bypass

Five 'bypass' stories May 2012 - June 2014

New lock screen bypass discovered in iOS 7, allows access in 5 seconds under certain circumstances (Update: Resolved)

Dom Esposito Jun 9 2014 - 10:30 am PT

Update 6/30: It appears iOS 7.1.2 has resolved the issue: A state management issue existed in the handling of the telephony state while in Airplane Mode. This issue was addressed through improved state management while in Airplane Mode.

A new lock screen bypass has been discovered in iOS 7 that allows anyone to skip the default authentication method. The shocking part about this bypass is that it can be done in under five seconds. This isn’t the first time that lock screen security on iOS has been compromised, but this does require very specific conditions in place in order to work.

Expand
Expanding
Close

More than $15k in rewards offered to crack Apple’s iPhone 5s TouchID fingerprint sensor

Jordan Kahn Sep 19 2013 - 3:23 pm PT

3 Comments

TouchID-iPhone5S-fingerprint-sensor-01

As noted by BusinessInsider, a number of security researchers and other hackers have come together to offer rewards to the first person that can “reliably and repeatedly break into an iPhone 5s” through bypassing the new TouchID fingerprint sensor feature. They aren’t looking for a software hack, however, but instead want hackers to break into the device by lifting prints, “like from a beer mug.”

It’s not exactly a legit contest, as the creators of the site are only claiming responsibility for their own bounty offers. Their bounties come out to around just $200 of the approximately $20k in pledges listed on the site.

In order to collect, you’ll have to have video proof of the process. The site’s creator explained in the “terms and conditions,” which is actually just a series of tweets:

All I ask is a video of the process from print, lift, reproduction and successful unlock with reproduced print. I’ll put money on this… Enroll print, Place it, lift it, reproduce it, use the reproduction to unlock the phone without being locked out… satisfactory video evidence of the print enrollment, lift, reproduction and successful application of the print without locking out will do.

While there’s no way of telling if most of those offering bounties will actually payout, the largest pledge comes from IOCapital for $10K:

https://twitter.com/Arturas/status/380748248589148161

Apple said at the introduction of the iPhone 5s that “all fingerprints will be encrypted, stored securely and never uploaded to iCloud or its own servers,” but there have been a few questions surrounding how Apple’s new TouchID fingerprint sensor works. Earlier this month Apple addressed security concerns and noted some features to prevent hacking of the fingerprint sensor:

Only that passcode (not a finger) can unlock the phone if the phone is rebooted or hasn’t been unlocked for 48 hours. This feature is meant to block hackers from stalling for time as they try to find a way to circumvent the fingerprint scanner.

You can check out all of the bounties being offered and learn more through the istouchidhackedyet.com site.

iOS 6 bug lets institutional users bypass ‘Don’t Allow Changes’ account restriction, install unapproved apps (Update: fixed)

Jordan Kahn Feb 15 2013 - 7:11 am PT

0 Comments

Update (Feb 21st): This has been fixed according to a reader. The iTunes and App Stores use HTML on the backend so Apple can “push” updates via backend code changes:

As of this morning, the bug is gone! No update required! Looks
like the somehow they pushed the update! I can no longer change the
account in the App Store or iTunes store! This reminds me when I was
beta testing 6.0 and Apple changed the behavior of downloading updates
not requiring a password (they also allowed free apps with no password
for a short while). That didn’t need an update to change either.
They seem to have ways of fixing App Store behavior without needing to
update iOS. I’m still running 6.1 on my devices, haven’t gone to
6.1.2 yet.

Would be nice for an official answer from Apple, but so far, it’s
working correctly! Also, I see redeem and send gift are grayed out
also, at the bottom of the App Store. Same for iTunes Store.

For those unaware, iOS 6 received some beefed up Restriction settings when it was released that allowed users to select “Don’t Allow Changes” for an entire account linked to an iOS device. This option was particularly useful for schools and organizations that wanted to limit a device to a specific account and keep students and others from installing apps not approved by the institution. Without the restriction, students or employees could easily change the iTunes account linked to the iOS device. Unfortunately, as noticed by one frustrated 9to5Mac reader, it seems there are several backdoor methods of bypassing the setting…

Expand
Expanding
Close

Google facing tens of millions in fines in FTC’s iOS Safari privacy investigation

Jordan Kahn May 4 2012 - 12:25 pm PT

0 Comments

We knew that Google would likely face fines in the Federal Trade Commission’s investigation into its method of bypassing Apple’s default iOS Safari browser settings. Last month, reports claimed the FTC would make a decision on the fines within 30 days. Today, Reuters reported sources close to the situation have confirmed Google is currently negotiating with the FTC over fines that “could amount to tens of millions of dollars”:

Google Inc. (GOOG) is negotiating with the U.S. Federal Trade Commission over how big a fine it will have to pay for its breach of Apple Inc. (AAPL)’s Safari Internet browser, a person familiar with the matter said. The FTC is preparing to allege that Mountain View, California-based Google deceived consumers and violated terms of a consent decree signed with the commission last year when it planted so-called cookies on Safari, bypassing Apple software’s privacy settings, the person said.

Cross-posted on 9to5Google.com

Google could soon face big fines over iOS Safari privacy controversy in FTC investigation (9to5mac.com)
Lawmakers ask FTC to investigate Google over mobile Safari cookies (9to5google.com)

bypass

Related articles