Weaponizing Old Apple iOS Devices

news.ycombinator.com
Apple refuse to change their policy of forcing you to enter your macbook password into new iPads ... so anytime you want to plunder an Apple user's account, all you need to do now is load a keylogger onto a rooted device, and "gift" it to them (you can't update iOS until after "activating" - entering your macbook password into it)...

It's always nice when Apple trains all their users to accept insecure computing practices for us :-)

From: product-security@apple.com
To: @gmail.com
Date: Thursday, September 23, 2021, 9:00:23 AM
Subject: Important security mistake inside apple products.

Please include the line below in follow-up emails for this request.

Follow-up: 780397525

Hello Chris,

Thank you for taking the time to contact Apple's Product Security team. Regarding the issue you reported, we have examined it and determined that it is best addressed via Apple's Support resources which may be found at https://www.apple.com/support/.

For more information about when your device will prompt for a secondary device password see "End-to-end encrypted data" in https://support.apple.com/HT202303

Please note that due to the nature and complexity of technical issues, we are not able to provide technical support through email.

Details of available service and support options can be found on the AppleCare Overview web page at https://www.apple.com/support/products/.

Best regards,
Mike
Apple Product Security

On September 17, 2021 at 04:53:46 AM GMT, .com wrote:

I'm a security professional, and cryptography expert with 35+ years experience. I wrote the world's most heavily-cited security patent of all time. I'm no n00b.

While setting up my freshly-wiped (2nd hand from eBay) iPad today, it forced me to enter the master password for my Macbook, into my sketchy-2nd-hand iPad.

You know it is NEVER SAFE to require users to key a password for anything, into something else.

This is an important security error, which makes it extremely easy for malicious actors to steal passwords from others.

The correct procedure for authenticating an iPad by using a Macbook - is for the user to login to the MACBOOK and approve a request - NEVER to key any macbook credentials into any potentially untrusted device.

An easy example for how anyone can steal someone's password:

a) obtain an older iOS device not using the current iOS,
b) exploit any of the flaws within to capture passwords and maintain persistence (this step cannot be later defeated, since (1) the user probably won't update before setting up, and (2) iOS cannot be updated until activated anyhow),
c) gift this to the victim

Please fix!

Also - I suggest you allow iOS updates without any kind of barrier, especially on new iPads, to further reduce the risks of the malicious gifting of compromised devices.

Comments URL: https://news.ycombinator.com/item?id=28624715
Points: 1
# Comments: 0