Default settings leave locked devices vulnerable.

Locked phones are commonly assumed to be safe, but the default configuration of a locked device can expose its owner to significant privacy and security risks.
A Pen Test Partners researcher shows that, on a locked device, the defaults still allow access to features such as message previews and contact lookup, which anyone who finds or steals the device can abuse.
His findings underscore the importance of changing these settings for better protection.
Risks in the default settings
Out of the box, the voice assistant can be invoked from the lock screen with its "Hey" wake phrase or by pressing the side button.
With this setting, anyone can place calls, send messages or create calendar entries through the assistant, even while the phone is locked.
In addition, message previews are shown on the lock screen by default, revealing the content of incoming messages and allowing replies without unlocking the device.
Together, these defaults are a privacy weakness.
For instance, the assistant surfaces matching saved contacts in response to a spoken request, and an attacker can use those suggestions to reach people in the owner's contact list.
A malicious actor with physical access to a misplaced or stolen device can therefore send misleading messages or start potentially harmful conversations with the owner's known contacts.
Because all of this is reachable from the lock screen, the attacker can run social-engineering attacks against the owner's contacts without ever unlocking the phone.
A hypothetical scenario illustrates this:
A thief holding the lost phone can wake the assistant and tell it to send a message to the contact saved as "Mom" or "Dad."
The attacker then impersonates the phone's owner and fabricates an urgent request for money, knowing that a trusted contact is likely to respond.
Because message previews are shown by default, the attacker can also read and answer the replies from the lock screen, which makes the deception more convincing.

Recommended protection steps
To mitigate these risks, security experts recommend changing a few specific settings.
The "Find My" feature, available on Apple devices, lets users locate and remotely wipe a device, which is a crucial tool in case of theft or loss.
Adjusting a few privacy settings further protects the content of a locked device from unauthorized access.
The suggested adjustments are:
Disable assistant access on the lock screen: go to "Settings" > "Search & Assistant" and turn off "Allow access when locked", so that calls, messages and contacts cannot be reached through the assistant while the device is locked.
Update emergency contact information: if the phone is lost, configured emergency contacts can be reached from the emergency call screen, giving an honest finder a way to contact you without relying on the assistant. Path: Settings → Emergency → Set Emergency Contacts in Health.
Enable "Find My" for tracking and remote wipe: the "Find My" app lets users track a lost or stolen device and remotely erase its data if recovery is not possible.
Take regular encrypted backups: regular backups (preferably encrypted) let users restore important data to a new device after a loss. This can be done through [method] or [method].
Adjust message preview settings: go to "Settings" > "Notifications" > "Show Previews" and select "When Unlocked" or "Never", so message content no longer appears on the lock screen where others can read it.
Although iOS has advanced security features, its default settings can inadvertently expose critical functions on a locked device.
Disabling assistant access on the lock screen and restricting message previews protects users from this kind of misuse if the device is lost or stolen.
Your phone is lost, but it's locked. It's okay, right?
https://www.pentestpartners.com/security-blog/you-lost-your-iphone-but-its-locked-thats-fine-right/
**TL;DR**
The default configuration leaves your locked device open to abuse.
Make sure emergency contacts are set up.
Use "Find My" to track or erase a lost device.
Back up regularly.
Consider turning off lock screen message previews.
Imagine this: you lose your phone. Fortunately, it's locked, so no one can get at it, right? Not quite. Even when locked, the default settings can open surprising holes. My colleague recently explored the risks of losing a smartphone; today, I will look at what someone could do with your phone if it falls into the wrong hands.
**How iOS default settings create vulnerabilities**
The default settings allow the voice assistant to be used from the lock screen, whether activated by the "Hey" wake phrase or by pressing the side button, even while the device is locked. Combined with another default (message previews on the lock screen), this can be exploited if your device is lost or stolen.
What does the default look like?
By default the device lets you use the assistant while locked, via voice commands or by pressing the side button, as shown below.
Figure – Default assistant settings
Without any manual input, a locked device will place calls or send SMS to a saved contact or a spoken phone number, as well as create alarms, reminders, calendar entries and other everyday items.
Even though the device is locked, under certain conditions it will still show the user entries from the saved contact list.
For example:
Ask the assistant to call a contact by their saved name, and the phone dials that contact.
Ask it to call a first name shared by several contacts, and it shows a list of every contact whose name contains that first name, as in the screenshot below.
Figure – Multiple matching contacts presented on the lock screen
When the list is shown, the user can pick a contact and place the call from the lock screen.
It is also worth noting that the assistant appears to learn from usage: if the owner contacts one person of a given name far more often than another with the same name, a request to dial that name may go straight to the frequent contact instead of showing the list above.
The assistant can also be used to send messages from the lock screen. More concerning, the message can be typed out on the on-screen keyboard, all while the device remains locked.
Figure – A message started through the assistant from the lock screen
What does this mean?
Now imagine a lost phone falls into the wrong hands. We have all received spam messages asking for money, right? So what if the message asking for money came from a trusted number you talk to regularly? You get the point...
Attacker: "Hey, send a message to mom."
Assistant: "What do you want to say?"
Attacker: "Hi Mom, the boiler has broken and I don't have the money to fix it. Could you lend me £500? Sorry, I'll pay you back next month. Please send the money to [insert account details here]. Thanks!"
On top of this, the default is to always show message previews on the lock screen, so whoever holds the device can read any reply and respond accordingly. This could turn into a costly and dangerous game.
Figure – Lock Screen Message Preview
Figure – Default Preview Settings
How to avoid this situation
We recommend turning off the "Allow when locked" setting. You might wonder what happens if you then lose your phone: you can still call your number from another phone and hope that a kind person answers and helps you get it back.
For safety, in addition to disabling the assistant on the locked device, we also recommend the following:
Make sure your emergency contact details are set up and current (they can be reached from the emergency call screen of your locked device) and tell that person. (Settings - Emergency - Set up emergency contacts in Health).
Consider using an app such as "Find My", which lets you track your device and remotely wipe it if necessary.
Take regular, encrypted backups of your data. If anything happens to your device, you can restore the backup to a new one.
Change the "Show Previews" setting to "When Unlocked" or "Never". (Settings - Notifications - Show Previews).
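Both the summary list earlier on this page and the recommendations above describe the same two manual changes: turn off assistant access while locked, and stop message previews from showing on the lock screen. In a managed fleet you would enforce them with a configuration profile rather than rely on each user. The following Python audit is an added example, not code from the original post: it parses a .mobileconfig (plist) and flags either setting that is still at its default. The payload keys follow Apple's configuration-profile reference for the Restrictions payload (com.apple.applicationaccess, key allowAssistantWhileLocked) and the Notifications payload (com.apple.notificationsettings, key PreviewType for the Messages bundle com.apple.MobileSMS); confirm them against the current reference before deploying. The profile identifiers, UUIDs and both sample profiles are constructed for the example.

```python
"""Audit an iOS configuration profile for the two lock-screen defaults discussed
on this page: assistant access while locked, and message previews.

Added example, not code from the original post. Payload keys follow Apple's
configuration-profile reference (Restrictions and Notifications payloads);
the identifiers, UUIDs and sample profiles below are constructed for the demo.
"""
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"      # Restrictions payload type
NOTIFICATIONS = "com.apple.notificationsettings"  # Notifications payload type
MESSAGES_BUNDLE = "com.apple.MobileSMS"           # bundle ID of the Messages app

# PreviewType values in the Notifications payload (iOS 14 and later).
PREVIEW_ALWAYS, PREVIEW_WHEN_UNLOCKED, PREVIEW_NEVER = 0, 1, 2


def audit_profile(profile: dict) -> list[str]:
    """Return human-readable findings; an empty list means the profile enforces
    both hardened settings. Absent keys are treated as the iOS default (weak)."""
    findings = []
    payloads = profile.get("PayloadContent", [])

    restrictions = [p for p in payloads if p.get("PayloadType") == RESTRICTIONS]
    if not restrictions:
        findings.append("no Restrictions payload: assistant access while locked "
                        "stays at its default (allowed)")
    for p in restrictions:
        # The default is True, so the profile has to set False explicitly.
        if p.get("allowAssistantWhileLocked", True):
            findings.append("allowAssistantWhileLocked is not false: the assistant "
                            "can place calls and send messages from the lock screen")

    messages_rules = [
        rule
        for p in payloads if p.get("PayloadType") == NOTIFICATIONS
        for rule in p.get("NotificationSettings", [])
        if rule.get("BundleIdentifier") == MESSAGES_BUNDLE
    ]
    if not messages_rules:
        findings.append("no notification rule for Messages: previews stay at the "
                        "default (Always), so replies are readable while locked")
    for rule in messages_rules:
        if rule.get("PreviewType", PREVIEW_ALWAYS) == PREVIEW_ALWAYS:
            findings.append("Messages PreviewType is Always: set it to "
                            "When Unlocked (1) or Never (2)")
    return findings


def audit_mobileconfig(data: bytes) -> list[str]:
    """Parse raw .mobileconfig bytes (XML or binary plist) and audit them."""
    return audit_profile(plistlib.loads(data))


def roundtrip_audit(profile: dict) -> list[str]:
    """Serialise a profile dict to plist XML and audit it, exercising the same
    path a profile exported from an MDM would take."""
    return audit_mobileconfig(plistlib.dumps(profile))


def _payload(payload_type: str, suffix: str, uuid: str, **settings) -> dict:
    """Build one payload dict with the mandatory common keys (constructed values)."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.lockscreen.{suffix}",  # hypothetical identifier
        "PayloadUUID": uuid,                                  # placeholder UUID
        **settings,
    }


def _profile(payloads: list[dict]) -> dict:
    """Wrap payloads in a minimal top-level profile (constructed values)."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.lockscreen",              # hypothetical identifier
        "PayloadUUID": "00000000-0000-4000-8000-000000000000",  # placeholder UUID
        "PayloadDisplayName": "Lock screen hardening (example)",
        "PayloadContent": payloads,
    }


# Constructed sample: a profile that ships the iOS defaults unchanged.
WEAK_PROFILE = _profile([
    _payload(RESTRICTIONS, "restrictions", "00000000-0000-4000-8000-000000000001",
             allowAssistantWhileLocked=True),
])

# Constructed sample: the settings this post recommends, enforced by profile.
HARDENED_PROFILE = _profile([
    _payload(RESTRICTIONS, "restrictions", "00000000-0000-4000-8000-000000000001",
             allowAssistantWhileLocked=False),
    _payload(NOTIFICATIONS, "notifications", "00000000-0000-4000-8000-000000000002",
             NotificationSettings=[{
                 "BundleIdentifier": MESSAGES_BUNDLE,
                 "NotificationsEnabled": True,
                 "ShowInLockScreen": True,              # still shows that a message arrived
                 "PreviewType": PREVIEW_WHEN_UNLOCKED,  # but hides its content while locked
             }]),
])

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: {roundtrip_audit(profile) or ['OK']}")
```

The audit deliberately treats a missing key as the weak default, because a profile that simply omits allowAssistantWhileLocked leaves the device exactly as the post describes. Pointing audit_mobileconfig at a real exported profile (open(path, "rb").read()) gives the same findings for a production configuration.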
In general, locking down devices as soon as they are out of the box is good privacy and security practice, and it does not take long. Here is a comprehensive guide for reference:
How can you protect your data, privacy and finances if your phone gets lost or stolen? https://www.pentestpartners.com/security-blog/how-can-you-protect-your-data-privacy-and-finances-if-your-phone-gets-lost-or-stolen/