Hacker News new | past | comments | ask | show | jobs | submit login

Apple's Find My features are what turn iPhone theft into complete iCloud vulnerabilities. This was first seen with the social engineering attacks made possible in Find My iPhone. All an attacker needs to do is spoof an SMS and phish your account credentials. It's likely this feature too will lead to clever hacks used to further damage users.

How, exactly ?

First forensics to try and crack the pass code (takes about 2 days). Next turn on the phone just long enough to take down the phone number provided. Then wait another day or so and turn on the phone again. At the same time send the recovery number an SMS linked to a fake iCloud website and grab the credentials when they log-in. I have concrete examples of the processes, tools and servers used to pull this off. Apple Support is aware this is a common occurrence - they told me so over the phone.

If you'd like to know more specifics, please feel free to contact me.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact