iOS 11 Does Not Fix iCloud and 2FA Security Problems You’ve Probably Never Heard About

September 11th, 2017 by Vladimir Katalov
Category: «Did you know that...?», «Security», «Tips & Tricks»

In the US, Factory Reset Protection (FRP) is a mandatory part of each mobile ecosystem. The use of factory reset protection in mobile devices helped tame smartphone theft by discouraging criminals and dramatically reducing the resale value of stolen devices. Compared to other mobile ecosystems, Apple’s implementation of factory reset protection has always been considered exemplary. The combination of a locked bootloader, a secure boot chain and obligatory online activation of every iPhone makes iCloud Lock an exemplary implementation of factory reset protection.

All one needs to do is enable the Find My iPhone option in iCloud settings. In fact, this option is enabled by default once you set up your new iPhone. After that, even if you lose your iPhone and someone else attempts to reset it to factory defaults, the device will still be locked to your iCloud account. Unlocking the device (removing iCloud Lock) requires access to your Apple ID, your password, and the secondary authentication factor if you have Two-Factor Authentication enabled. Sounds pretty secure so far?

Unfortunately, even Apple’s implementation is not perfect (and believe us, by and large this is still the best on the market).

Did you know that a malicious person can still change your iCloud password from the device without actually knowing your password? One just needs to open [Settings] | [Apple ID] | [Password & Security] and tap Change Password there. Now things are getting funny. The thief’s further steps depend on two factors: whether the device has a passcode set, and whether two-factor authentication is enabled (let’s forget about two-step verification, as it is not supported in iOS 11).

  • 2FA is not enabled (it won’t matter whether there is a passcode on the device): you have to correctly answer the security questions set when the Apple account was created, and then enter the old password as well.
  • 2FA is enabled, passcode is not set: you are prompted for a security code that will be sent to your trusted phone number (yes, good old SMS). Still, the old iCloud password is required in order to set a new one.
  • 2FA is enabled, passcode is set: this would be the most secure combination, right? Wrong.

In this last case, the only thing you might be prompted for is the device passcode. I said might, because if the device has just recently been unlocked, then the passcode is NOT required at this step. The thief can just go ahead and change your Apple ID password, disable Find My iPhone on your device and put all of your other devices into Lost Mode. An extortion attempt would then follow.

Bad things don’t end here. One can easily add a new trusted phone number in the same place and remove the old number from the account, making it even more difficult for you to regain control over your Apple account and your other devices.

By now your iCloud password has been changed, and the trusted phone number is somebody else’s. The thieves can now easily do whatever they want: disable Find My iPhone, log on to www.icloud.com, and download your data (backups, synced data, photo library and maybe even your passwords) from your account.

Watch the video below (made with iOS 11 beta 10), where we perform both steps: changing the iCloud password (when the passcode has been recently used, so it is not required), and then adding a new trusted number.

To make things even worse: if one has the iCloud credentials including the second factor (basically, this device, or the new trusted phone number) and the passcode (yes, the passcode is the key again), they can get into your iCloud Keychain, which contains all the passwords from your browser (including your online banking passwords and social media accounts), as well as credit card numbers.