• rippersnapper@lemm.ee
    link
    fedilink
    English
    arrow-up
    14
    ·
    1 year ago

    Genuine question, don’t both iPhones and Androids lock out users if they’re unable to provide the password? In that case are most of these stolen phones sold for parts?

    • thehatfox@kbin.social
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      They both have security features to lock out unauthorised users. But there has been a cat and mouse game of hackers finding exploits to bypass the device locks, and platform developers patching them to secure the devices again. There have also been various schemes using rogue employees of phone companies to get illegitimate access to official tools that can unlock devices.

      So sometimes the phones can be unlocked. But failing that, there is also a thriving black market for phone parts salvaged for stolen phones.

    • smeg@feddit.uk
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      1
      ·
      1 year ago

      That’s a feature to protect user data not to prevent the phone being reused. Wipe the device and it’s brand new (unless the device ID is reported and the phone blacklisted by the networks somehow, but that relies on the owner and the authorities being faster than the thieves, I’d imagine).

      • atkdef@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        Not sure about Apple devices, but for Android there’s FRP (factory reset protection). Basically, if an Android phone which has FRP enabled has at least one Google account signed in, after factory reset, the phone is locked unless it signs into one of the Google accounts previously in use.

        I cannot find documents about FRP from Google, but here’s one from Samsung, and I’m pretty sure it’s not limited to Samsung.

        https://www.samsung.com/ph/support/mobile-devices/what-is-device-protection-or-factory-reset-protection-frp/

        • frazorth@feddit.uk
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          I ran into this on my phone when I forgot the pin and tried to factory reset. However I know my Google password so it was quite simple, but I don’t know how thieves get past this.

      • nanometer@lemm.ee
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        You can’t wipe an iPhone that’s locked to an ICloud ID without the password of the account

        • smeg@feddit.uk
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          If you have physical access to a device you can eventually do whatever you want with it, depends how organised the thief is

          • GreatAlbatross@feddit.ukM
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Unless it’s changed recently, you can wipe a user from it, but you cannot disable find my iphone, which will prevent initial activation with Apple.

            And since it’s a brick without being activated following a wipe, it would only be usable for parts.

            • smeg@feddit.uk
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              I posted a link to an article in another reply, there is software available which can use whatever jailbreak exploit to remove the lock. Basically no device is 100% secure, so there will always be some way in if you have physical access and enough time on your hands.

              • Bartsbigbugbag
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                1 year ago

                You can’t jailbreak a phone without already obtaining full access to the device. So, unless people are jailbreaking their phones before giving them away, that is not a likely scenario. You also can’t use a phone that was wiped unless you first remove or have the credentials to the iCloud account associated with it. So, they could wipe the phone, and then it’s a brick. Only if they have the appleid password Can they wipe it and use it as new, and only if they have the Lock Screen passcode can they jailbreak it to wipe it via exploits.

                That said, there are other tools and methods, the most common being transferring a known good serial number to a locked phone, and remote iCloud unlocks are available from China, using the official Apple unlock servers, so not a technical exploit, but a human one.

                • smeg@feddit.uk
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  Aren’t jailbreak exploits achieved by various means? i.e. if you’re exploiting some unknown software bug it could come from any source, right? Either way, this totally legit software claims it can do it, and I’m sure there are plenty of less well-advertised hacks available too.

                  • Bartsbigbugbag
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    1 year ago

                    Jailbreaks are indeed achieved by various means, but every single one of them requires the phone to be unlocked. I used to own a repair shop, so I’m rather acquainted with the tricks. I’d say 95% of those “iCloud unlock” services are scams, and the rest of them use apples official servers to do so as I mentioned above.

          • frazorth@feddit.uk
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            I would be curious to learn more, as this is a much touted security feature. If it’s that easy to bypass then we need to understand the limitations.

            Do you have any more information on this?

            • dotslashme@infosec.pub
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Not an expert in any way, but I would assume it is similar to having physical access to a computer. You would not be able to get into the existing device or retrieve data, but if you have stolen it and just to use the device, there are numerous tools to allow side loading of new blobs, that will bypass any restrictions.

              • 520@kbin.social
                link
                fedilink
                arrow-up
                3
                ·
                1 year ago

                In theory this is true, in practice the protections Apple puts in place tend to put even games consoles to shame. That plus the quick turnaround of iPhone hardware means by the time it is cracked, it was already obselete

            • 520@kbin.social
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              The usual tactic is to send a phishing text to a number that calls it pretending to be Apple. They then get your Apple ID credentials and use that to unlock the device.

              • frazorth@feddit.uk
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                How do you send a phishing text to a phone you have stolen? The owner would either not get the text, or get it via iMessage which the response wouldn’t appear on the stolen phone. I’m not following this tactic, so I’m obviously missing something.

                • 520@kbin.social
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  edit-2
                  1 year ago

                  The owner tries to call the number from another phone, usually a mobile. The hope is that the phone was misplaced and not stolen.

                  • frazorth@feddit.uk
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    ·
                    1 year ago

                    So the owner calls the phone, which is answered by the thief who pretends to be Apple?

                    Interesting.

                • 520@kbin.social
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  1 year ago

                  Exactly. The protections on the iPhone themselves are actually very strong for the time the phone released in. Unless you’ve got NSA-level hardware hackers in your org, this is by far your best bet.

                  • smeg@feddit.uk
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    1 year ago

                    Very much depends on your threat model. An iPhone is great if you trust Apple with the backdoor to your phone, if not then you’re probably much more secure with GrapheneOS.

            • smeg@feddit.uk
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              This is the first article I found (so I don’t know how reliable the software is) but one suggestion is a tool that seems like it just jailbreaks the iPhone and can then remove the lock. So basically find an exploit that allows you to get round the protection.

      • butterflyattack@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        I am pretty sure this isn’t the case if you report the phone stolen. Your provider will have the IMEI number and can brick it. There are probably ways around this - one that I’ve heard is that this bricking is regional. If you sell the stolen phone to someone who is going to ship it to Africa, say, and resell it, it would work fine there.

        I should say that this info is a decade old, but I knew someone back then who would pay for phones, no questions asked. Also vehicles, even large commercial ones. The containers were going to the Gambia, although I’m sure other people were shipping stuff to other countries and continents. I don’t know if bricking is still regional but I’ve not heard that it’s changed.

        Another possibility is that thieves are trying to literally snatch a phone out of the hand of someone who is using it, while it’s still unlocked. Many of us do banking etc on our phones, and have other login credentials, so perhaps if they get the phone while it’s unlocked they can do something with this.

      • Alchemy@lemmy.team
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Even if they’re blocked I think that only applies to certain countries too. So they likely just get sent abroad and used there!

        • GreatAlbatross@feddit.ukM
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          My info on IMEI blacklisting is probably out of date, but it used to be that different regions operated their own lists (since phones were normally sold for a specific region).

          That meant that stolen phones would often just get shipped abroad, even with a bar in place for the UK.

    • Aux@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      There is a way to perma lock a phone to a specific account. But that means you will never be able to sell the phone and it won’t be repairable at all. Once you introduce an unlock feature for second hand sales and repair personnel someone will find a way to hack it.