In late 2023, Apple patched an intriguing security issue known as CVE-2023-42855. This bug was quietly fixed in iOS 17.1 and iPadOS 17.1. The short description is simple but alarming: *"An attacker with physical access may be able to silently persist an Apple ID on an erased device."* In this exclusive deep dive, we’ll explain how this flaw worked, why it was dangerous, and what was changed to fix it.
Let’s break it down:
- CVE Number: CVE-2023-42855
- Platforms Affected: iOS and iPadOS (before 17.1)
- What’s the Problem?: After erasing an iPhone or iPad, it might look clean, but under the hood, an attacker could keep their Apple ID associated with the device—without the new user knowing.
- Impact: If you bought a used iPhone, wiped it, and set it up fresh, an attacker could still control or track it by having their Apple ID tied to hidden parts of the system. This could also block you from fully owning your device.
Technical Details
Apple is secretive about the nitty-gritty, but from the patch notes and researcher hints, we can reconstruct what probably happened. Essentially, device *state management* was weak during the erase process: not all traces of Apple ID accounts or persistent tokens were wiped from lower-level system databases.
1. Attacker Sets Up Device: Attacker logs into Apple ID on a device.
2. Attacker Prepares Device: Before selling or handing off, attacker triggers a subtly broken erase process (e.g., via settings or cable/DFU tricks).
3. Victim Erases Device: Buyer or new user erases and sets up the device.
4. Persistence: Somehow, attacker’s Apple ID info sticks in the Secure Enclave or in a system database, not visible to normal users.
5. Backdoor Access: Attacker uses their Apple ID to locate, lock, or even remotely wipe.
Key Flaw: The clean-up during factory reset did *not* cover every state variable or database related to Apple ID association.
Let’s look at a high-level pseudocode of what could’ve happened, based on what’s known:

```python
# Pseudocode -- not real device code

def erase_device():
    # Standard wipe routine
    wipe_user_data()
    wipe_apps()
    # ...however, attacker-added Apple ID info remains!
    # e.g., hidden in Secure Enclave or certain system partition
    # Forgotten here: clear_apple_id_persistence()

def clear_apple_id_persistence():
    # Proper fix: make sure this function is now called!
    remove_all_apple_id_tokens()
    flush_secure_enclave()
    clear_associated_services()

# In iOS 17.1, Apple made sure this happens:
def erase_device_fixed():
    wipe_user_data()
    wipe_apps()
    clear_apple_id_persistence()  # NOW included in every erase
```
The above illustrates a missing step in device erasure, allowing the “attacker” Apple ID to survive secretly.
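To make the missing step concrete, here is an added toy model (my own example, not Apple code and not the page's pseudocode) in which a device has both user-visible stores and hidden ones. The store names (`account_db`, `enclave_tokens`) and the Apple ID and token values are constructed for illustration. `erase_legacy` clears only the visible stores, `erase_fixed` clears everything, and `residual_owner` plus `hidden_state_remaining` play the role of a post-erase check that enumerates every store rather than trusting what Settings shows.

```python
from dataclasses import dataclass, field

@dataclass
class DeviceState:
    """Toy model of the stores an erase has to clear. Store names are hypothetical."""
    user_data: dict = field(default_factory=dict)       # what the user sees in Settings
    apps: set = field(default_factory=set)
    # Hidden stores that a normal user never sees
    account_db: dict = field(default_factory=dict)      # low-level account-management database
    enclave_tokens: dict = field(default_factory=dict)  # tokens held on behalf of the Secure Enclave

def sign_in(dev: DeviceState, apple_id: str, token: str) -> None:
    """Signing in leaves traces in visible AND hidden stores."""
    dev.user_data["icloud_email"] = apple_id
    dev.account_db["primary_account"] = apple_id
    dev.enclave_tokens["account_token"] = token
    dev.apps.add("FindMy")

def erase_legacy(dev: DeviceState) -> None:
    """Models the pre-17.1 behaviour: only user-visible stores are wiped."""
    dev.user_data.clear()
    dev.apps.clear()

def erase_fixed(dev: DeviceState) -> None:
    """Models the 17.1 'improved state management': every store is cleared."""
    erase_legacy(dev)
    dev.account_db.clear()
    dev.enclave_tokens.clear()

def residual_owner(dev: DeviceState):
    """Return the Apple ID that ANY store still associates with the device, or None."""
    return (dev.user_data.get("icloud_email")
            or dev.account_db.get("primary_account")
            or None)

def hidden_state_remaining(dev: DeviceState) -> list:
    """List every hidden store that still holds data after an erase."""
    leftovers = []
    if dev.account_db:
        leftovers.append("account_db")
    if dev.enclave_tokens:
        leftovers.append("enclave_tokens")
    return leftovers

def simulate(erase_fn):
    """Sign in with a constructed Apple ID, erase with erase_fn, report what survived."""
    dev = DeviceState()
    sign_in(dev, "seller@example.com", "tok-constructed-123")  # constructed sample values
    erase_fn(dev)
    return residual_owner(dev), hidden_state_remaining(dev)

if __name__ == "__main__":
    print("legacy erase:", simulate(erase_legacy))  # old owner still associated
    print("fixed erase: ", simulate(erase_fixed))   # (None, [])
```

The point of the check functions is that "the device looks clean" is judged by the visible stores only; a verification step has to walk every store that can hold an account association, which is exactly what the legacy erase skipped.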
Demonstration Scenario
It’s not a remote hack. The main vector is through physical access. Here’s how it might play out:
- Attacker signs into their Apple ID on the device, then sells it.
- Later, attacker can “reclaim” the device or just harass the user by activating Activation Lock, sending unlock requests, or tracking location.
Forensics note: Even after device wipe, parts of the system thought the old Apple ID was still “owner,” likely due to persistence in a low-level management database or the Secure Enclave.
Apple's Release Note
> "This issue was addressed with improved state management. This issue is fixed in iOS 17.1 and iPadOS 17.1."
>
> Apple Security Updates - CVE-2023-42855
In simple terms, Apple now ensures that every erase wipes *all* user associations—visible or hidden. This closes the door for leftover Apple ID tokens.
Takeaways & Recommendations
- Update your device: Always run the latest iOS/iPadOS.
- Avoid second-hand headaches: If buying used, force a DFU (Device Firmware Update) restore after installing the latest firmware (see the DFU Restore Guide in the references).
- Physical security: Remember, even erased devices aren’t always safe until software catches up. Never allow untrusted users physical access.
References
- CVE-2023-42855 on MITRE
- Apple Official Security Updates
- Apple iOS 17.1 Release Notes
- How To Erase Your iPhone
- DFU Restore Guide
Conclusion
CVE-2023-42855 shows that even physical resets aren’t foolproof if your OS leaves behind shadows of the old owner. Update to iOS 17.1, be careful with used devices, and stay tuned to security announcements! Apple’s patching was fast, but exploits like this are a sharp reminder: total erasure is hard, and attackers will look for any surviving crumbs.
Stay safe out there.
*Please share this post with anyone who uses or sells used iPhones or iPads—especially small shops or recyclers!*
Timeline
Published on: 02/21/2024 07:15:49 UTC
Last modified on: 11/01/2024 20:35:01 UTC