CVE-2024-44136 - How Attackers Could Disable Stolen Device Protection on iPhones — Exploit Details and Fixes
Apple has always focused on device security, especially with features like “Stolen Device Protection” that help keep your iPhone or iPad safe from thieves. However, a recent flaw, CVE-2024-44136, revealed that attackers could actually turn off this protection if they had your device in their hands. Let’s break down what happened, how it could be abused, and what has been done to fix it.
What is CVE-2024-44136?
CVE-2024-44136 is a security vulnerability that affects iOS (iPhone) and iPadOS versions before 17.5. The flaw existed in how Apple’s Stolen Device Protection managed the device’s internal state. According to Apple:
> "An attacker with physical access to a device may be able to disable Stolen Device Protection. This issue was addressed through improved state management."
> — Apple Security Releases, May 2024
What is Stolen Device Protection?
Stolen Device Protection is a security setting that helps block thieves from doing things like changing your Apple ID password, disabling Find My, or factory-resetting your phone, especially if they have your passcode. It is designed as a last line of defense if someone grabs your unlocked device.
Without going into dangerous territory, here’s a conceptual overview:
- Target: Devices running iOS/iPadOS before 17.5 with Stolen Device Protection enabled.
- Access Required: Physical access (attacker must have the device in hand; remote attacks do not work).
- Vulnerability: Due to “improper state management,” certain device states or sequences were not properly checked.
- What Could Happen: The attacker could navigate through the device settings, and under certain conditions, disable Stolen Device Protection without hitting expected authentication barriers.
2. Attacker leverages state management bug to access Settings → Stolen Device Protection options.
3. Utilizing specific steps (which may involve Airplane Mode, restarts, or UI manipulation), the attacker bypasses security checks meant to require face/touch authentication or a delay.
4. Attacker disables Stolen Device Protection without secondary authentication or time delay.
> This means the criminal could then factory reset or change settings, escaping anti-theft measures.
Code Snippet: Abstracted State Management Flaw (Pseudocode Example)
Here’s some simple pseudocode (NOT real, just for illustration) that shows what might have been going wrong:
```
// Before the fix: Bad state check
if (user.accessedSettings && device.isUnlocked) {
    showDisableStolenProtectionOption()
    // Missing: check for Face ID/Time Delay here!
}
```
After the fix in iOS 17.5:
```
// After the fix: Improved state management
if (user.accessedSettings && device.isUnlocked) {
    if (requireFaceID() && waitForSecurityDelay()) {
        showDisableStolenProtectionOption()
    }
}
```
Basically, Apple didn’t properly check *all* the needed conditions before letting someone disable the feature.
Apple’s engineers improved state management in iOS and iPadOS 17.5. This means they:
- Added stricter checks for authentication (requiring Face ID, and/or a set waiting period).
- Closed gaps where the system might "forget" a device recently unlocked, or where state transitions were improperly handled.
The fix is included in iOS 17.5 and iPadOS 17.5.
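The kind of check described above can be sketched as a small state machine that enforces every condition on the action itself and fails closed on state transitions. This JavaScript is an added example, not code from Apple or from the original article; `ProtectionGate`, its methods, the `replay` helper and the one-hour delay value are assumptions made for illustration.

```javascript
// Illustrative model only; names are hypothetical and this is not Apple's code.
const SECURITY_DELAY_MS = 60 * 60 * 1000; // assumed delay value for this model

class ProtectionGate {
  constructor() {
    this.enabled = true;
    this.pending = null; // { requestedAt } after a successful biometric request
  }

  // Restart, lock or similar transition: fail closed, earlier approvals are dropped.
  onStateTransition() {
    this.pending = null;
  }

  // Step 1: only a fresh biometric match starts the delay (a passcode is not enough).
  // `now` must come from a clock the person holding the device cannot change.
  requestDisable(biometricOk, now) {
    if (!biometricOk) return "denied: biometric required";
    this.pending = { requestedAt: now };
    return "delay started";
  }

  // Step 2: every condition is re-checked on the action itself, not on whether
  // the UI happened to show the option.
  confirmDisable(biometricOk, now) {
    if (!this.pending) return "denied: no valid pending request";
    if (!biometricOk) return "denied: biometric required";
    if (now - this.pending.requestedAt < SECURITY_DELAY_MS) return "denied: delay not elapsed";
    this.enabled = false;
    this.pending = null;
    return "disabled";
  }
}

// Replays a constructed event list against a fresh gate and reports the outcome.
function replay(events) {
  const gate = new ProtectionGate();
  const results = events.map((e) => {
    if (e.type === "transition") { gate.onStateTransition(); return "state reset"; }
    if (e.type === "request") return gate.requestDisable(e.biometricOk, e.t);
    return gate.confirmDisable(e.biometricOk, e.t);
  });
  return { results, enabled: gate.enabled };
}

// Constructed sample: approval, then a restart, then a late confirm attempt.
const HOUR = SECURITY_DELAY_MS;
console.log(replay([
  { type: "request", biometricOk: true, t: 0 },
  { type: "transition" },
  { type: "confirm", biometricOk: true, t: 2 * HOUR },
]));
```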
Should You Be Worried?
If you have already updated to iOS 17.5 or iPadOS 17.5, you’re safe from this exploit. If you lost a device running an older OS version, there was a small risk that a tech-savvy thief could bypass Stolen Device Protection, but they needed physical access and knowledge of the flaw.
- Never share your unlock code.
- Stay aware: If your device is lost or stolen, use Find My iPhone to lock or erase it remotely.
Links and Further Reading
- Official Apple CVE Page
- Stolen Device Protection Explained
- Apple’s Security Updates
- CVE Details Listing
Summary
CVE-2024-44136 was a serious bug where physical attackers could turn off key iPhone/iPad anti-theft features. Apple fixed it with a software update (iOS 17.5 / iPadOS 17.5), so updating your device is the best way to stay protected. While the attack wasn’t easy or remote, it shows the power of strong, ongoing security updates.
Always keep your device updated!
References
- https://support.apple.com/en-us/HT214100
- https://support.apple.com/en-us/HT213919
- https://www.cvedetails.com/cve/CVE-2024-44136/
Timeline
Published on: 01/15/2025 20:15:27 UTC
Last modified on: 03/03/2025 22:45:38 UTC