Stolen VisionPro: what's the security risk if running 2.0 beta?

Tuesday morning at 3am, a burglar broke into my house and stole my VisionPro (s/n MWFYJ49L0V) that was running VisionOS 2.0 Beta.

Apple Support advised me to keep the device on my account to stop the crooks from activating it.

Is keeping the VisionPro (running a 2.0 beta) active on my personal iCloud account indefinitely like this okay, or a risk to my private data and ID?

Answered by CMDdev in 790954022

I'm sorry for what happened to you.

I'm no expert, so take this with a grain of salt. I'd love to hear other people's opinions on this matter :). Here's my take on this.

> Apple Support advised me to keep the device on my account to stop the crooks from activating it.

I think that's the best thing to do right now - leaving Activation Lock on - since turning it off will allow them to use it.

There's still a chance you'll be able to retrieve your device. Right now, I think you should focus on the legal procedures in your area regarding this kind of event, so you can maximise the chances of recovering your Vision Pro.

You can always remove it from your account later if you're unable to recover your device. During the time you had your device on your account, it's quite unlikely that they would've been able to recover personal data, since developing a bypass for security measures like the ones on the Vision Pro usually takes a while.

> Is keeping the VisionPro (running a 2.0 beta) active on my personal iCloud account indefinitely like this okay

Security-wise, it should be safe, maybe even safer than visionOS 1, as it might include some security features and improvements that will be available in the autumn release.

Of course, with new beta features there's always a risk of introducing new vulnerabilities, but I don't think Activation Lock is particularly affected by these changes. If one found a security vulnerability in Activation Lock / Optic ID, I'd say there's a big chance it would be available on both visionOS 1 and 2.

> a risk to my private data and ID?

Activation Lock prevents them from using the device even if they reset it. And if they reset the device, there's likely no way they can access your private data: the on-device data was erased, and they cannot use the Vision Pro to connect to your iCloud account - in fact, all it does is require them to log in to your account to use the device.

So the question is what happens if they don't reset the device, since bypassing Optic ID would give them access to your iCloud account and on-device data. Removing your device from your account would revoke access to your iCloud, but is it likely they will bypass Optic ID?

Assuming the thief isn't a security expert, I think your personal data is fine. And even if they were an expert, they would need to find / wait for a vulnerability that bypasses Activation Lock / Optic ID, which would take some time to develop. If they were able to find one, I think they would be able to afford a Vision Pro.

Thanks CMDdev! Activation Lock protection does give me confidence now that you mention it, and I will leave the stolen device on my account! Additionally, I am taking extra steps to remove the credit cards on the device, and then to log into service accounts to force all device sessions to expire.
