Apple Responds to Report About Thieves Permanently Locking Out iPhone Users

[dk001]

Circumventing a Screen Time passcode by performing an Emergency Reset (Settings | Privacy & Security | Safety Check) is an intriguing idea. But, if this worked, wouldn’t a child use it to easily bypass the Screen Time restrictions placed on an iPhone by their parents? I have not seen reports that such is the case, which causes me to question the concept.

The Apple documentation only says “If your iPhone has Screen Time restrictions turned on or has a mobile device management (MDM) profile installed, you can still use Safety Check, but some functionality may not be available.” I do not see any indication in the documentation that Safety Check (Emergency Reset) disables the Screen Time passcode. In addition, although emergency contacts can be updated, there is no mention that recovery contacts can be changed by using Emergency Reset.

Yet, I recognize could certainly be mistaken, and look forward to hearing more about this possibility from the community….

My daughter and granddaughter have iPhones and set up as parent and child. The passcode for the child phone is different than the passcode for the parent device. Cannot unlock with this on the child’s phone but you can on the parent device.

So the kid is better protected tab mom or dad.

 

[Pleonasm]

Few cents from me… as I have sent to Apple 2 ways to reset iCloud using data found on “stolen” iPhone and its passcode they answered in PR words which can be translated to human as: “we don’t give a f, Screen Time is made for other purposes than protecting security but we still are focused on privacy and security”.

Huge facepalm 🤦‍♂️

@addamas, I agree with the perspective of Apple that a Screen Time passcode cannot prevent a thief from resetting an Apple ID password.

However, it appears that a Screen Time passcode (with Screen Time Passcode Recovery disabled) may prevent a thief from changing a Recovery Contact (or Recovery Key), as described here. As a consequence, the owner of the iPhone should be able to reset the Apple ID, relying on the use of a Recovery Contact; and thereby regain access to iCloud.

Thoughts?

 

[Pleonasm]

My daughter and granddaughter have iPhones and set up as parent and child. The passcode for the child phone is different than the passcode for the parent device. Cannot unlock with this on the child’s phone but you can on the parent device.

So the kid is better protected tab mom or dad.

@dk001, can you please elaborate on this experiment? I'm interested to learn more, but I don't precisely understand what you did here....

 

[dk001]

@dk001, can you please elaborate on this experiment? I'm interested to learn more, but I don't precisely understand what you did here....

My daughter has two iPhones - 11PM and 12. She uses the 11PM and her daughter has the 12.

The 12 is setup via ST to lock down pretty much.
The access passcode for the device on the 11PM is not the same as the 12. ST passcode is different than device access code.

Since it is set up this way I asked her to try something with the ST passcode.
She has set the accounts up as parent/child along with a myriad of ST settings including not allowing ST PC recovery. Despite an inquisitive child and Google this has worked well for her.

I asked her to see if she could trigger reset of the ST passcode from either device via forgot PC.. She tried on the 12 and it would not allow. Totally greyed out. She went on her 11PM and even though it was set to not allow she said she was able to use the Forgot Passcode.
Both devices are on 16.4.

Not sure if this is what you are looking for. Let me know and I can ask further.

ps: Spellcheck really really sucks on beta.

 

[Pleonasm]

My daughter has two iPhones - 11PM and 12. She uses the 11PM and her daughter has the 12.

The 12 is setup via ST to lock down pretty much.
The access passcode for the device on the 11PM is not the same as the 12. ST passcode is different than device access code.

Since it is set up this way I asked her to try something with the ST passcode.
She has set the accounts up as parent/child along with a myriad of ST settings including not allowing ST PC recovery. Despite an inquisitive child and Google this has worked well for her.

I asked her to see if she could trigger reset of the ST passcode from either device via forgot PC.. She tried on the 12 and it would not allow. Totally greyed out. She went on her 11PM and even though it was set to not allow she said she was able to use the Forgot Passcode.
Both devices are on 16.4.

Not sure if this is what you are looking for. Let me know and I can ask further.

ps: Spellcheck really really sucks on beta.

Hello, @dk001. Based on your experiment, it appears that when Screen Time Passcode Recovery is disabled, it successfully prevents a recovery of the passcode on the child's iPhone - but, not on the parent's iPhone?

If possible, please ask the parent to double-check the setup of the Screen Time passcode on their device, since it is easy to inadvertently make a configuration mistake; and try again to recover the passcode using the "Forgot Passcode" option.

• Remove the existing Screen Time passcode (Settings | Screen Time | Turn Off Screen Time).
• Enter the four-digit Screen Time passcode (Settings | Screen Time | Turn On Screen Time); and also select "This is My [device]" when prompted.
• Press “Cancel” (upper left corner) in response to the prompt “Screen Time Passcode Recovery: If you forget the Screen Time passcode, you can use your Apple ID to reset it.”
• Press “Skip” in response to the prompt “Are you sure? Using an Apple ID gives you a secure way to reset the Screen Time passcode if you forget it.”
• Try to change the Screen Time passcode using the recovery process (Settings | Screen Time | Change Screen Time Passcode | Forgot Passcode).

P.S.: A recent post on the Apple Support Community (which is designated "Apple recommended") says: "...the passcode recovery feature will be turned off, and you will not be able to reset your Screen Time passcode using your Apple ID. Note that turning off passcode recovery will also delete any existing Screen Time passcode recovery data from Apple's servers."

 

[dk001]

Hello, @dk001. Based on your experiment, it appears that when Screen Time Passcode Recovery is disabled, it successfully prevents a recovery of the passcode on the child's iPhone - but, not on the parent's iPhone?

If possible, please ask the parent to double-check the setup of the Screen Time passcode on their device, since it is easy to inadvertently make a configuration mistake; and try again to recover the passcode using the "Forgot Passcode" option.

• Remove the existing Screen Time passcode (Settings | Screen Time | Turn Off Screen Time).
• Enter the four-digit Screen Time passcode (Settings | Screen Time | Turn On Screen Time); and also select "This is My [device]" when prompted.
• Press “Cancel” (upper left corner) in response to the prompt “Screen Time Passcode Recovery: If you forget the Screen Time passcode, you can use your Apple ID to reset it.”
• Press “Skip” in response to the prompt “Are you sure? Using an Apple ID gives you a secure way to reset the Screen Time passcode if you forget it.”
• Try to change the Screen Time passcode using the recovery process (Settings | Screen Time | Change Screen Time Passcode | Forgot Passcode).

P.S.: A recent post on the Apple Support Community (which is designated "Apple recommended") says: "...the passcode recovery feature will be turned off, and you will not be able to reset your Screen Time passcode using your Apple ID. Note that turning off passcode recovery will also delete any existing Screen Time passcode recovery data from Apple's servers."

I’ll reach out and ask.

 

[citivolus]

@addamasHowever, it appears that a Screen Time passcode (with Screen Time Passcode Recovery disabled) may prevent a thief from changing a Recovery Contact (or Recovery Key), as described here. As a consequence, the owner of the iPhone should be able to reset the Apple ID, relying on the use of a Recovery Contact; and thereby regain access to iCloud.

Thoughts?

If a thief has been able to change your Apple ID password as previously confirmed, can't they just add a new Apple device to your account and then use that device to change the Recovery Contact?

 

[Reason077]

"OMG!!!!! I left my keys on at the bar when I was drunk! I'm gonna sue Schlage for making it so easy for the guy who took 'em to break into my house!"

Do stupid things, win stupid prizes. Sorry folks, it may sound harsh but don't do stupid things!

No, this is more like leaving the keys at the bar when you were drunk, and then coming home to find the thief has not only broken in, but convinced the land registry to sign over the property title.

 

[lindros2]

No, this is more like leaving the keys at the bar when you were drunk, and then coming home to find the thief has not only broken in, but convinced the land registry to sign over the property title.

Or like a thief broke into a car, and stole a gun.

 

[ric22]

What a monumental balls up by Apple.

Shame on anyone that commented "don't be such an idiot and let your phone be stolen." I'm disappointed to share this forum with such cretins.

 

[bushman4]

Bottom Line: Your iPhone lacks the security that it should have, If a thief can use your password which we all use at times and take over your iphone by changing settings than Apple needs to introduce a better security system

 

[lindros2]

Bottom Line: Your iPhone lacks the security that it should have, If a thief can use your password which we all use at times and take over your iphone by changing settings than Apple needs to introduce a better security system

not entirely true.
We've all bought into the Apple ecosystem.

Don't like it? Don't use it. Don't use iCloud. Don't use Photos, Wallet, and other services.
Use third party stuff which you can maintain access to.

Sorted.

 

[dk001]

not entirely true.
We've all bought into the Apple ecosystem.

Don't like it? Don't use it. Don't use iCloud. Don't use Photos, Wallet, and other services.
Use third party stuff which you can maintain access to.

Sorted.

People need to stop making excuses for Apple. The “just move to Android” is tiring and disingenuous.

I am sure this is an issue that was not originally identified AND folks need to remember that TouchID and FaceID were for convenience of not having to type you passcode/password in all the time.

Just hope that Apple addresses this. This should not be a difficult fix.

 

[lindros2]

People need to stop making excuses for Apple. The “just move to Android” is tiring and disingenuous.

I am sure this is an issue that was not originally identified AND folks need to remember that TouchID and FaceID were for convenience of not having to type you passcode/password in all the time.

Just hope that Apple addresses this. This should not be a difficult fix.

Not saying android.
Saying if undies in a wad, don’t use the services.

 

[Morac]

What’s annoying is iCloud used to be secure, but a few years ago Apple made it possible to reset the Apple ID password with nothing but the phone passcode because too many people were forgetting their Apple ID password. Basically Apple chose convenience over security.

 

[dk001]

Not saying android.
Saying if undies in a wad, don’t use the services.

Apple makes that difficult for the average user. On purpose. They want the user to use all their services.
You want to use something else on an iPhone? Jump through hoops.
Welcome to the circus.

 

[BaErv]

I speak Applese so I'll translate..."if a thief gets your passcode you're f***ed".

 

[citivolus]

@addamasHowever, it appears that a Screen Time passcode (with Screen Time Passcode Recovery disabled) may prevent a thief from changing a Recovery Contact (or Recovery Key), as described here. As a consequence, the owner of the iPhone should be able to reset the Apple ID, relying on the use of a Recovery Contact; and thereby regain access to iCloud.

Thoughts?

If a thief has been able to change your Apple ID password as previously confirmed, can't they just add a new Apple device to your account and then use that device to change the Recovery Contact?

I just tried this and it works. If someone steals your Passcode, they can they use that device to change your Apple ID password, then add a spare iPhone to your Apple account, then remove your Recovery Contact. Unfortunately there doesn't seem to be any way at this point to be able to regain access to your Apple account.

 

[bobcomer]

I just tried this and it works. If someone steals your Passcode, they can they use that device to change your Apple ID password, then add a spare iPhone to your Apple account, then remove your Recovery Contact. Unfortunately there doesn't seem to be any way at this point to be able to regain access to your Apple account.

Apple's going to have to figure out a way to recover your account. I don't care if it's snail mail for the registration and snail mail to unlock it, it just has to be done. At this rate I'll just carry my android phone and leave the iphone at home, but dang it, that means I have to do something for Microsoft authenticator for work. Yes, android has it too, but there's no way to transfer them that I know of. There's no better security than physical security.

 

[dk001]

Apple's going to have to figure out a way to recover your account. I don't care if it's snail mail for the registration and snail mail to unlock it, it just has to be done. At this rate I'll just carry my android phone and leave the iphone at home, but dang it, that means I have to do something for Microsoft authenticator for work. Yes, android has it too, but there's no way to transfer them that I know of. There's no better security than physical security.

Transferring ms authenticator to another phone - Microsoft Q&A

Hello everyone I was able to transfer my office 365 records to a new phone, using a cloud backup. But I see an error that I need to activate them all again, that is, go through the full setup again. I have a lot of such records, the question is,…

learn.microsoft.com

 

[bobcomer]

Transferring ms authenticator to another phone - Microsoft Q&A

Hello everyone I was able to transfer my office 365 records to a new phone, using a cloud backup. But I see an error that I need to activate them all again, that is, go through the full setup again. I have a lot of such records, the question is,…

learn.microsoft.com

That really doesn't fit my situation, it's a different problem, but the gist is the same pretty much, I have to re-set it up under Microsoft Authenticator on an android phone, there's no way to transfer between MS Authenticator on Apple to MS Authenticator on android.

 

[pdoherty]

The technology isn't there, though, at least not to Apple's standards. In-display readers are still slower and less reliable than Touch ID was. Plus, Face ID is better in just about every way.

I had Samsung phones several years ago that has fingerprint readers conveniently on the back of the phone (where our fingers could easily reach while holding it). Why does a fingerprint reader even need to be on the front?

 

[pdoherty]

Yes you did. See above.

I believe he meant he never had to use the passcode because the TouchID failed to work (like FaceID does routinely).

 

[pdoherty]

FaceID. It's super fast (far faster than typing in a code) and works amazingly well. The number of times I have to enter my iPhone passcode manually (other than after a phone reboot) is extremely small and therefore highly unlikely to happen in a busy public place.

Others have pointed out the issues with FaceID - it fails a lot and if a thief wanted to they could force you to present your face to unlock it.

I think Apple should implement an extra FaceID 'pose', that's a 'duress pose', intended to immediately lock and wipe the device. For example you with your tongue sticking out of your mouth, or what have you. That way, even if forced to unlock the phone, you would deny them access and they'd be running off with a brick.

 

[pdoherty]

I think the ultimate solution here is that Apple must make it so that a device/passcode combination cannot be used for the following on their own:

1. Changing Apple ID password.
2. Creating or changing a recovery key.
3. Creating or changing a recovery contact.
4. Creating of changing a trusted phone number.
5. Turning on or updating 2FA.
6. Adding or updating physical security keys.

7. Disabling Find My Device functionality (which includes the ability to erase a remote device)