but Stern and the WSJ are high profile enough that Apple can't and won't ignore them. Sure they won't say anything now or admit flaws but I bet we see changes in how Apple handles these issues perhaps by this fall with iOS 17.
It needs to be solved for devices stuck on iOS/iPadOS 16 and before, too.

it might be, apple has certainly done late updates to an old iOS version before. that said, let's call this what it is... very, very rare. it requires social engineering for them to both see your code and then steal the phone. while it happens, I believe apple that it is many, many, many times more likely someone just forgets their iCloud password and would lose everything if not for the ability to change it with the phone passcode (which people don't forget because they use it often.) it's a tough and RARE problem, so I could see apple investing their resources in only fixing it for devices that support iOS 17, which likely represent SIX YEARS worth of phones based on the current rumors. to ask apple to fix the issue on devices more than six years old when the issue is very, very rare might be a bit much to ask.
Just use Face ID or Touch ID and you should be fine. At times like this, I wish Apple had introduced an In-Display Fingerprint Scanner. The technology is obviously there.

All one has to do is turn on Screen Time > Content & Privacy Restrictions > Passcode Changes > Don't Allow. Be sure to use a different passcode for Screen Time.

Oh, and Account Changes (Don't Allow). Thanks for that tip @ypl.


It's also a good idea to disable "Account changes". It blocks access to all iCloud settings. It's hardly ever used by the owner (requires enabling in Screen Time settings if access is needed), and a thief definitely shouldn't have access to this critical part of Settings.
All good ideas. 👍🏽

Social engineering and deliberate observation for criminal intent to steal both the phone and passcode are different.

Shoulder surfing is quite common but not with malicious intent. We have all deliberately or inadvertently seen someone’s passcode.

btw - this has been going on for a long time and Apple and Android could have fixed this long ago.
They haven’t.

unfortunately, even with the screen time passcode set to something different, and with screen time preventing account changes... you STILL can change the Apple ID (iCloud) password through the emergency reset process using nothing more than the iPhone passcode. it's an intentional loophole in the system that Apple provides to "protect" an iCloud account from the more common "forgetful" user vs. thief.
"OMG!!!!! I left my keys on at the bar when I was drunk! I'm gonna sue Schlage for making it so easy for the guy who took 'em to break into my house!"

Do stupid things, win stupid prizes. Sorry folks, it may sound harsh but don't do stupid things!
Very self-centered of you. What about the people that get held up at gunpoint for their phone and passcode? This is exactly what happened to my friend, and the thieves used this method to lock them out of their iCloud and had access to everything.
 
Others have pointed out the issues with FaceID: it fails a lot, and if a thief wanted to, they could force you to present your face to unlock it.
The article was talking about thieves learning the passcode of the phone by watching a user enter the passcode, then later stealing the phone and using that passcode to lock users out of their Apple ID account.

Yes, thieves can force you to present your face to unlock your phone, but they would still lack the passcode, which is required for password changing, disabling Find My, etc.

Using FaceID as the default method of unlocking your phone almost eliminates this as a possibility.

My and my family's experience with FaceID has been that it is pretty solid. The only time it fails to the point that I need to enter my passcode is if I have my near-mirror reflective running sunglasses on. Yes, you need to enter your passcode after a reboot, but as far as being in public, I don't recall the last time I had to enter my passcode to unlock my phone.

Other people's experiences may differ, of course, but even if someone only used FaceID 80% of the time, that's still a dramatic risk-reduction for the type of issue mentioned in the article.


I think Apple should implement an extra FaceID 'pose', that's a 'duress pose', intended to immediately lock and wipe the device. For example you with your tongue sticking out of your mouth, or what have you. That way, even if forced to unlock the phone, you would deny them access and they'd be running off with a brick.
Yeah, something like that would be nice, though, I might not say 'immediately'. Would suck to accidentally present your own duress pose and nuke your phone unintentionally. :D Maybe a lock-out that would require you to log in to your Apple ID account on some other device, the web, etc, to unlock it.
If you are going to be the victim of armed robbery, it doesn't really matter how many layers there are. If the choice is to provide the information even if multiple layers of security exist or get shot, I assume most rational people would provide the information.

Additional multiple layers of security really benefit those whose passcode may have been compromised and whose phone is snatched or pick-pocketed. For those people, some situational awareness combined with a complex password and the use of Face ID would greatly reduce these types of social attacks.
 
I noticed on my wife's iPhone 12 last night, I went to install an app for her (she was borrowing my DJI Gimbal to shoot video, so I was installing the app). The App Store required Face ID, and when that failed, it did NOT ask for a PIN; it went straight to the Apple ID password.
Why is installing a free app more secure than changing the Apple ID through the OS??
It’s not. If your Apple ID password were the fallback for Face ID and Touch ID, then the thief would now know your Apple ID password as opposed to your device passcode, so they would be able to access your device and reset the Apple ID password.

I’m not sure how that’s better than the thief knowing your device passcode.
Well, being that her password is something like 28 alphanumeric characters, I don't think a thief is going to be able to read and remember that over her shoulder at a bar.
 
So why not just make the device passcode 28 alphanumeric characters?
I could, but that's not the issue here. The fallback for FaceID IS a 4-6 digit code. And if you can gain that code, it allows you, with no other prevention, to change the Apple ID password and take over the account.
Yes, changing the passcode to alphanumeric is a good step, but simply removing the option to take that 4-6 digit code and possibly hijack someone's life with credit cards and bank accounts seems lacking on Apple's part.
Huh? If you change the passcode to 28-character alphanumeric, then the fallback for Face ID is a 28-character alphanumeric. I'm not quite sure you know what you are talking about here.
Does anyone prefer the unlocking pattern they have on Android smartphones?
It’s not Apple, therefore no.
 
Does anyone know if the Account Recovery Contact method provides a defense against this passcode method to hijack accounts?
 
I haven't tested this myself yet but Apple might have fixed this security risk:

I have just tested this again (first time since May), and in iOS 17, with the 28-digit Recovery Key set, I am finding it impossible to change the Apple ID account password if a Screen Time passcode is set.

-----------
ETA: according to threads on MR and TidBITS, Apple has not issued a fix.
So, any update on this subject? Would the Screen Time passcode option be the best solution?
It _is_ the best solution in my opinion. Just, when setting up ST:
  • provide a different AppleId/password as the recovery method for the ST passcode (e.g. ask your spouse/friend to input their AppleId)
  • always set a Trusted Phone Number *different* from the one installed in your phone (again, your spouse's/friend's phone number).
I might be wrong, but from what I have learned until now, there is no way to reset the ST passcode with the above configuration by an unauthorized person not having access to the AppleId and TPN mentioned above.
Without the device passcode, the damage on a stolen unlocked phone can be mitigated by setting an ST passcode and locking down sharing, passwords and accounts. My financial apps require Face ID, so they are protected. Emails and other apps that don't have Face ID obviously can be opened. A passcode can be put on the SIM card, if present, but obviously a SIM card can be removed and the phone powered off.

As far as resetting your Apple ID, I believe the device passcode is still needed.