Apple Responds to Report About Thieves Permanently Locking Out iPhone Users

[Admiral]

All of this is common sense. You can't expect a 4-digit passcode to be all that secure. If you feel paranoid, use an alphanumeric passcode, aka password, instead.

I use a 29-digit numeric passcode. Easy for me, less easy for shoulder surfers.

 

[ypl]

CASE CLOSED ?

iOS 17.3 Beta Adds New Stolen Device Protection Feature to iPhone

The first iOS 17.3 beta rolling out to developers today includes a new "Stolen Device Protection" feature that is designed to add an...

www.macrumors.com

 

[I7guy]

CASE CLOSED ?

iOS 17.3 Beta Adds New Stolen Device Protection Feature to iPhone

The first iOS 17.3 beta rolling out to developers today includes a new "Stolen Device Protection" feature that is designed to add an...

www.macrumors.com

Could be. We’ll see shortly.

 

[Pleonasm]

The description of the Stolen Device Protection feature seems to imply that the user must have Significant Locations enabled (Settings | Privacy & Security | Location Services | System Services | Significant Locations). Otherwise, how will Apple know that an "iPhone is in familiar locations, such as at home or work"?

 

[Morac]

The description of the Stolen Device Protection feature seems to imply that the user must have Significant Locations enabled (Settings | Privacy & Security | Location Services | System Services | Significant Locations). Otherwise, how will Apple know that an "iPhone is in familiar locations, such as at home or work"?

You probably won’t be able to bypass the 1 hour delay with significant locations disabled, but the rest of stolen device protection should still work.

 

[Pleonasm]

My understanding is that the Stolen Device Protection feature in iOS 17.3 will prevent a thief from changing a user's Apple ID password - presumably, even during the process of attempting to circumvent or reset a Screen Time passcode.

As a consequence, does this now mean that Screen Time restrictions in iOS 17.3 will serve as a robust security measure (e.g., Settings | Screen Time | Content & Privacy Restrictions | Account Changes = Don't Allow), assuming that Screen Time Passcode Recovery is disabled?

 

[Morac]

I don’t see a reason to use Screentime passwords at all with Stolen Device Protection as it stops the entire mechanism thieves were using to change the Apple ID password.

The only way thieves could change the Apple ID password would be to also kidnap the phone owner so that they could use Face or Touch ID to change the Apple ID password even with the 1 hour delay.

There is a slight danger to enabling the stolen device protection, in that if TouchID or FaceID doesn’t work, you are effectively locked out of doing a lot of security related things on the device. I know my Dad’s TouchID doesn’t work in wintertime for some reason. That’s less of an issue with FaceID, but if the person gets into an accident or something the phone could become unusable.

Presumably stole device protection is enabled on a per-device basis so it would still be able to do some account related things on another device.

 

[ypl]

I don’t see a reason to use Screentime passwords at all with Stolen Device Protection as it stops the entire mechanism thieves were using to change the Apple ID password.

The only way thieves could change the Apple ID password would be to also kidnap the phone owner so that they could use Face or Touch ID to change the Apple ID password even with the 1 hour delay.

There is a slight danger to enabling the stolen device protection, in that if TouchID or FaceID doesn’t work, you are effectively locked out of doing a lot of security related things on the device. I know my Dad’s TouchID doesn’t work in wintertime for some reason. That’s less of an issue with FaceID, but if the person gets into an accident or something the phone could become unusable.

Presumably stole device protection is enabled on a per-device basis so it would still be able to do some account related things on another device.

There are reasons (use cases). Example: I have lots of files in iCloud Drive enabled only in macBook, but disabled in iOS for security reasons (lots of private, sensitive information). SDP doesn't stop thief to enable iCloud Drive in iOS settings if not disabled by ScreenTime options.
My opinion - whole Settings app should be protected by Face/Touch ID when SDP active. For now it is more complicated that it should be.

 

[Morac]

There are reasons (use cases). Example: I have lots of files in iCloud Drive enabled only in macBook, but disabled in iOS for security reasons (lots of private, sensitive information). SDP doesn't stop thief to enable iCloud Drive in iOS settings if not disabled by ScreenTime options.
My opinion - whole Settings app should be protected by Face/Touch ID when SDP active. For now it is more complicated that it should be.

Stolen device protection (SDF) doesn’t do anything for non-security related features. As neither iCloud Drive nor ScreenTime are considered security, it won’t do anything for that.

For iCloud Drive I would suggest either using password protected files or putting sensitive information in Notes which can be password protected.

The plus side of is that because a thief can’t change the Apple ID password you can mark the device as lost which will disable using the passcode to unlock the phone so the thief will only have a limited amount of time to use the device.

 

[ypl]

Stolen device protection (SDF) doesn’t do anything for non-security related features. As neither iCloud Drive nor ScreenTime are considered security, it won’t do anything for that.

For iCloud Drive I would suggest either using password protected files or putting sensitive information in Notes which can be password protected.

The plus side of is that because a thief can’t change the Apple ID password you can mark the device as lost which will disable using the passcode to unlock the phone so the thief will only have a limited amount of time to use the device.

Disabling access to my files is non-security related topic? That's quite bold statement, really.

Actually, for now I'm using "off-labeled" Screen Time + SDF, which protects my iCloud Drive files, keychain passwords, etc. from being accessed by thief knowing my passcode. I like it. I think that's a lot better solution than protecting hundreds of files with password. Of course, YMMV.

 

[Morac]

Disabling access to my files is non-security related topic? That's quite bold statement, really.

What I said is iCloud Drive is not a security feature which can result in the device or Apple account being stolen. As such device protection is not designed to prevent access to iCloud Drive.

 

[ypl]

What I said is iCloud Drive is not a security feature which can result in the device or Apple account being stolen. As such device protection is not designed to prevent access to iCloud Drive.

You're trying to explain Apple's aproach hidden behind the name of the feature. I understand that approach but for me it is bad approach.
Stolen Device Protection should (as name suggest) protect user when his/her device is stolen with device passcode potentially leaked (definitely weak point of security architecture). That means in particular protecting:
A/ Device from being reused by unauthorized person
B/ AppleId - password reset, etc.
C/ iCloud data.

For last point it should mean protecting:
1/ keychaing passwords
2/ e-mails/SMS (3pty passwords can be reset by means of sending "password reset message")
3/ iCloud Drive files (health records, private letters, CV with personal data, etc.)
4/ turning on/off synchronization of certain iCloud data in Settings
5/ other (?)

All of the above should be protected by means of one feature. For now its partially available by means of use of SDP + "off-labeled" Screen Time. In my opinion it's an inconsistent mess.

 

[Pleonasm]

Stolen device protection (SDF) doesn’t do anything for non-security related features. As neither iCloud Drive nor ScreenTime are considered security, it won’t do anything for that.

But, if Stolen Device Protection (SDP) closes the existing loophole that allows a Screen Time passcode to be reset by changing an Apple ID password, then SDP has substantially increased the robustness of Screen Time itself - correct?

 

[Morac]

But, if Stolen Device Protection (SDP) closes the existing loophole that allows a Screen Time passcode to be reset by changing an Apple ID password, then SDP has substantially increased the robustness of Screen Time itself - correct?

No idea. I don’t use Screentime as it’s been broken for several iOS versions.

 

[Pleonasm]

There is a new and interesting video from the Wall Street Journal, in which a convicted thief describes the techniques used to steal an iPhone and its passcode - and, then leverage the valuable contents stored on the device.

 

[Michael Scrip]

There is a new and interesting video from the Wall Street Journal, in which a convicted thief describes the techniques used to steal an iPhone and its passcode - and, then leverage the valuable contents stored on the device.

Thanks!

Here's the video on Youtube: