I believe you can cross back over a section you already touched to make it a bit better, but yeah most people just used an extremely simple pattern that’s visible from across the room.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Responds to Report About Thieves Permanently Locking Out iPhone Users
- Thread starter MacRumors
- Start date
- Sort by reaction score
I believe you can cross back over a section you already touched to make it a bit better, but yeah most people just used an extremely simple pattern that’s visible from across the room.
well, if only Face ID worked all the time.. I have to enter the password half the time.. the phone is either too close , too far or wrong angle
Once you're logged in the phone, you can update the iCloud password without entering the old iCloud password. Then the thieves can disable Find My, and do anything they want with the data, saved passwords, etc.
A Screen Time passcode can be setup with or without Screen Time Passcode Recovery (see https://www.macworld.com/article/1531764/how-to-reset-screen-time-password-prevent-lockout.html). If the recovery mechanism is disabled, then circumventing the Screen Time passcode may not be possible. As a consequence, a thief should be prevented from changing the Apple ID account or the iPhone passcode (assuming both have been configured to "Don’t Allow" in Content & Privacy Restrictions)?
How is there no issue? I never asked for my iPhone pin to also act as my Apple ID password.
Why do I even have a cryptic 20 character password when it can just be unlocked with a 6 digit pin? Total Bs, there needs to be a way to turn this **** off.
Then they'll point a gun at you and demand the icloud password as well...
I'm using Yubikeys for a reason, and Apple thinks I want to change my iCloud password with Passcode alone? This is madness and it needs to be fixed.
If you leave your keys at the bar and someone takes them, they'll still have to figure out which of the potentially millions of homes you live in.
If someone gets your passcode and iPhone, they can drain your accounts, copy your credit card info, text your wife and boss..
Unfortunately, even if you set it up and skip recovery setup, the iOS device won't honor your choice. I tried and it still let me disable the screen time passcode with my Apple ID.
Basically, the passcode alone gives you the ability to:
-Disable Find My
-Reset/Remove Screen Time & All Account Protections Therein
-Reset Apple ID password
-Set/Remove 28 Character Recovery Key
-Remove Recovery Contacts
-Remove Hardware Keys
Even if you have hardware security keys on your account, you're roasted if a thief just has your passcode.
You need to disable account changes when you set up screen time pin, it's under screen time -> restrictions. After that I haven't found a way to do any of your points.
But if you don't have that screen time restrictions set up, I agree with you. A strong apple id password or yubikeys / hardware security keys are worth less than a "please do not steal" sticker on your iPhone when someone gains access to your phone and pin.
Guys, thieves in Brazil steal phones unlocked, from cars in traffic, using bicycles on the street, whilst people are talking etc
We usually setup screentime passcode BUT DISABLE recovery using email/Apple ID. It stores the Screentime passcode locally. Just don’t forget it.
We also time limit all important apps to 1 min, so basically you need to know the screentime passcode even to access bank/financial apps.
We usually setup screentime passcode BUT DISABLE recovery using email/Apple ID. It stores the Screentime passcode locally. Just don’t forget it.
We also time limit all important apps to 1 min, so basically you need to know the screentime passcode even to access bank/financial apps.
Not sure, why anyone would use a PIN code instead of Face ID?
The Wall Street Journal's Nicole Nguyen and Joanna Stern today published a report highlighting how thieves can use Apple's optional recovery key security option to permanently lock out iPhone users from their Apple ID account.
As the journalists first revealed in February, there have been increasing instances of thieves spying on an iPhone user's passcode in public and then stealing the device in order to gain widespread access to the device and its contents, including financial apps. All of the victims interviewed in the initial report said their iPhones were stolen while they were out socializing at bars and other public places at night.
With knowledge of the iPhone's passcode, a thief can easily reset the victim's Apple ID password in the Settings app, even if Face ID or Touch ID is enabled. Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud.
Today's report places more focus on an additional step that thieves can take: using the stolen device to set or reset a recovery key, a randomly generated 28-character code that is required to regain access to an Apple ID once enabled.
"Apple's policy gives users virtually no way back into their accounts without that recovery key," the report states. With unmitigated access to a stolen iPhone, the device's passcode, and the Apple ID password, thieves can steal money via Apple Pay and potentially other banking apps, view sensitive information like photos and emails, and more.
Apple's website does warn that losing access to both your trusted devices and recovery key means that "you could be locked out of your account permanently." In this scenario, however, thieves spying on iPhone passcodes before stealing the devices means that victims only need to lose their device in order to potentially be permanently locked out. The report serves as a valuable reminder to protect your iPhone's passcode in public.
For more details, read our previous coverage.
Apple Responds
In a statement shared in response to the report, Apple said it is "always investigating additional protections against emerging threats like this one."
"We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare," an Apple spokesperson told The Wall Street Journal. "We work tirelessly every day to protect our users' accounts and data, and are always investigating additional protections against emerging threats like this one."
How to Stay Protected
iPhone users should use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.
The report also recommends that users switch from a four-digit passcode to an alphanumeric passcode, which would be more difficult for thieves to spy on. This can be done in the Settings app under Face ID & Passcode → Change Passcode.
To protect a bank account, consider storing the password in a password manager that does not involve the device's passcode, such as 1Password.
Users can enable Screen Time parental controls to further lock down their device, the report adds.
Article Link: Apple Responds to Report About Thieves Permanently Locking Out iPhone Users
Why isn't anyone asking these questions?
I've never had a need to use a PIN code in a public place!
Who are these fools? 😡
And then the problem would be the people that forget their Apple ID,
I suspect, there are many more of them, than the robbed ones 😏
Both sets are not too smart 😡
BTW, none of the alleged victims ha their phone stolen forcibly, never mind at gun point!
"Some victims said the iPhones were grabbed out of their hands by strangers, while others said they were physically assaulted and intimidated. The report provides specific examples of these instances."
I changed my passcode to an obnoxiously awkward alpha-numeric string about five years ago, and I really do feel more confident that it can't be hacked.
After the recent (untimely) death of my Father, the steps I made trying to recover/hack his passwords/passcode passed far beyond comedy.
So, it's so: I delved into the world of John the Ripper, et al. as fervent as any thief.
I leaned more into the world of regex. I found that cuda was as tedious as I had always imagined it would be. I waited days for multiple de-hashings to complete (mostly, I used various linuxii running on a dual Xeon 5675 (12-core; 24-thread) with a nVidia 980Ti).
Nada. Nilch. Nothing.
I held (what I thought was) a lot of hints, clues and starting-points.
Even paid for some cloud-time with some services which I assumed to be in posesion of multiples of the aforementioned I have under my desk.
All to no avail.
Only saving grace in the process is that he had an iPad (v9) to which he had not applied a passcode.
From there, I was (eventually) able to perform a re-set of his iCloud account, and transfer that designated email to mine, from which I was able to achieve access to the entirety of his iCloud.
I still cannot gain access to his local.keychain (and--let me tell you--I
This is just what I attempted/had to do just to try to get access to a few accounts and emails so I could let any parties (that might be concerned) know that he had shuffled-off the Mortal Coil :/
But, I digress...
When I'm 'Out In The Field' (in a hole; with my gloves on), and something important claims my iPhone, there is not much that's more irritating than swiping-up on a Face ID-enabled device, only to have it assert that I must enter my obnoxiously awkward alpha-numeric string passcode (which it does, 3/10 times) <grr>
Regards, splifingate
After the recent (untimely) death of my Father, the steps I made trying to recover/hack his passwords/passcode passed far beyond comedy.
So, it's so: I delved into the world of John the Ripper, et al. as fervent as any thief.
I leaned more into the world of regex. I found that cuda was as tedious as I had always imagined it would be. I waited days for multiple de-hashings to complete (mostly, I used various linuxii running on a dual Xeon 5675 (12-core; 24-thread) with a nVidia 980Ti).
Nada. Nilch. Nothing.
I held (what I thought was) a lot of hints, clues and starting-points.
Even paid for some cloud-time with some services which I assumed to be in posesion of multiples of the aforementioned I have under my desk.
All to no avail.
Only saving grace in the process is that he had an iPad (v9) to which he had not applied a passcode.
From there, I was (eventually) able to perform a re-set of his iCloud account, and transfer that designated email to mine, from which I was able to achieve access to the entirety of his iCloud.
I still cannot gain access to his local.keychain (and--let me tell you--I
This is just what I attempted/had to do just to try to get access to a few accounts and emails so I could let any parties (that might be concerned) know that he had shuffled-off the Mortal Coil :/
But, I digress...
When I'm 'Out In The Field' (in a hole; with my gloves on), and something important claims my iPhone, there is not much that's more irritating than swiping-up on a Face ID-enabled device, only to have it assert that I must enter my obnoxiously awkward alpha-numeric string passcode (which it does, 3/10 times) <grr>
Regards, splifingate
If the thief has the passcode and gets into Settings, I suppose you’d better hope that your Apple login isn’t in your keychain. If it is, they just copy your Apple ID password and do whatever they want, right? Or am I missing something?
For people who have multiple Apple devices using the same Apple ID, they could make it an option that you can't change Apple ID passwords on one device without either your original password, or access to your second Apple device.
If they’re in your Settings, they have your original password if it’s in your keychain, don’t they?
Yes. I don't use iCloud Keychain for security purpose threats like what you mentioned.
There is a 2FA but it just sends the code to the registered phone number…and if the crook stole the phone…
If the thief only knows the device passcode, is there any way for them to disable the screen time passcode? I can't find any. They need the iCloud password to disable the screen time restriction, but they need the screen time restriction lifted in order to change the iCloud password. Is there a different workaround?
You're right that if you cancel out of the iCloud recovery for the screen time passcode, the device doesn't honor that and will still accept the primary iCloud password. This is clearly a bug. If this is a concern (a thief who knows the iCloud password without having gotten in to change it is far less of a possibility; most likely someone who knows the victim well), you could setup a secondary iCloud account to use for screen time passcode recovery. I tried this and it works - if I try the primary iCloud account with the correct password, it logs that as a failed passcode attempt. [There's a separate issue that the behavior is different depending on whether the primary (non-screen time) iCloud password is entered correctly; this could tell an attacker whether they have the right primary account password, which is a big security no-no. Apple certainly has a lot they could shore up here!]
Apple says nothing until they have a solution. Perhaps they will have changes to how they handle these issues by iOS 17 in September, they won't sit still on this with the PR heat turning up on them.
but Stern and the WSJ are high profile enough that Apple can't and won't ignore them. Sure they won't say anything now or admit flaws but I bet we see changes in how Apple handles these issues perhaps by this fall with iOS 17.