That is true. That did happen. But it still remains to be determined if the screen time password can be overridden.
I already proved it on my own phone. Others have too. Try it yourself on your phone. Sad but true! Apple needs to fix this flaw.
 
tl;dr: Shoulder Surfing attacks can happen with our phones too. This is why we have Face ID and Touch ID.

Once again: The iPhone and iPad ruined a generation of computer users. Apple's made so many people soft and forget basic cybersecurity as they think their phone and Apple will do it all for them.
How does not knowing cybersecurity equal soft? That’s a little much. Also, if you read the article, it’s social engineering; it’s outright assault to get passcodes, and shoulder surfing. It’s a multi-pronged attack on the victim.
 
Post your screenshot after you select "Change Screen Time Passcode" --> "Change Screen Time Passcode"
So yep, I was able to get to the screen to reset my Apple ID password. I didn’t go any further, but I can assume after resetting the Apple ID password I can change the Screen Time password… but I didn’t try, so I don’t know.

Observations:
- don’t use a simple password
- be aware of your surroundings and social engineering aspects of security
- Apple didn't design security around the "drunk people in a bar" requirement. As terrible as the story was as reported in the WSJ, they all could have been avoided
- set a screen time password
- set a recovery password and recovery/legacy account where possible
 
And iPhone occasionally asks for the passcode to unlock the phone at the most unfortunate times, even if you have done nothing to it to warrant this. Should just stick with asking for passcode 1. on restart, 2. on multiple Face ID attempts, and 3. user manually disables Face ID through a combined button press gesture.
Exactly, this is what some of these commenters don’t understand. From what I read, Apple does this so you don’t forget your passcode. I think it asks for your passcode every 6 days.
 
So yep, I was able to get to the screen to reset my Apple ID password. I didn’t go any further, but I can assume after resetting the Apple ID password I can change the Screen Time password… but I didn’t try, so I don’t know.

Observations:
- don’t use a simple password
- be aware of your surroundings and social engineering aspects of security
- Apple didn't design security around the "drunk people in a bar" requirement. As terrible as the story was as reported in the WSJ, they all could have been avoided
- set a screen time password
- set a recovery password and recovery/legacy account where possible
Unfortunately, even a longer password can still be snooped, but it will make it harder, especially if someone is snooping by videoing it. And with the Apple security flaws, all the other protections you have on your Apple ID account (Apple ID password, Screen Time password, recovery password, YubiKeys, etc.) can all be reset/removed by stealing the device after snooping the phone passcode. Your entire Apple ID account can be taken over by the attacker.
 
This is why I disagree with the users on here who keep saying passcode is more secure and stop using Face ID if you don't want people to take your phone and point it at you, etc. Perhaps the passcode is technically more secure, but it is practically way less secure. Face ID is secure especially if you enable "attention required." Always use Face ID. Never enter your passcode in public unless you are sure no one is looking at your screen (and to be extra secure, that no camera overhead is looking down at you).

Apple is not innocent either. Somehow they think it makes the phone more secure to occasionally demand your passcode at the most inconvenient times. This is way less secure. I have been asked for the passcode while in public and I actually waited until I went to a private location before entering it. Ask for it every restart, fair. But if the phone has been on and there are no multiple failed Face ID attempts, DO NOT ask for the passcode.
And Apple, without a way to opt out that I saw, decided that I had to enter my phone passcode to secure iCloud on the web, as a backup of sorts. But that just means being more exposed to this kind of thing.

Of course you can do what PayPal did and out of the blue make an old phone number the ONLY way to verify my account, effectively locking me out of the account forever.
 
Unfortunately, even a longer password can still be snooped, but it will make it harder, especially if someone is snooping by videoing it. And with the Apple security flaws, all the other protections you have on your Apple ID account (Apple ID password, Screen Time password, recovery password, YubiKeys, etc.) can all be reset/removed by stealing the device after snooping the phone passcode. Your entire Apple ID account can be taken over by the attacker.
All your accounts can. They can reset banking, anything, because it all flows back to the keychain being exposed by the stolen passcode. If they have your phone unlocked, two-factor authentication is worthless.
 
All your accounts can. They can reset banking, anything, because it all flows back to the keychain being exposed by the stolen passcode. If they have your phone unlocked, two-factor authentication is worthless.
Exactly! This Apple security flaw and low-level attack can expose everything!! So dangerous!
 
It's funny how some people are only discovering now that they need to keep their device passcode safe!
It’s not funny how Apple’s security flaw foolishly allows your Apple ID password to be reset with your device passcode, a code that most people at one time or another type in public and that is subject to snooping. It’s an easy low-level attack that can potentially take over not just your Apple account, but all your other accounts.
 
Sure, but did you expect that the knowledge of your passcode is all that is needed to completely lock the rightful owner out of their Apple ID and disable Find My?
Yes, [the thought of] getting locked out of my Apple ID is the biggie, since I migrated everything mission critical to that email address over the years and later put my important documents in the iCloud Drive tied to that ID. [and put almost all of my passwords in the keychain for that ID.]

While I would feel violated about having my phone stolen, I could get a new phone immediately. Undoing the damage of being locked out of my ID would be painful. I’m going to spend the weekend either protecting that ID or making it less potent.
 
Unfortunately, even a longer password can still be snooped, but it will make it harder, especially if someone is snooping by videoing it. And with the Apple security flaws, all the other protections you have on your Apple ID account (Apple ID password, Screen Time password, recovery password, YubiKeys, etc.) can all be reset/removed by stealing the device after snooping the phone passcode. Your entire Apple ID account can be taken over by the attacker.
Much modern security is based on what you have and what you know. If someone points a gun at your head and asks for the ATM password and card, unless one takes a ridiculous stance, they can get your money. Same for your house keys and security system password. And same for your phone.

My guess is if Apple made the iPhone impenetrable, few would use it. They took a reasonable stance between usability and security, even logging into appleid.apple.com for people who forget their Apple ID. They have a billion devices to support and, my guess is, devised a system from the perspective of an average user.

In order to break an account, one needs physical possession of the device and the passcode. While it’s terrible what happened, the WSJ took a few situations out of billions and sensationalized it.
 
If you go to Settings -> tap your name at the top -> Password & Security -> Change Password… you can change your Apple ID with only your device passcode.
I'm glad you brought that up. But that is not true in my case. I have two-factor on, and I have to acknowledge access through another device to continue. 14 Pro, Face ID, 6-digit code, latest iOS, and two-factor on. Good article for the ones who think that they are protected with a 4-digit passcode, or no passcode, or no Face ID, etc.
 
Much modern security is based on what you have and what you know. If someone points a gun at your head and asks for the ATM password and card, unless one takes a ridiculous stance, they can get your money.
They can withdraw the maximum allowed amount of cash, but they can’t use your PIN to put the account in their own name and remove you from having access to the bank.
 
Much modern security is based on what you have and what you know. If someone points a gun at your head and asks for the ATM password and card, unless one takes a ridiculous stance, they can get your money. Same for your house keys and security system password. And same for your phone.
But your ATM PIN is limited to just one account and a limited purpose. Your Apple ID can have the keys to all your accounts and documents.
 
They can withdraw the maximum allowed amount of cash, but they can’t use your PIN to put the account in their own name and remove you from having access to the bank.
If you set a recovery password and account, you can take it back. As for the bank, resetting a password usually takes a piece of information you know, like a security question. Apple Pay is problematic.

When you lose your credit cards, it’s a time game to notify the credit card companies. Same with the iPhone: to take back your account and wipe the iPhone.
 
Nope! The attacker can easily reset the recovery password.
I don't know yes or no about resetting the recovery account or password after it’s been set. But my point is about these being edge cases out of billions of devices and not the general case. If someone has your phone and password, yes, it’s a problem; not so much with just the phone.

The same ne’er-do-well as mentioned above could demand your bank ID and password, and then it’s the same thing.
 