I don't know yes or no about resetting the recovery account or password after it’s been set. But my point is that these are edge cases out of billions of devices, not the general case. If someone has your phone and password, yes, it’s a problem; not so much with just the phone.

The same ne’er-do-well as mentioned above could demand your bank ID and password, and then it’s the same thing.
It could be edge cases for sure. But it’s a low-level attack that can have devastating outcomes. Fact remains, Apple needs to fix these security flaws.
 
It could be edge cases for sure. But it’s a low-level attack that can have devastating outcomes. Fact remains, Apple needs to fix these security flaws.
The point is, for Apple to fix these edge cases, IMO, would cause major problems in recovery for iPhone users. It’s up to people to be aware of their surroundings.
 
The point is, for Apple to fix these edge cases, IMO, would cause major problems in recovery for iPhone users. It’s up to people to be aware of their surroundings.
Turning on Apple’s new optional advanced security protection also makes recovery harder. It’s an optional feature. It should also be an optional feature to better protect the Apple ID password. It’s silly that a device passcode can do this much potential damage.

Security is only as good as its weakest link.
 
I have 2FA on, but I actually didn’t try to reset my Apple ID password. Too much headache. The key is never to enter your password with unauthorized prying eyes looking on.
You never know if a camera is watching you somewhere. But yes…better protect yourself when keying it in.
 
Turning on Apple’s new optional advanced security protection also makes recovery harder. It’s an optional feature. It should also be an optional feature to better protect the Apple ID password. It’s silly that a device passcode can do this much potential damage.
Maybe. But a lot of security today is based on what you have and what you know. Frankly a secret question would help.
 
Much modern security is based on what you have and what you know. If someone points a gun at your head and asks for the ATM password and card, unless one takes a ridiculous stance, they can get your money. Same for your house keys and security system password. And same for your phone.
You can also make sure the iPhone is not used as a wallet. For example, don’t use Apple Card; carry credit cards only, not debit cards that can also be used at an ATM. The majority of places you spend money take credit cards; there is no need for cash these days. Make sure financial sites are accessed using passwords not in your keychain. So if the iPhone is stolen, either by brute force, a clever pickpocket, or a drunk at a bar, nothing financial is at risk except cards that can be reported stolen.
 
Maybe. But a lot of security today is based on what you have and what you know. Frankly a secret question would help.
True. But your device passcode is usually less complex than the normal password that you use on other accounts. And you type this passcode in public, where it can be snooped. Your device passcode should not have the capability to lock you out of your Apple ID account that has your entire life.

Security is only as good as its weakest link.
 
When you tested it on your iPhone, did/do you have two-factor authorization on?
Yes. I just changed mine on my iPhone with two-factor on. I realized that I’ve been using the same password for a few years and it’s time to change it. Very simple process that only required my passcode.
 
You can also make sure the iPhone is not used as a wallet. For example, don’t use Apple Card; carry credit cards only, not debit cards that can also be used at an ATM. The majority of places you spend money take credit cards; there is no need for cash these days. Make sure financial sites are accessed using passwords not in your keychain. So if the iPhone is stolen, either by brute force, a clever pickpocket, or a drunk at a bar, nothing financial is at risk except cards that can be reported stolen.

True. But your device passcode is usually less complex than the normal password that you use on other accounts. And you type this passcode in public, where it can be snooped. Your device passcode should not have the capability to lock you out of your Apple ID account that has your entire life.

Security is only as good as its weakest link.
To me, Apple attempts to strike a balance between usability and security. Situational awareness combined with some other simple practices as discussed in this thread could mostly mitigate this type of social engineering attack. Maybe a secret question in resetting your Apple ID would help.

Using a complex, easily rememberable passphrase would also help. But again, Apple allows simple passcodes for those who want it. It’s unknown if Apple could eliminate these types of attacks entirely and still have an iPhone that is usable and recoverable for the masses.
 
Quite a chunk of this article is fear-mongering.

There are security lockouts and delays that prevent someone who gains access to your device from locking you out of your Apple ID.

To those in the comments saying Face ID/Touch ID is more secure than entering a passcode, that's not fully true. Face ID simply enters your passcode for you; it does NOT bypass the passcode entry. That's why you always have to enter your code the first time you unlock after a restart: you have to enter the passcode so it can be stored in the secure enclave for access by Face ID/Touch ID.
Far as I know the passcode isn't stored permanently, that's why you need to know it to change it.

People who use a simple 4-digit passcode (the iOS default is 6) are just plain dumb from a security standpoint. I, personally, use an 8-digit code, which has the advantage of not showing an attacker how many digits the code is, unlike the 4- and 6-digit versions. Write your passcode down someplace at home and never take that code out of the secure location unless needed. Put it someplace with your birth certificate, SS card, etc.

Remember, folks: security isn't about keeping people out permanently; it's to keep people out until the attack can be detected and an intervention is started.

Also, "...All of the victims interviewed said their iPhones were stolen while they were out..."
is just about as stupid as "...All of the crash victims interviewed said their car crashes occurred while they were out..."
 
To me, Apple attempts to strike a balance between usability and security. Situational awareness combined with some other simple practices as discussed in this thread could mostly mitigate this type of social engineering attack. Maybe a secret question in resetting your Apple ID would help.

Using a complex, easily rememberable passphrase would also help. But again, Apple allows simple passcodes for those who want it. It’s unknown if Apple could eliminate these types of attacks entirely and still have an iPhone that is usable and recoverable for the masses.
At the very least, for those who turned on the new YubiKey security, it should be required to have your YubiKey to change the Apple ID password. And Apple’s Keychain unlock should fall back to the Apple ID password instead of the device passcode when Face ID fails.
 
Yes. I just changed mine on my iPhone with two-factor on. I realized that I’ve been using the same password for a few years and it’s time to change it. Very simple process that only required my passcode.
Ok, but you needed to get past 2FA to enter your passcode, right?
 
Ok, but you needed to get past 2FA to enter your passcode, right?
No, because I was using a trusted device that was signed into iCloud and had a passcode enabled.

And after it was changed I was given the option to sign out of all my other devices. The thief in these scenarios would certainly choose that option. [Edit: actually, centauratlas made a good point. They might do worse than just logging you out.]
 
Remember, folks: security isn't about keeping people out permanently; it's to keep people out until the attack can be detected and an intervention is started.
The problem is that this low-level attack, because of Apple’s security flaw, can keep you out of your Apple ID account permanently, before you have a chance to intervene.
 
No, because I was using a trusted device that was signed into iCloud and had a passcode enabled.

And after it was changed I was given the option to sign out of all my other devices. The thief in these scenarios would certainly choose that option.
So for 2FA to be effective, you need to use more than one device to get the code (and not just the one you are using), right? With 2FA on the same device you are using (and no other ones), then you are doomed. True or false?
 
So for 2FA to be effective, you need to use more than one device to get the code (and not just the one you are using), right? With 2FA on the same device you are using (and no other ones), then you are doomed. True or false?
2FA is only used the first time you log into a device (or an untrusted web browser). I’m sure that the publicity from this WSJ article will effect a change to the method of changing an Apple ID password.
 
If iPhone passcodes are that powerful, then Apple should not be encouraging 6-digit ones...

Big props to Joanna Stern. This is a great report, and she is also the person who forced Apple to finally respond to their butterfly keyboard mess. What a legend.
 