Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'

[MVMNT]

This isn't a new issue though, as a passcode is the original unlock method.

The problem is the number of connected services available on these devices since the original device was launched.

(Also an Android issue, let's not be remiss here)

 

[julescilib]

So what's the solution here people ? Under the screen touch id !!??

 

[sk1ski1]

(Also an Android issue, let's not be remiss here)

Not an Android issue. Google requires the current Google password to change the Google password. You can't change the Google password by just using the simple device passcode.

 

[I7guy]

This isn't a new issue though, as a passcode is the original unlock method.

The problem is the number of connected services available on these devices since the original device was launched.

(Also an Android issue, let's not be remiss here)

I dont understand why apple doesn’t enforce the option when a screen time password is setup to use the Apple ID (or not) to unlock the screen time password. If a iPhone user doesn’t want to use the Apple ID to unlock their screen time password the option for forgot password shouldn’t even appear.

And android users it sounds like you are SOL if you forget your google password. One extreme isn’t better than the other.

 

[sk1ski1]

And android users it sounds like you are SOL if you forget your google password. One extreme isn’t better than the other.

You are not SOL on Goggle/android. There are other ways to recover your google password if you forgot it. But none of those ways is by using a simple device passcode.

 

[GuilleA]

...what, exactly, was the point of the 'report'?

"If someone steals your house keys, they could get in your house and take your stuff!" - Joanna Stern later today, probably.

The point is that the passcode has way too much power, and having it gives you the power to change your Apple ID password, which can potentially wreak havoc in your life. Changing the Apple ID password should be more involved, somehow.

 

[dk001]

So what's the solution here people ? Under the screen touch id !!??

Good question.
Asking for the current password when trying to rest your Apple ID password would help. Ask why are 95% of these thefts iPhone and only 5% Android.

 

[I7guy]

You are not SOL on Goggle/android. There are other ways to recover your google password if you forgot it. But none of those ways is by using a simple device passcode.

Let’s discuss the ways if all you have is your phone?

 

[I7guy]

Good question.
Asking for the current password when trying to rest your Apple ID password would help. Ask why are 95% of these thefts iPhone and only 5% Android.

That’s the point. If one forgets their current password the person is SOL? I’m guessing most thefts are iphone due to the popularity of the iPhone.

 

[sk1ski1]

Let’s discuss the ways if all you have is your phone?

You are in far worse shape if you have no way to access any type of device on the internet in 2023.

 

[sk1ski1]

That’s the point. If one forgets their current password the person is SOL? I’m guessing most thefts are iphone due to the popularity of the iPhone.

No the person is not SOL.

 

[MisterSavage]

So what's the solution here people ? Under the screen touch id !!??

Require entering the current iCloud password before changing to a new iCloud password.

Require entering the current iCloud password to see the password database if FaceID fails.

 

[I7guy]

No the person is not SOL.

Seems they are.

 

[I7guy]

You are in far worse shape if you have no way to access any type of device on the internet in 2023.

Going round in circles at this point. Please explain with only an android phone and a forgotten google password what your options are.

 

[sk1ski1]

Seems they are.

Nope

 

[CharlesShaw]

So what's the solution here people ? Under the screen touch id !!??

Whatever the solution ends up being, I’m rolling my own workaround so I’m not afraid to carry my iPhone out of my home.

I backed up, logged out and created a separate Apple ID just for my iPhone (and Apple Watch), no access to to [my] “doomsday” keychain, icloud drive, emails, etc. Apple Pay is only on the Watch, so the phone cannot use the card or see the complete card number. I logged into iMessage on my iPad using the new iPhone ID, but the phone cannot see the iPad in Find My, so that’s good. [The phone can see that the iPad is on the account, and could remove it, which makes sense, but it would only be removing iMessage from the iPad not from its own ID or locking it out from me.] I shared my calendar with the iPhone ID so if that ID were ever lost, I haven’t lost my calendar. I’ll keep a limited version of my contact list on the iPhone, a different set of apps and bookmarks, etc. Tailored to the sort of scenario where someone has access to my phone, like theft, customs agents, being detained by police in a backwoods town, etc.

I currently can’t get Homekit to share access with my iPhone ID, but hoping that gets fixed in 16.4. I also cannot get my Reminders [or Notes] to share, but I use different reminders on my devices anyhow. It’s going to be a “need to know” approach going forward. I don’t need my tax documents on my iPhone.

[If want to use my Apple Card on my Apple Watch (or phone), I would have to close the credit account and re-open it on the iPhone under the new ID. I’ll pass. I can still use the Apple Card online and I have the physical card.]

Luckily, all my iTunes media and Apple subscriptions and purchases are on a secondary Apple ID that cannot have its password changed in Settings if its ONLY logged in under Media & Purchases (if entered for iCloud email, the secondary ID can be messed with like the primary).

 

[sk1ski1]

Going round in circles at this point. Please explain with only an android phone and a forgotten google password what your options are.

No need for me to explain a known fact to you. I don't need to go in circles with you.....again. Just like I proved you wrong about the Screen Time flaw..lol! Go do your own research.

 

[I7guy]

Nope

There’s a rule against one word responses. So sooner or later your post will disappear. But it does help to explain yourself.

 

[sk1ski1]

There’s a rule against one word responses. So sooner or later your post will disappear. But it does help to explain yourself.

Your 3 words are no better.

 

[stradify]

"One can protect against this with Screen Time

Set Screen Time on, protected by a separate PIN. Disallow account changes and passcode changes. Done!"

Henrik,
It's still possible to remove devices from your account by going to Settings>Privacy & Security>Safety Check then going to the Sharing & Access setup. When you reach Step 3 you can remove all devices associated with your Apple ID (except for the iPhone your using).

 

[sk1ski1]

Wow....I opened an Apple security ticket. I explained the security flaw in detail and even suggested a possible solution. They just responded back with the below. Sad! Maybe it will take more people to file security tickets and more media publicity to get this flaw fixed.

We’re unable to identify a security issue in your report.

We reviewed your report and were unable to identify a security issue. If you have new information that you didn’t include in your report, providing it now may allow us to review your report further.

 

[stradify]

sk1,
Not surprised you got that feedback!
Instead try this: https://www.apple.com/feedback/

 

[I7guy]

Wow....I opened an Apple security ticket. I explained the security flaw in detail and even suggested a possible solution. They just responded back with the below. Sad! Maybe it will take more people to file security tickets and more media publicity to get this flaw fixed.

Because apple doesn’t consider changing the Apple ID password when the device password is known a security risk?

 

[sk1ski1]

Because apple doesn’t consider changing the Apple ID password when the device password is known a security risk?

Yes....and security is only as good as its weakest link. As with some other security flaws that took them awhile to acknowledge and fix, I guess this will take more pressure.

 

[I7guy]

Yes....and security is only as good as its weakest link. As with some other security flaws that took them awhile to acknowledge and fix, I guess this will take more pressure.

That’s not the point I was making. According to apple the functionality is working as expected. And in the case where the password is compromised either out of duress or social engineering the software still is working as expected.