Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'
- Thread starter MacRumors
- Start date
- Sort by reaction score
FaceID is just used to unlock the passkey. The key itself is stored in you iCloud keychain.
I haven't had the opportunity to use it yet. But I strongly suspect that you will be able to unlock your passkeys with your passcode. The same way you can unlock normal passwords stored in your keychain.
Passkeys were not invented by Apple by the way. It's a protocol that is also used by hardware security keys like those you can get from Yubico. You can find the details and other vendors here.
From the FIDO's own site: "When a user is asked to sign-in to an app or website, the user approves the sign-in with the same biometric or PIN that the user has to unlock the device (phone, computer or security key). The app or website can use this mechanism instead of the traditional (and insecure) username and password."
So were right back where we started, I guess. Doesn't seem super secure to me if all someone needs is the unlock device PIN. If all the passwords are just behind an unlock PIN how is this more secure? I'm probably just not understanding something here.
Watched a few people at a concert this past weekend punch in "1111" and "999999" for their PIN codes. I wasn't trying to snoop, but these people were in front of me and it was just so obvious. FaceID should've worked fine here I don't get why people prefer using PINs.
That's why you should use something more than a 6 - 8 digit passcode. Use an alphanumeric passcode with numbers, letters symbols. You shouldn't need to use this 99% of the time and instead rely on TouchID/FaceID for general unlocking of your phone.
I think what people are forgetting is someone not knowing your device passcode is only limited in access for a few things like changing your iCloud password. Someone getting access to your phone as it is unlocked already is already capable of wreaking havoc... I can reset all your passwords basically by having access to your email account.
The iPhone is most secure when locked, and that's why a strong passcode is important.
Once someone has your device AND the passode for your phone, it's game over. Doesn't matter if you used passkeys or passwords.
Under all other circumstances, Passkeys are still preferable to regular passwords. The difference is that Passkeys are technically not phishable. While you could be tricked to put your password into e.g. a fake PayPal website, a passkey would not work on the same fake website.
Yep, that is what the MR security observers have recommended. Let's see what, if anything, Apple comes up with.
Actually I have one correction:
- Screen time password should not be able to changed if the device passcode is used to reset the apple id. Nor should any lists in Notes be reset. Actually if it worked properly you couldn't change the password on the device if a screen time passcode prevented the passcode from being altered. There should be no "forgot apple id" or "forgot Apple password" from the screen time password.
If you care about securing your phone, I strongly encourage my fellow members to turn off all Control Center access when the phone is locked. This will prevent a thief from being able to turn on airplane mode, as well as prevent access to messages, phone calls, and SIRI when the phone is locked, amongst other app abilities.
Turn on Screen Time and toggle allow password changes and account changes to "don't allow."
I realize many like using iCloud Keychain for passwords but, if a bad actor were to gain access to your phone, you don't want to expose iCloud Keychain contents as well. In my opinion, people should forget iCloud Keychain and use a secure vaulted password manager. Doing this will give you the ability to password protect your manager. Some of the password managers offer the ability to erase the on device content after x amount of incorrect password entries.
Any personal sensitive information (including photos) you have stored in iCloud (Files app) should be encrypted. I highly recommend using Cryptomator to secure said information in an innocuous folder.
Get a good privacy screen.
Turn on Screen Time and toggle allow password changes and account changes to "don't allow."
I realize many like using iCloud Keychain for passwords but, if a bad actor were to gain access to your phone, you don't want to expose iCloud Keychain contents as well. In my opinion, people should forget iCloud Keychain and use a secure vaulted password manager. Doing this will give you the ability to password protect your manager. Some of the password managers offer the ability to erase the on device content after x amount of incorrect password entries.
Any personal sensitive information (including photos) you have stored in iCloud (Files app) should be encrypted. I highly recommend using Cryptomator to secure said information in an innocuous folder.
Get a good privacy screen.
I basically just did a few things to my phone and then pretended to be a thief knowing my passcode. My objective was to secure my three main accounts 1) google 2) Microsoft and 3) apple
I did the following:
-I turned on screen time and prevented account changes, passcode changes and changes to location services.
-I made sure my passwords to the three main accounts were not stored in safari, edge, or chrome password managers.
-I made sure to add another phone number a 2FA to my Apple account
-I deleted the Use of Microsoft authenticator app to log me into my Microsoft account, because a thief can make changes to that account with just having my phone.
- I removed my cell number from my Microsoft account, because again the same problem if they use forgot my password (Microsoft seems just as bad as Apple)
-Google was the ONLY smart one in handling this situation…they make you wait 6 hours for a password reset if trying to reset using only 2FAs. Brilliant.
-Added a pin to my OneDrive app.
-Added pins to CashApp and Venmo.
This is a huge security flaw on Apples part tho. I don’t think an Apple ID should be able to be reset with just an iOS pin. Also access to KeyChain should not be accessible with just the pin, rather Face ID or Apple ID password.
Wow. I just tried that and youre correct. That’s crazy.
My thoughts:
1) Convenience and security are but two sides of the same coin. A longer passcode is also more inconvenient for users to key in on a day to day basis. Making it harder to remember may also lead to less secure practices such as writing it down. Which is why many people default to a 4-6 digit passcode, and I don't think that is going to change anytime soon.
2) My understanding of the problem is that it's a social one - people are openly typing their passwords in public, but framing it as such won't make for as engaging a headline because then, it places the blame on the user instead of on Apple. In this case, they really are using their phone wrong. This is another classic case of clickbait headlines by a news outlet to attract clicks and views.
3) I can see why Apple is not able to respond directly to this, because their rebuttal (you are using your phone wrong) would have likely come across as shirking responsibility and victim blaming. But at the end of the day, I don't think Apple did anything wrong or has otherwise been remiss in any way.
4) I can think of another solution - linking your Apple Watch to your iPhone so it can only be unlocked when you are near it. This would be another way of doing away with the need to use a passcode in public (assuming Face ID is not an option for some reason). However, this doesn't extend to passwords for like say, when you are paying with Apple Pay. Perhaps Apple could go one step further here (eg: if I am wearing my Apple Watch and meeting a certain set of criteria, I don't need to key in my passcode for a couple of actions on my phone).
All in all, much ado over nothing.
1) Convenience and security are but two sides of the same coin. A longer passcode is also more inconvenient for users to key in on a day to day basis. Making it harder to remember may also lead to less secure practices such as writing it down. Which is why many people default to a 4-6 digit passcode, and I don't think that is going to change anytime soon.
2) My understanding of the problem is that it's a social one - people are openly typing their passwords in public, but framing it as such won't make for as engaging a headline because then, it places the blame on the user instead of on Apple. In this case, they really are using their phone wrong. This is another classic case of clickbait headlines by a news outlet to attract clicks and views.
3) I can see why Apple is not able to respond directly to this, because their rebuttal (you are using your phone wrong) would have likely come across as shirking responsibility and victim blaming. But at the end of the day, I don't think Apple did anything wrong or has otherwise been remiss in any way.
4) I can think of another solution - linking your Apple Watch to your iPhone so it can only be unlocked when you are near it. This would be another way of doing away with the need to use a passcode in public (assuming Face ID is not an option for some reason). However, this doesn't extend to passwords for like say, when you are paying with Apple Pay. Perhaps Apple could go one step further here (eg: if I am wearing my Apple Watch and meeting a certain set of criteria, I don't need to key in my passcode for a couple of actions on my phone).
All in all, much ado over nothing.
This is exactly correct. Secure a phone so that's it's difficult to change or update things and people won't use it.
Yes, with 2 billion iphones this is a drop in the bucket social engineering scan as that bru-haha years ago about the "hacking into iclould" to get private pictures. Now to apples' credit they added some not so burdensome security measures to make this type of phishing attack more difficult.
I agree. People in this thread want to the iphone so locked down in the event of a lost or misremembered password they would never be able to recover anything.
I agree with some there should be somewhat of a delay on the iphone if you use the device passcode to change the apple id password. What that delay looks like and what it does, I don't know. That's apples job to figure out.
I've been warning about emails for a long time and no one listened... a few posts ago, read it here. This was the 1st thing I mentioned about...
Don't put any cellphone as a method of redefining passwords or recovering accounts, too... you never know when your SMS/number will be compromised. Or worse, make you lose your account (even if it's just the email) forever, thanks to a 2FA badly configured.
Emails are the major backdoors that should have been taken care, yet all these people know is to mention Touch/FaceID, passcodes...
Listen, kids, all this BS isn't going to save you if you keep putting a compromised email account in your device, logged 24/7, regardless of your (email) SOFTWARE having any protection.
If a thief can bypass that protection, then the email account is in his hands, too.
That Apple ID email account needs to be hidden even from you.
Log out from ALL devices and don't associate any with this particular email. And obviously create more email accounts in the same fashion, so you don't lose the main one because you were too lazy to know the importance of a recovery email address.
Aside from all these tips, it's quite clear to me Apple is the one that benefits most from this chaos, if people are losing their phones, they will end up profiting anyway, because the victims will continue buying from them. If they wanted, all these problems would be gone in the next iOS update. Ask yourselves why this never happens.
And I find hard to believe a hacker could not break a 4-digit passcode from Screen Time. If these people are using fake receipts to access iCloud-locked iPhones, bypassing that won't be a FBI task...
100%. Activation Lock is marketed as a feature to deter thieves. Does it deter thieves? Not in the slightest. Thieves either steal more phones to make up for the decreased value of a locked phone, and some make their attacks more sophisticated by doing stuff like this article mentions in an attempt to disable Find My. Its better to have your phone stolen and wiped by the thief than be forced to provide your passcode at knife/gunpoint. Things are now worse. Does Apple not realise this is worse?
So what does Activation Lock do? It prevents perfectly working phones from being used, which makes money for Apple.
Touch ID will be nice but security based on
1. What you have (Physical Security Key)
2. What you know (Passcode)
3. What you are (Face ID and Touch ID)
add Face ID and Touch ID doesnt change anything, thieves can access via passcode. Unless Apple require user to access digital life with Passcode AND Security key.
Bug, Apple should fix this.
You may wonder why this should be considered to be a bug?
1) Try to disable „Find My“ in the Settings. iOS will ask you to enter your AppleID password. This is the correct implementation.
2) Now navigate to Privacy and Security, try to change your AppleID password. iOS now only asks you for your device passcode. This is a faulty implementation, since it conflicts with 1) and undermines the security of your iCloud account.
Apple should fix this. To change the AppleID password, you need to enter the current AppleID password. Problem solved.
You may wonder why this should be considered to be a bug?
1) Try to disable „Find My“ in the Settings. iOS will ask you to enter your AppleID password. This is the correct implementation.
2) Now navigate to Privacy and Security, try to change your AppleID password. iOS now only asks you for your device passcode. This is a faulty implementation, since it conflicts with 1) and undermines the security of your iCloud account.
Apple should fix this. To change the AppleID password, you need to enter the current AppleID password. Problem solved.
It's not a bug, but a deliberate choice by Apple engineers. In my opinion they could keep the way it is working right now but should give more security conscious users a way to improve security. An optional requirement to use a security key to change the password would be one way to do it.
What is your problem with what he wrote? Is it a clever reference to the movie Zoolander?
TidBits has an excellent piece here on the subject…
[/URL]
…including an embedded video which is worth watching.
As the victim in the video notes, once the thief had her iPhone and passcode, within minutes they had gone to Settings on the iPhone, changed her Apple ID password and locked her out of her iCloud.com account.
Here’s my question: at roughly 6’ 50" into the video, the interviewer says the victim was ”unable to access years of contacts, photos, notes and more.”
How is this possible?
You have a computer.
You get an iPhone.
You turn on Sync for your photos/contacts/notes in Settings on your computer.
You turn on Sync for your photos/contacts/notes in Settings on your iPhone.
The photos/contacts/notes are all resident on your computer so how can the victim be unable to access these photos/contacts/notes on her computer or, if she has a backup, on her backup.
Many thanks.
|
…including an embedded video which is worth watching.
As the victim in the video notes, once the thief had her iPhone and passcode, within minutes they had gone to Settings on the iPhone, changed her Apple ID password and locked her out of her iCloud.com account.
Here’s my question: at roughly 6’ 50" into the video, the interviewer says the victim was ”unable to access years of contacts, photos, notes and more.”
How is this possible?
You have a computer.
You get an iPhone.
You turn on Sync for your photos/contacts/notes in Settings on your computer.
You turn on Sync for your photos/contacts/notes in Settings on your iPhone.
The photos/contacts/notes are all resident on your computer so how can the victim be unable to access these photos/contacts/notes on her computer or, if she has a backup, on her backup.
Many thanks.
The victim wasn’t “syncing” local copies with “iTunes” and making back-ups like we did pre-iCloud. Until Saturday, I was doing exactly what the victim was doing: keeping all personal data on one iCloud account that was also logged into iPhone and Mac and locking them out to anyone who didn’t know the account credentials. The victim’s Mac is now a brick unless Apple unlocks it ([edit:
Last edited:
It's not a bug. It's a feature. It's to provide access to your iphone if you forget your apple id. My guess is when Apple designed this the way it is, an armed robbery scenario was what they were not trying to protect the phone against. Maybe they should rethink that scenario. And maybe if they do, people will get hurt when they didn't before.
I do think Apple should do two things though:
- Don't let the screen time password get wiped when the device password is used to reset the appleid. This still could be very inconvnient to the masses. We have no statistics on how many people legitimately have to recover a password using the device password.
- Similar to advance data protection create a mode called advance device protection. When on the apple id can't be reset by the device password. You have to recover your apple id from a trusted device. Of course this doesn't benefit those who only have an iphone. And in this mode you would need another trusted device to turn off advance device protection.
Of course we are doing Apples' requirements gathering in this thread and who knows what Apple will, could or should do.