So one work-around that has been discussed elsewhere is to use Screen Time to disable access to changing the account and the passcode. You can protect Screen Time using a *different* 4-digit passcode. Just be sure to record that new passcode someplace else, off your iPhone, in case you forget it. And *don't* use the option to recover the Screen Time passcode using your Apple ID; otherwise the thief can just recover it and reset it.

The options are in Settings:

Settings -> Screen Time -> Use Screen Time Passcode
When it asks for Screen Time Passcode Recovery, hit the "cancel" button in the upper left corner, then press "Skip" when prompted, "Are you sure?"

Then disable access to the following:

Settings -> Screen Time -> Content & Privacy Restrictions
Passcode Changes: Don't Allow
Account Changes: Don't Allow

EDIT: More details about disabling Apple ID recovery. When you disable Screen Time Passcode Recovery via your Apple ID, the difference is that you can *still* reset the Screen Time passcode; the only issue is that instead of only needing the device passcode, you will be asked for your device's Apple ID password, which theoretically you are not typing in as often in front of strangers in public. So it *should* be more secure.
Totally forgot about this. Yes, it will protect your Apple ID but not Apple Pay if set up. At least you have a fighting chance to erase it.
 
  • Like
Reactions: centauratlas
Ventura-based Macs have the same issue. If you can gain access to the Mac (when someone uses a simple login password, or auto-login), then you can go to iCloud and change the password without macOS EVER asking for what the original iCloud password was.

This is a CRAZY gap by Apple. They are taking the whole concept of a "trusted device" too far. Heck, even if you want to change your local user account password on your Mac you need to know the original password.
 
Turning off any iCloud setting (like Find my iPhone) or resetting the recovery key requires your iCloud password and not just the pin.
True. But you can change the iCloud password on the phone by only providing the passcode. You don't have to know the current password. After that it's game over. You can disable Find My immediately and even remote wipe other connected devices or mess with Apple Pay.
 
  • Like
Reactions: centauratlas
So if Face ID or Touch ID aren't working due to environmental issues then users are supposed to just go without using their phones?
One should be careful and aware. And also not make the edge case the general case.


Looking at your phone or putting your finger on a fingerprint sensor is difficult, for something done as infrequently as resetting one's iCloud password?
This is one way to make things MUCH more difficult. https://forums.macrumors.com/thread...our-entire-digital-life.2381922/post-31992184

You seem to argue just for the sake of arguing.
Says the poster who is arguing. :rolleyes:
 
I'm really surprised by all the negative comments here blaming the victim.

I'm also very surprised that you can change the iCloud password just by knowing the iPhones passcode. Apple needs to think hard how to improve the security in this regard.

To all the apologists, watch the video. It's very balanced reporting with some good tips in the end. The victim actually tried to do the right thing and log into Find My immediately on a friend's phone to prevent further damage. But the thief apparently was very quick to change the iCloud password. She was locked out of her Apple ID for good. And the thief also locked her out of her MacBook remotely.

One important lesson I think is that you should not use iCloud keychain for important passwords. This would have prevented some of the damage.
 
I'm really surprised by all the negative comments here blaming the victim.

I'm also very surprised that you can change the iCloud password just by knowing the iPhones passcode. Apple needs to think hard how to improve the security in this regard.
Someone posted a mitigation and it's called Screen Time password.
[...]watch the video. The victim tried to log into Find My immediately on a friend's phone to prevent further damage. But the thief apparently was very quick to change the iCloud password. She was locked out of her Apple ID for good. And the thief also locked her out of her MacBook remotely.

One important lesson I think is that you should not use iCloud keychain for important passwords. This would have prevented a lot of the damage.
The iPhone does allow a range of customizations from no password to secure with Face ID and Screen Time password. This cuts down the attack vector. If the password is known, Apple Pay is still vulnerable, but the rest of the phone is secured with the Screen Time password. If the password is not known and the phone is ripped from your hands, the Control Center is still accessible but passwords cannot be changed.
 
  • Like
Reactions: centauratlas
It seems that the short 4-digit passcodes are not very secure, so maybe best to use alphanumeric and/or long passcodes (12 or more digits)?
Back in the day before Face ID and Touch ID were even a thing I would refuse to use passcodes, up until MDM policies started cracking down. I get it, but from a convenience standpoint having to enter a PIN was annoying, particularly MDM policies that required 6 - 8 digits. But as more and more things started to be available on the phone, I get the risk of needing to keep your phone secure. Once biometrics became a thing, I also took the opportunity to upgrade my PIN to an alphanumeric passcode with numbers, letters, symbols. Yes, you have to enter it, but it's like once a week max, not a huge deal. I now recommend everyone use an alphanumeric passcode. You're using Face ID/Touch ID for 99% of your unlocks. It's not a big deal to use something more secure.
 
  • Like
Reactions: centauratlas
This is why when people tell me that Apple is secure, I laugh in their face. Apple has always lagged on security concepts because people are so lazy with letting them do everything for them. If you disable or change any form of login security on my Google Pixel phone all apps reset themselves to asking for passwords because device security has been changed. Also, the thief will be in a world of hurt trying to change my Google password since I use a physical security key on the Google account which is required for any account changes like password. They have had this protection for years and Apple just finally added physical security key protection within the last 6 months.

I have it enabled on my Apple account now even though I don't really use an Apple device anymore. No more prompts on devices to make changes to my Apple account either now, because once you add a physical security key, it is required for all changes.

But because Apple users are not known for being security centric, an excellent feature just falls by the wayside. Most people can't keep up with the change in their pocket, let alone keep track of FIDO/physical security keys. Just realize that you must be responsible with using the security key route. If you lose your security keys you are locked out of accounts forever.
 
Ventura-based Macs have the same issue. If you can gain access to the Mac (when someone uses a simple login password, or auto-login), then you can go to iCloud and change the password without Apple EVER asking for what the original iCloud password was.

This is a CRAZY gap by Apple. They are taking the whole concept of a "trusted device" too far. Heck, even if you want to change your local user account password on your Mac you need to know the original password.
Remember the old LOTR saying
One Ring to rule them all, One Ring to find them,
One Ring to bring them all and in the darkness bind them
 
I didn’t read every post but found the article interesting. Had seen it before I ran across this thread.
This situation isn’t just iOS specific. Can also apply to Android.

I personally find it disheartening the number of “It’s not Apple’s fault!” folk here. Kind of expected based on other threads, but still… If nothing else, this should remind people to be aware of your situation and surroundings.
 
This is why you should enable Face ID
As reported in the article: « Even if Face ID or Touch ID is enabled on the iPhone, thieves can simply bypass these authentication methods and an option to input the device's passcode is presented. » So enabling Face ID is not enough. You have to use Face ID exclusively.
 
  • Haha
Reactions: NetMage
I didn’t read every post but found the article interesting. Had seen it before I ran across this thread.
This situation isn’t just iOS specific. Can also apply to Android.
That's what the article said...can apply to android.
I personally find it disheartening the number of “It’s not Apple’s fault!” folk here.
Just as disheartening as the number who criticize Apple. If someone steals your car keys, is Ford at fault if they steal the car?
Kind of expected based on other threads, but still… If nothing else, this should remind people to be aware of your situation and surroundings.
Considering the article didn't mention Screen Time password, which locks down an attack vector, that's a big omission.
 
That's what the article said...can apply to android.

Just as disheartening as the number who criticize Apple. If someone steals your car keys, is Ford at fault if they steal the car?

Considering the article didn't mention Screen Time password, which locks down an attack vector, that's a big omission.

Android was but just briefly at best. 1%? That did surprise me.
 