This is why when people tell me that Apple is secure, I laugh in their face. Apple has always lagged on security concepts because people are so lazy with letting them do everything for them. If you disable or change any form of login security on my Google Pixel phone, all apps reset themselves to asking for passwords because device security has been changed. Also, the thief will be in a world of hurt trying to change my Google password, since I use a physical security key on the Google account which is required for any account changes like password. They have had this protection for years, and Apple just finally added physical security key protection within the last 6 months.

I have it enabled on my Apple account now even though I don't really use an Apple device anymore. No more prompts on devices to make changes to my Apple account either now, because once you add one, the physical security key is required for all changes.

But because Apple users are not known for being security-centric, an excellent feature just falls by the wayside. Most people can't keep up with the change in their pocket, let alone keep track of FIDO/physical security keys. Just realize that you must be responsible with using the security key route. If you lose your security keys, you are locked out of accounts forever.

Just keep in mind even if you have a physical security key it is NOT required to change the Apple ID password on an unlocked device that was already signed in.

(That surprised me too.) If you have the iPhone passcode (or any Apple device passcode), you have the keys to the kingdom. No security key is needed even if you registered them.

What should really happen is they either require the old password to change to the new one PLUS the passcode, or the physical security key PLUS the passcode. Something you have, something you know: 2 factor.

Right now it's a huge hole, because if you have the passcode to the phone, which is very easy in some cases to get (I've seen many "1111" codes while out, friends etc.), you can have access to their entire iCloud, everything, including resetting Face ID or Touch ID.

Bottom line: make the passcode more difficult and HIDE it when you enter it in public. Never share it.
 
That's what the article said... it can apply to Android too.
For this one, I tried changing my iCloud password on my Mac and iPhone. It required the device passcode (which we assume is already cracked here), but it doesn't ever ask me for my existing iCloud password and only a new password, so yes this is a flaw.

On the Android side, I tried going into the security settings, and just like you do it from the web on a desktop you need to enter your Google account password before tweaking settings like password, 2FA, etc. So like a proper change password prompt, you are required to enter your existing password + a new password. That is the standard at most websites.

Not sure why iCloud password changing doesn't require your CURRENT password.

Tested on Pixel 7 Pro, iPhone 13 Pro, MacBook Pro M1 Pro
 
Apple has made it increasingly hard to use a stolen device, provided that the keys, i.e. the passcode, are secure. If you give someone the keys to your car, they can take your car; if you give someone the PIN to your ATM card, they can take your money.

Not really equivalent. It would be like a thief looking at your PIN, then stealing your debit card and afterwards gaining control of your bank account, your savings account and credit cards, and locking you out of everything without the ability to report the stolen card to the bank.
If this happens in reality, you only lose control of the card and can report it immediately and lock it. Not so with Apple.
 
tl;dr: Shoulder surfing attacks can happen with our phones too. This is why we have Face ID and Touch ID.

Once again: the iPhone and iPad ruined a generation of computer users. Apple has made so many people soft, and they forget basic cybersecurity as they think their phone and Apple will do it all for them.
I disagree with the soft aspect. There are billions of iPhone users who have never known basic cybersecurity in the first place. 95% of those people will implement whatever security Apple leads them to do at setup. The other 5% think they are smarter than Apple or have been influenced by someone thinking this way. They skip this part and suffer because of it.
 
This is why when people tell me that Apple is secure, I laugh in their face. Apple has always lagged on security concepts because people are so lazy with letting them do everything for them. If you disable or change any form of login security on my Google Pixel phone, all apps reset themselves to asking for passwords because device security has been changed. Also, the thief will be in a world of hurt trying to change my Google password, since I use a physical security key on the Google account which is required for any account changes like password. They have had this protection for years, and Apple just finally added physical security key protection within the last 6 months.

I have it enabled on my Apple account now even though I don't really use an Apple device anymore. No more prompts on devices to make changes to my Apple account either now, because once you add one, the physical security key is required for all changes.

But because Apple users are not known for being security-centric, an excellent feature just falls by the wayside. Most people can't keep up with the change in their pocket, let alone keep track of FIDO/physical security keys. Just realize that you must be responsible with using the security key route. If you lose your security keys, you are locked out of accounts forever.

This is inaccurate. You CAN gain COMPLETE control of an account protected with security keys with just the passcode and the device.

All you need to do is go to Settings and click on "Remove Security Keys". The iPhone will not ask for anything else but the passcode.
 
Just keep in mind even if you have a physical security key it is NOT required to change the Apple ID password on an unlocked device that was already signed in.
Thanks for checking this. This is also not what I would expect. So essentially an unlocked device is equivalent to a security key. I would have thought that the security key gives you extra protection. But that does not seem to be the case. Kind of disappointing.
 
For this one, I tried changing my iCloud password on my Mac and iPhone. It required the device passcode (which we assume is already cracked here), but it doesn't ever ask me for my existing iCloud password and only a new password, so yes this is a flaw.

On the Android side, I tried going into the security settings, and just like you do it from the web on a desktop you need to enter your Google account password before tweaking settings like password, 2FA, etc. So like a proper change password prompt, you are required to enter your existing password + a new password. That is the standard at most websites.

Not sure why iCloud password changing doesn't require your CURRENT password.

Tested on Pixel 7 Pro, iPhone 13 Pro, MacBook Pro M1 Pro
Did you try a screen time password? Locks down the phone with a second level.
 
Just keep in mind even if you have a physical security key it is NOT required to change the Apple ID password on an unlocked device that was already signed in.

(That surprised me too.) If you have the iPhone passcode (or any Apple device passcode), you have the keys to the kingdom. No security key is needed even if you registered them.

What should really happen is they either require the old password to change to the new one PLUS the passcode, or the physical security key PLUS the passcode. Something you have, something you know: 2 factor.

Right now it's a huge hole, because if you have the passcode to the phone, which is very easy in some cases to get (I've seen many "1111" codes while out, friends etc.), you can have access to their entire iCloud, everything, including resetting Face ID or Touch ID.

Bottom line: make the passcode more difficult and HIDE it when you enter it in public. Never share it.

Yep, just tried, and wow, what a big security hole that is. On Android you must re-enter, at the minimum, the current Google account password for it to be changed.
 
Thanks for checking this. This is also not what I would expect. So essentially an unlocked device is equivalent to a security key. I would have thought that the security key gives you extra protection. But that does not seem to be the case. Kind of disappointing.

Yep, that is just insane and makes a security key useless with Apple. Which is what I thought Apple has always been: security for show and not even real.
 
Did you try a screen time password? Locks down the phone with a second level.
What's the point of that though? That's just a second password. Seems more like a workaround. I understand what it's doing, but at a fundamental basis, changing a password should require you to enter the existing password. Apple should just change that and we would be far more secure.

I'm not trying to blame Apple here, but I do think a HUGE part of security is the user itself. People continuing to use 1111 PIN codes are really not doing themselves any favors.

The action of requiring a device password for changing a password isn't horrible, but it's quite useless if people's PINs are getting cracked. In my case, since I use alphanumeric, someone grabbing a phone out of my hand can't change the password easily. With that said, being able to access apps, emails, etc. is already a huge pain, and they can probably wreak plenty of havoc that way without ever entering my device password again.
 
This also just in from the editors at Duh News..."If you wear a bacon jacket while hiking you may be attacked by bears"

On the contrary, I found it to be very useful. Yeah, "don't let anyone steal your password" sounds like rather obvious advice, but it hadn't occurred to me exactly how much of a world of hurt you'd be in if the thief also stole your device at the same time.

It's a lot worse than just being hacked or losing your wallet alone. You have a lot less time to compose yourself and shut down all the services you need to shut down, all while not having the exact device you'd be using to make those communications.

It'd be like being hacked while your wallet and computer are also stolen. THAT was the real story.
 
In other words, don’t be an idiot.

You would have to be drunk beyond recognition for Face ID to not recognize your face and request a PIN. If you’re wearing a mask, just look down to unlock.

Why would anyone be entering their PIN in front of other strangers?
I think the real issue here is if you get cornered by a thief pointing a gun at you demanding your phone and passcode, they can literally change your iCloud password without having the existing iCloud password.

This is what happened to my friend a few weeks back, and they accessed all of his data/apps/saved passwords. He wasn't able to lock the phone since it wasn't signed into iCloud anymore.
 
Then we need a duress passcode that lets the iPhone look normal for so many minutes and then totally lock down and broadcast itself as stolen, and will not allow anything vital to be done, or also make it appear it is working but nothing actually happens.
Apple should improve its log-on/off process to address the gap identified in the report, as follows:

At the first instance of any day, logging on to the iPhone should be via passcode. If validated, the next step should be mandatory biometric verification (Face ID or Touch ID). Failing this, the log-on should fail.

In the course of the day, if the iPhone had been powered off, the same process as described above should be implemented to enable use of the iPhone.

In the course of the day, if the iPhone had been turned off but not powered off, enabling the iPhone should only be via the use of biometric check. Passcode verification should be disabled. If biometric check fails, the iPhone is automatically turned off after the user is so informed and the only way to access the phone is to power it on after it's been automatically turned off.
 
What's the point of that though? That's just a second password. Seems more like a workaround. I understand what it's doing, but at a fundamental basis, changing a password should require you to enter the existing password. Apple should just change that and we would be far more secure.

I'm not trying to blame Apple here, but I do think a HUGE part of security is the user itself. People continuing to use 1111 PIN codes are really not doing themselves any favors.

The action of requiring a device password for changing a password isn't horrible, but it's quite useless if people's PINs are getting cracked. In my case, since I use alphanumeric, someone grabbing a phone out of my hand can't change the password easily. With that said, being able to access apps, emails, etc. is already a huge pain, and they can probably wreak plenty of havoc that way without ever entering my device password again.
Yeah, the problem is when you are forced to give up that PIN code at gunpoint; then with Apple devices you are screwed, as that is all that's required to change the Apple account password.
It should require your Apple account password at a minimum to change your password, and if you have two-factor authentication, a secondary password or physical security key as well.
For Android, your device PIN or password can't change your actual Google account password; they require you to log in with your account password at the minimum.
 
Easy way to fix that is to require the old password to change the Apple ID. That's how it's done if you try changing it from the browser. Or desktop, I believe? I can't remember. But that would fix that. Just letting you change it with the passcode shouldn't be all that's needed.
 
I think the real issue here is if you get cornered by a thief pointing a gun at you demanding your phone and passcode, they can literally change your iCloud password without having the existing iCloud password.

This is what happened to my friend a few weeks back, and they accessed all of his data/apps/saved passwords. He wasn't able to lock the phone since it wasn't signed into iCloud anymore.

If you live in a place where such a thing can happen, then it's not Apple's fault. Whether it's a PIN, password, or title to property, they'll get it if your life is threatened.
 
Set a Screen Time PIN
Go to Content & Privacy Restrictions
Disable Account Changes
Disable Passcode Changes

Update: turns out, if the attacker knows the Apple ID you used for recovery of a forgotten Screen Time PIN, they can reset that password via the forgot passcode flow. So, to be more secure, use a different Apple ID (a secondary one you have, or your partner’s).
 
Thieves probably target iPhones because of the easy-to-see large number pad. I've seen many Android users using swipe-to-unlock... and newer Android phones are at least 20% slower compared to newer iPhones. Time is money.
 
Yeah, the problem is when you are forced to give up that PIN code at gunpoint; then with Apple devices you are screwed, as that is all that's required to change the Apple account password.
And in a city with tech-savvy young thieves working in groups, one could conceivably be forced to give up the secondary (Screen Time) password when they immediately check to see if they have access to the settings they need.

I’m glad I read this article and comments on a day when I have the time to make an assessment of what is at risk on my phone and watch and figure out a strategy to minimize my risk. Edit: meaning, I’d like to be able to hand over my unlocked device and walk away unharmed and unworried about my digital security.
 
This is why you should enable Face ID
Under poor lighting conditions — such as in bars — in my personal experience Face ID fails frequently and forces the passcode as a result. With my Touch ID iPhones, I NEVER had that issue. I would be interested to know in how many of these cases the passcode entry was necessitated by a Face ID failure versus a Touch ID failure (for those who still have those older iPhones)…
 