This design fails from that perspective. It prevents but negatively impacts the critical use case.
You can't design something to be secure some of the time. iPhone is used by millions around the world and needs to provide safety features like this one for every single user all of the time.
 
Screen Time can be easily bypassed due to a bug in passcode reset. Plus, you can do even more damage because it points you straight to the main iCloud password reset (wtf xD). There’s also a 2nd bug in Reset All Settings which also allows changing the iCloud password just by providing the lock screen code.
Hopefully both bugs (imo, these are bugs) will get fixed with 17.3 or at least Face ID will be required to move forward.
 
…. There’s also a 2nd bug in Reset All Settings which also allows changing the iCloud password just by providing the lock screen code.
Like I said, you cannot do Reset All Settings without Face ID or Touch ID since iOS 17.3 beta 2, which was released yesterday, unless you found another way in?
 
Screen time can be easily bypassed due to a bug in passcode reset. Plus, you can do even more damage because it points you straight to main iCloud password reset (wtf xD).
Could you maybe walk through that - I’d like to test it. I rely on screen time to provide additional account and passcode protection in 17.2
Thanks
 
Screen Time protection may be bypassable. How exactly has already been described in this discussion: https://forums.macrumors.com/thread...l-and-apple-cannot-help.2388366/post-32694116

If I understood @P_Watt correctly, then Stolen Device Protection can also be bypassed?
That post by Mike Boreham was from November, before iOS 17.3.

Yes I could bypass it in 17.3 beta 1 with Reset all Settings, but cannot bypass it now in beta 2 as that reset now requires biometrics.
 
Unfortunately I’m not able to check it because I do not install beta software :)
But steps are exactly as Mime described in the other linked topic by you:

1. Screen Time settings > Change Screen Time passcode.

2. Click Forgot Passcode

3. Enter Apple ID email but not password…click forgot Apple ID password

4. Wait 3 seconds

5. This produces a screen asking for iPhone Passcode which thief has. Enter Passcode leads to screen to enter new Apple ID password.
 
OK, it can be prevented (I hope) by:
1. disallowing account changes in Screen Time; that way the Apple ID is harder to see. The My Name panel is grayed out. I also disallow passcode changes.
2. using somebody else’s Apple ID (or no ID) when you save the Screen Time password. I use my wife’s.

As Holmes would say, I have written a small monograph on the subject https://discussions.apple.com/docs/DOC-250007287
 
Hopefully whatever Apple decides on in the end, they don’t forget those folks.
In my opinion they turned their back on them in iOS 15 when they made the Lock Screen passcode the key to the Crown Jewels and sacked the staff who used to deal with forgotten passwords.
 
Yes, I get it. But then you're reliant solely upon a certain piece of hardware to never fail... and nothing better happen to your finger(s) or your face. I don't have the answers, nor am I arguing against this security implementation... I just wonder how you get around such things now.

I have my passwords on a piece of paper in my safe deposit box at the bank. If anything ever happens to me, my family will subsequently have access to my stuff, which is the plan. If I implemented this additional security, it sounds like they'd be locked out of certain things permanently without my face.

What about somebody who is injured on the job and loses the only finger registered to Touch ID. What if somebody has an auto accident where their face went through the windshield? They're bandaged or permanently disfigured. What if these extra security measures were already put in place?

There really is no plan B here? Some kind of AppleID 2FA using the iCloud website and multiple devices?

Yes, as the idea is that with this on, even with the device passcode and the phone, the Apple ID and certain other items are protected.

The feature depends on location. The original article was somewhat lacking in that regard.

According to Apple, it's only when your phone is located away from home. Therefore, I have enabled it.

"When Stolen Device Protection is enabled, some features and actions have additional security requirements when your iPhone is away from familiar locations such as home or work."

https://support.apple.com/en-us/HT212510
 

There was a further update in March or April 2024, which enabled you to choose to have this turned on all the time (regardless of location). I've turned it on so it always needs the one hour delay.
 

@ADrunkenMarcus, when using Stolen Device Protection (SDP) set to "Always," is there a workaround to access protected system settings at a "familiar location" in the event that Face ID fails to operate properly?

For example, if the Face ID sensor develops a hardware problem, how does the owner of the iPhone regain access to the protected system settings in order to perform actions such as changing the device passcode or the Apple ID password? If these settings are protected by SDP "always," and SDP is protected by biometrics, and biometrics are no longer operational - then, what happens?
 

The user would have to wipe the phone and restore from a backup.
 

@Morac, unfortunately, an unauthenticated user is blocked from performing a "wipe the phone" operation by Stolen Device Protection (SDP) - i.e., "Erase all content and settings" and "Reset All Settings" actions are unavailable (see here).

Thus, if SDP is set to "Always" and Face ID is not functional, is the owner of the iPhone permanently prevented from changing any of the security settings protected by SDP - including accessing passwords in Keychain, or changing the iPhone passcode?
 
I have SDP set to always on my 15 Pro. Should Face ID fail, I would enter my phone passcode and have to wait an hour to make any changes.
 

It would require using a computer (either a Mac with Finder or Windows with iTunes) to do a restore. Worst comes to worst, you could do a recovery mode restore - https://support.apple.com/en-asia/118430

There’s nothing blocking you from making a backup, so you can back the phone up, wipe it using a computer and then restore the backup (presumably to a new working iPhone).
 

@Apple_Robert, have you tested this solution?

For example, would you kindly be willing to (1) force Face ID to fail (e.g., by wearing sunglasses or a disguise) while attempting to access a password saved in Keychain at a "familiar location," (2) wait an hour, and (3) see if a prompt appears to enter a passcode in order to circumvent the Face ID failure? My understanding is that "no passcode alternative or fallback" mechanism exists (see here).

Thank you.
 

@Morac, this (very insightful) solution assumes that Stolen Device Protection (SDP) is automatically reset to a disabled state as a consequence of the restore operation. That may be (and hopefully would be) the case, especially since Face ID itself is disabled and needs to be set up anew after restoring a phone from a backup.

Nonetheless, have you had an occasion to test the approach, to verify that it works as expected in practice?
 