Security Concerns + AppleCare Support (All Devices)

[Black Magic]

I've been thinking about this for some time and was curious about what others thought about some of the practices of the Geniuses at the Apple Stores during support cases. Basically, if you bring in a defective device like an iPhone, many times they ask for you to unlock it then they take it to the back for review. This could be something as simple as dust in the camera lens.

On the Mac side, they want your password for your Apple ID tied to your account. They will also document said password into their systems. Does this not alarm anyone?

When you see events like the "Frappening", kinda makes you wonder. Your thoughts?

 

[I7guy]

How are they going to run diagnostics on a locked phone?

 

[mbaran]

This is not always true. I took my my late-2013 rMBP for battery service.

They did not take my account password (nor would I have given it to them). They returned the device with all data intact and a replaced battery.

 

[iNinja08]

It's not just apple, it's any computer/tech repair outfit. Nothing will prevent shady employees from being shady. There is some level of control a company can offer but there will always be a risk if your peepee is on your phone or computer, it could end up in the wild.

 

[Rigby]

I have only used Apple's service 2 times so far (one time for a Mac and one for a phone), but in both cases I have not been asked for passwords, or even to let them take an unlocked device to the back. And I see absolutely no justification for giving them your Apple ID password and doubt very much that this is company policy at Apple. Just don't do it. For things like testing the camera after removing dust they can bring it back to the front.

 

[metsjetsfan]

I beleive the main reason for unlocking the phone is to prove that the phone is actually yours. Otherwise people can bring in stolen or bought stolen devices.

Dont know about the macbook thing tho

 

[Rigby]

I beleive the main reason for unlocking the phone is to prove that the phone is actually yours. Otherwise people can bring in stolen or bought stolen devices.

If that was the case you could just lock it again before they take it out of your sight.

 

[doboy]

Other option is you can encrypted backup your phone to your computer and wipe it before taking it in for service. It's a pain, but if you need to have your phone serviced...

 

[melman101]

I had to change my password as soon as I got my computer back.

 

[Black Magic]

How are they going to run diagnostics on a locked phone?

I would expect them to do it right in front of me like they done before or you can do it via web where they send you a text message.

 

[Black Magic]

This is not always true. I took my my late-2013 rMBP for battery service.

They did not take my account password (nor would I have given it to them). They returned the device with all data intact and a replaced battery.

Keyword is battery. If you had a memory issue with constant lockups, that would have been another story.

 

[yg17]

Change your PIN or password before you give it to them, change it back when they're done with the repair. Simple solution to the problem

 

[leesweet]

Definitely. I would never give them a password and with the password I have in 1Password, I couldn't. Unlock it and do something for them, sure. People need to get in the frame of mind that these aren't 'phones' any longer, with all the health and other personal data on here.

As was said, if they really need it unlocked and open, be sure to back it up first and then wipe it. But as I've said elsewhere, that would be a lot easier if there was a product that did a complete byte-by-byte backup of your phone you could lay right back down on it when you got it or a replacement back.

 

[Black Magic]

Change your PIN or password before you give it to them, change it back when they're done with the repair. Simple solution to the problem

You haven't thought this through. You unlock it then they take your phone. All the data they will have access too like pictures and such. The safest bet is probably erasing your phone.

On the mac side, having a second hard drive you can pop in that's erased with a support account is doable on devices that alow you to change out that component. otherwise you need to erase that too and have a good backup. Those devices they ship off to a vendor for repair.

 

[CNeufeld]

People need to get in the frame of mind that these aren't 'phones' any longer, with all the health and other personal data on here.

While I understand the concerns about other personal data (pictures of my junk, banking info, etc), what's the concern about your "health" data? How is the number of steps I walked or flights of stairs I climbed a risk to me? Or even my heart rate as I take a poop?

Just asking, because I've noticed a number of people commenting on the health data and Apple's decision to make that part of the encrypted only backup.

C

 

[Rigby]

On the mac side, having a second hard drive you can pop in that's erased with a support account is doable on devices that alow you to change out that component. otherwise you need to erase that too and have a good backup. Those devices they ship off to a vendor for repair.

On a Mac, simply make sure that your HDD is encrypted using Filevault so they can't access your files. If the repair shop needs to run diagnostics with the running computer, they can boot a recovery environment from a USB drive (if you have a firmware password set, you should clear it before handing in the computer, so they can select the boot device on startup).

 

[bradl]

I had to change my password as soon as I got my computer back.

This still won't help you.

Case in point: Option-S when starting your Mac. They boot to another disk, mount your drive (as if it were external), and boom! Access to your data.

This is where FileVault 2 comes in, where your entire drive is encrypted, and can not be unlocked or accessed, even when starting your Mac with another drive acting as the boot device.

this is the same issue that anyone would have, regardless of taking it to the Genius Bar, Applecare+ support, stolen, or otherwise. Changing your password won't matter if your data lies in an unencrypted state on your drive.

BL.

 

[Subwaymac]

99% of people don't have anything of value or information worth taking.

Maybe Hillary could blame her email scandal on an Apple Store employee?

 

[metsjetsfan]

? If you unlock it then its your device what does it matter if you relock it. Yes there are ways around it.

 

[mbaran]

Keyword is battery. If you had a memory issue with constant lockups, that would have been another story.

Wouldn't they use bootable diagnostics? Part of diagnosing a true hardware error is to ensure it's not caused by user install software.

I'm not denying what they may do, but they're not getting my password. I would rather wipe it first and bring it empty.

 

[metsjetsfan]

If that was the case you could just lock it again before they take it out of your sight.

I beleive you can. Just ask. You just need to turn off find my iphone bc of something tondo with activation lock if they mess ur your phone while fixing it.

 

[leesweet]

If it was wiped while it was locked and Find My iPhone was on, it would probably be toast. That's the point of the app, no?

 

[leesweet]

While I understand the concerns about other personal data (pictures of my junk, banking info, etc), what's the concern about your "health" data? How is the number of steps I walked or flights of stairs I climbed a risk to me? Or even my heart rate as I take a poop?

Just asking, because I've noticed a number of people commenting on the health data and Apple's decision to make that part of the encrypted only backup.

C

Beyond the health data, per se, in the health section is birth date and other info that is PII data which could be easily lead to identity theft. As for any personal data, you want to keep it as secure as possible.

 

[Eileen89]

Why do they take it to another room? When my daughters iPhone 5S was having a battery issue last month, the Apple employee ran the diagnostics at the desk right in front of us. He never took her 5S in another room.

 

[Rigby]

While I understand the concerns about other personal data (pictures of my junk, banking info, etc), what's the concern about your "health" data? How is the number of steps I walked or flights of stairs I climbed a risk to me? Or even my heart rate as I take a poop?

If people start using Healthkit to its full extent, there could potentially be a lot more in there, such as medical test results, reproductive health data, as well as your medical ID containing medical conditions etc. Just check out the Health app.

Besides that, an unlocked device may also give access to your private and/or job emails, messages, contacts, call history, location history etc. I think people often underestimate how much potentially sensitive information they have on their devices.

I would never let a stranger take my phone out of my sight while unlocked. When giving it away for longer you'd preferably even shut it down, since that discards the encryption keys for the data protection. In this state it's very difficult to access the stored information , provided you have a reasonably secure passcode (that's why the FBI complained about Apple's device encryption).