Beating around the bush for the first 70 % of the article about that mystery “basic iPhone feature”. In the end, it’s this:
> Groups of two or three thieves would go to a bar and befriend victims, often asking them to open up Snapchat or some other social-media platform, said Sgt. Robert Illetschko, the lead investigator on the case. During that interaction they would try to observe the victim unlocking the iPhone with the passcode, he said. If they didn’t catch the passcode at first, they might have tried to get the victim to hand them the phone for a photo and then subtly turn it off before handing it back, he added. After an iPhone is restarted, a passcode is required to unlock it.
> “It’s just as simple as watching this person repeatedly punch their passcode into the phone,” said Sgt. Illetschko, adding that sometimes thieves would covertly film victims so they could be sure they caught the correct sequence. “There’s a lot of tricks to get the person to enter the code.”
That isn't exactly fair. While shoulder surfing has been around forever, Apple has made it possible to reset everything -- including changing account recovery codes, thus locking you out of your account forever -- by learning a short PIN.
Also, some comments on the article indicate that this only happens if you enable 2FA. If you don't enable 2FA, iOS demands your account password before making changes. That's a big deal, and something people should know.
There is one very easy thing you can do to break the first step of the attack:
- enable Screen Time
- set a Screen Time password, and make it different from the iPhone password
- use Screen Time to disable making changes to your account
With this the attacker would not be able to go to the step of changing the account password without entering the different Screen Time password.
I wonder why this is not mentioned or recommended, seems kind of obvious. Sure it is a bit inconvenient but you probably very rarely make changes to your account.
> • Enable additional protection. Some apps, such as Venmo, PayPal and Cash App, let you add a passcode. Just don’t use the same one as your iPhone.
> You can also set up a Screen Time passcode for yourself, then enable account restrictions to prevent an Apple ID password change, the way parents do with their kids’ devices. In Settings, go to Screen Time > Content & Privacy Restrictions, then toggle Content & Privacy Restrictions on. If you haven’t already set up Screen Time, you’ll need to choose a passcode. (Again, make it different from your iPhone’s.)
> Scroll down to the Allow Changes section, and where it says Account Changes, select Don’t Allow. Whenever you need to access your iCloud account settings, you’ll have to go to Screen Time and re-enable this.
You can enable restrictions in Screen Time, and not just restrict screen time. You can completely block Siri and dictation, for example, or block account changes like the parent comment said.
> The thief can also often loot the phone’s financial apps since the passcode can unlock access to all the device’s stored passwords.
My multiple banking apps all require me to authenticate again at least with FaceID every single time I use them, with very short timeouts. Which bank’s app can be looted with the phone passcode alone?
This is true for Apple Pay but not in the banking apps; if FaceID fails in the banking app, it asks you to reauthenticate with your mobile bank app credentials.
I just use a real password to unlock the phone, not some lazy 4 digit pin. Yeah, it's a pain on the rare occasion I have to type it, but it's worth it.
If I'm in any sort of situation, I disable facetime by pressing the power button 5 times quickly. This means the next unlock requires the full password.
I also have the phone set to erase itself after 10 failed attempts at this password.
I can also erase it remotely with findmy.
And I never, under any circumstances, let anyone other than myself touch my phone, or any of my computing devices, while they are unlocked. Ever. No exceptions. Even in an emergency situation the people I trust most have no reason to access one of my devices while unlocked. None.
Someone might steal my phone, but they won't get anything beyond the device itself.
Faster way to disable FaceTime is to hold power and volume-up for a few seconds to bring up the power-down interface. You don't need to power down or do anything - once that interface loads, the iPhone will disable FaceTime login.
The iPhone "feature" referenced by the headline is that you can change the AppleID's password knowing only the phone's passcode; no need to enter old password, no 2FA (technically having phone + passcode is 2FA according to Apple), nothing but the passcode. This presumably shields Apple from a torrent of support requests by forgetful users, but seems like a major security hole in the case that someone steals your phone. Once they change your AppleID pw they have EVERYTHING -- FindMy disabled, all other devices forced logged out, photos gone forever, etc.
And once they enable "Recovery Key" on your iCloud account, Apple will never let you back in no matter what you do.
I think the iPhone does not have a fingerprint reader like some high end Samsung Galaxy phones?
Anyway, the iPhone is advertised and considered secure and privacy-conscious compared to Android. It doesn't allow sideloading, stating that security is compromised. Plus it's very expensive compared to other phones. So it's bigger news than it would be for Android phones.
I recently looked for a way to use my Yubikey as my Android screen unlock, and unfortunately it seemed like there is no way to do this.
But then I read the article yesterday about reprogramming the Yubikey to be able to output a static password instead of its normal behavior. I thought, maybe this is a good way to input a super long secure password to unlock a phone.
Is anyone using any unusual or exotic phone unlock security methods?
I'm curious what mitigations against this people would suggest.
- Using a very long passcode? (Harder to shoulder surf)
- Using a third-party password manager instead of keychain (something with its own master password independent of Apple ID); in fact you could store intentionally wrong passwords in keychain as a decoy, heh.
- Configure financial apps to disable passcode authentication, requiring their own password/2FA on every login (this becomes inconvenient though... wonder if they can be configured for FaceID only without passcode auth)
- Some process (doesn't have to run on the phone) for rsyncing iCloud content to another service or NAS.
It is kind of BS though that someone who simply steals your phone and passcode can, with nothing else, completely lock you and all of your other devices out of your iCloud account (including photos and documents) for the rest of your life with no recourse.
The article does a terrible job of burying this important detail.
It only gets a passing mention in the article, but this same method of compromise also exists on Android phones with GMS. Your Google Account's password can be reset with nothing but your phone's passcode. The only way to prevent this is to enable Advanced Protection on your Google Account.
This compromise does not exist in Android. Account password reset process is current password (not lock code) / enter new password / 2FA (which is further locked behind a password or biometrics if you're using Aegis[0] or MS authenticator[1] - although you can opt into lower security at this stage if you're feeling lucky).
Paywalled, but seeing excerpts here, and I’m wondering, how is this an article in the WSJ today? Your passcode can be observed and thieves will try ways to observe it? Is there more to this?
Use the archive link posted elsewhere in this thread to read it. What makes this notable is that the thief can change your AppleID/iCloud password knowing only your passcode and nothing else. Once they do that they own you completely... FindMy gone, all other devices force logged out, all photos gone forever, etc. And Apple will never let you back in.
Sorry, people: My computing pre-dates smart phones. Soooo, the tools and features I use in computing also pre-date. Soooo, I don't have a smart phone or any mobile computer, and a simple glance confirms that a mobile computer brings new computer security issues.
But, I've done some shopping and am about to get a mobile computer. I don't want it. I will be reluctant ever to take it out of my office or home. And I don't want it in my car. I certainly don't want it in a restaurant. In a bar? Gads!!! Hopefully never. I'm pretty safe about a bar -- never been in one!
Yup, mobile computing has become wildly popular, but there are security problems.