How a Thief with Your iPhone Passcode Can Ruin Your Digital Life

Originally published at: How a Thief with Your iPhone Passcode Can Ruin Your Digital Life - TidBITS

The Wall Street Journal reports on a spate of attacks in which iPhone thieves obtain your passcode and then change your Apple ID password, disable Find My, make purchases with Apple Pay, and more. Some attacks are as simple as the miscreants surreptitiously watching you enter your passcode; others involve violence. Read on to learn how to protect yourself.

This is indeed a bit scary, especially for those of us who also use ApplePay/AppleCash or iCloud Keychain.

I use encrypted notes for some sensitive information. Usually this unlocks with FaceID, but testing that with my wife’s face I see that it also accepts passcode as backup for FaceID. Is there any way to force a different password for those encrypted notes?

I have a longer alphanumeric passcode which certainly makes it safer, but I’m under no illusion that this is entirely sufficient. Indeed, Apple should at the very least require you enter your old iCloud passcode before you can set a new one.

Even then, at the end of the day the underlying vulnerability is that we have all our eggs in a single iPhone/iCloud basket. Sure, I could use 3rd party password managers and such, but that breaks a lot of the elegance of Apple’s highly integrated approach we so much enjoy. Anyway, the easiest and cheapest method will always continue to work:

Source: xkcd

I am continually surprised by how many people store ordinary photos of sensitive documents on their phones without any special protections. I’ve stored that kind of information in 1Password (on my Mac) since long before I got my first iPhone.

Then again, I routinely find myself facepalming at how many people share front-and-back pictures of their credit or gift cards on social media, and later complain about being hacked. Basic personal security, like basic personal finance, really needs to be part of the standard school curriculum.

No, but Settings / Notes / Password and you can set a custom password (which will disable Face ID/Touch ID). I believe you have to unlock and relook notes that already exist with the (new - this started in iOS 16 I believe) biometric unlock method.

As for changing the Apple ID passphrase from the device with the device passcode, it should be mentioned (I don’t believe that Adam’s article does) that the WSJ suggested using a screen time passcode (different PIN from your phone’s PIN, obviously) and in Settings / Screen Time / Content and Privacy Restrictions change “Account Changes” to “Don’t Allow”. This will lock the change password function until you toggle this back on (and you can’t toggle back on without the screen time passcode). (If you make this change you’ll notice that you can no longer access the Apple ID settings at the top of the Settings app.)

Good article.

This trick:

Search in Photos—which can find text in images in the last two releases of Apple’s operating systems—on SSN , TIN , EIN , driver’s license , and passport , along with your actual Social Security and other identification numbers. Also search on Visa , MasterCard , Discover , American Express , and the names of any other credit cards you might have photographed as a backup.

Just today, I was blown away at how good this text recognition is. I was looking for pictures of my power meter (do you just photograph things these days to take a note, too?) by just typing the words “Meter”. Photos successfully pulled up a picture, taken 7 years ago with a handwritten note visible and turned sideways, that had the word “meter” scribbled. Very clever.

Rob

Adam, many thanks for passing this on! I’m about to head off for a business trip in an unfamiliar place, and while I usually use FaceTime to unlock my phone, it’s good to know about this significant security flaw with the passcode. I’ll be very careful if I have to enter it in public.

After reading the WSJ report and the associated article on how to protect your phone, I did what @ddmiller suggests and set up a Screen Time passcode, then disabled Account Changes on my phone. That seems like an easy way to prevent changing the Apple ID password, absent the kind of extortion that the xkcd posted by @Simon shows.

Very interesting, thank you.
I do not use Keychain as a password manager (I use Dashlane) but I see that iCloud Keychain is switched on on my iPhone and Mac. There are over 100 passwords in the Mac’s Keychain Access app many for com.apple.xxxx objects and very few for stuff I recognize. Questions:

1. What functionality do I lose if I switch iCloud Keychain off?
2. What damage could occur if I delete all the passwords in Keychain Access?

I may come in for criticism here but I think all of these security alarums are over the top for the average person.

The average person is much more likely to leave their ($1,000 Supercomputer!) phone on the table in the cafe than they are going to be drugged or mugged in a bar. They do it all the time. That is the prime security vulnerability. Just the other day at Starbucks I saw someone waltz off to the bathroom leaving their laptop and phone on the table. What!?

More so when you’re traveling. Thieves have learned that jet-lagged travelers are kind-of unconscious and are easy marks for a quick motor bike swoop and phone grab.

It’s clear that Apple must eliminate the iPhone passcode validation for an AppleId change and maybe should implement a separate level password for icloud keychain. Those are really bad and it’s surprising they chose to offer them. I’m guessing they’ll change them very quickly.

In the meantime, unless you live in bars and are frequently inebriated I’d wait to make huge, tiresome changes to your password system for a month or so to see what they do.

Oh! And get those ID pictures out of your Photos! Jeez!

Dave

Just searched for my surname in Photos, 196 images.

Some IDs but a lot of snaps taken for functionality as well which could be used, bills, etc.

Another argument for the watch for tap-to-pay. I only ever unlock that in the morning when I put it on.

You are right that this probably isn’t that big a risk for many people, but the WSJ article explained it’s not just being drugged or mugged.

Groups of two or three thieves would go to a bar and befriend victims, often asking them to open up Snapchat or some other social-media platform, said Sgt. Robert Illetschko, the lead investigator on the case. During that interaction they would try to observe the victim unlocking the iPhone with the passcode, he said. If they didn’t catch the passcode at first, they might have tried to get the victim to hand them the phone for a photo and then subtly turn it off before handing it back, he added. After an iPhone is restarted, a passcode is required to unlock it.

“It’s just as simple as watching this person repeatedly punch their passcode into the phone,” said Sgt. Illetschko, adding that sometimes thieves would covertly film victims so they could be sure they caught the correct sequence. “There’s a lot of tricks to get the person to enter the code.”

It sounds like it’s a lot of young, single people socializing who are vulnerable to this sort of attack. But I could see people tourists in foreign countries falling victim to something like that by charming locals in bars, too.

I know that this is a less of an attack that will risk losing your Apple ID, but another attack I’ve read about recently (this pops up on Reddit a lot) are people whose phones are stolen by people on bicycles as they stand on or near a street after unlocking their phones (on the curb, crossing a street, etc.) The thieves are watching for people taking out their phones and unlocking them (maybe to check on the location of their Uber driver, or getting directions, or just unlocking a device). These thieves don’t have the passcode, so some of the risks - draining bank accounts, etc. - may be less likely, but with the phone unlocked they can still scan photos for any personal info, perhaps send themselves money with Venmo, quickly turn off cellular and WiFi (to make tracking by find my impossible), and then just sell the phone for parts, or even sell them to rubes who don’t understand that they are Apple ID locked or IMEI blocked.

The WSJ article strikes me as one where the reporter found an interesting anecdote or set of anecdotes and spun that into a giant trend piece. There’s no actual evidence in the article that this is happening more frequently than it always has, just individual stories and police saying scary things. The focus on Apple fits with that, as it hooks it into the “Look What Apple’s Doing!” genre.

The two specific vectors mentioned are actually substantially different. If you get mugged/drugged/kidnapped, no level of reasonable security is going to help. The criminals will just keep asking for what they need, using (as Simon/XKCD pointed out) a $5 wrench to get it. The 1980s version of this was the ATM breach, where muggers would force people to withdraw money from their accounts at gunpoint. Not much use in having a complicated security setup if you have a muzzle in your face.

If they read your passcode and get your phone, then additional security can help, but it’s a balance. I guarantee that a lot of people are going to end up locked out of iCloud if they need to use a separate password for it. The ATM example is instructive here as well – if people needed to enter multiple different PIN numbers to get to various accounts, it would have caused a fair amount of chaos.

Generally, I’d like to see some evidence that this is actually happening frequently before panic sets in.

As a result of reading the WSJ article, I changed my four-digit iPhone lock code to an alphanumeric password. I rarely take action based on articles in the popular press, for most of the same reasons as some of the more cynical posts in this thread have pointed out (news media exists to sell advertising; disseminating information is at best a secondary goal). However in this case, the scenario of someone shoulder-surfing my fairly simple code and then stealing my phone seemed plausible enough, and the risks high enough, to warrant action. I decided to use the same password as my iCloud account, since this is essentially the same resource, and it is one of the only complex passwords I’ve committed to memory.

And you know what? The few times since making the change where I’ve had to enter that password, it actually feels right. I know that’s not a measurable benefit, but I’m already starting to look back at my four-digit days with a “what was I thinking?” mindset.

Does it require switching to a different screen for the alphabetic characters or is an alphabetic keyboard displayed in addition to the numeric one?

The standard alphanumeric keyboard is automatically displayed if you have a “complex” passcode. Bonus: I discovered testing this before I replied that if the “Enter passcode” prompt is on the screen, and you subsequently put your face in front of the camera, your (obscured) passcode is filled in automatically and the phone unlocks.

A number of digits more than 4 for me and my bride…that way it’s not obvious how many digits are involved…but it’s almost always unlocked via TouchID anyway for us…and we have the erase after 10 tries option enabled as well…although supposedly some of the hardware cracking devices from Israel can get around that IIRC.

Another item that the WSJ covers is how the thieves used access to the phone to create an iCloud Account Recovery Key, if one had not been made, which locked people out of their accounts entirely because they could no longer reset their password on their own.

While it would make sense to generate a recovery key ahead of time to prevent that, I haven’t found any good guidance on how to store it - obviously, if you keep it in Notes, it’s going to be accessible on your device and therefore too accessible if your device is stolen. But I also don’t think I want to print it out and keep it in my desk drawer if I needed to get at it while on a trip.

I keep ours in a secure note in Enpass, synced across all my devices.

I don’t have a very new iPhone, but I lock mine with a SIM PIN, too.