How a Thief with Your iPhone Passcode Can Ruin Your Digital Life

I don’t feel any of this discussion is unwarranted and I don’t sense any “panic” or overt sensationalism. It’s become fashionable these days to discredit sources just because they’re related to LE, but I don’t buy into that. Joanna Stern is, as usual, very serious and points out who is most likely affected by this, ending her segment with concrete steps people can take to protect against such attacks. @ace’s article is very similar and also most appropriately points out what next steps Apple needs to take to limit potential damage from such an attack. I’m very glad the story broke and was treated in the way it has been. I learned something and reconsidered some of my digital habits (even though I’m unlikely part of the “target demographic”). And judging by the replies here, several others have also benefited in similar ways. IMHO this has so far been an excellent exercise in prevention.


As it turns out, there is a way to bypass this - a horrible security bug by Apple in my opinion. Adam, I’ll post the procedure to follow if you want - I’m not sure that it’s a big secret, and I have a strong feeling that people who would be inclined to steal people’s phones already know of this workaround - but if you prefer to keep it off the Discourse, I’ll keep it to myself.

Basically it allows you to change the Apple ID password. You do need to know the Apple ID itself, but that’s generally findable in Settings / App Store, or in the iTunes Store app at the bottom, or just guessing one of the email addresses on the phone itself.

(I have a feeling that this is a procedure that kids follow whose parents have put a Screen Time PIN on their devices to get around restrictions. But, maybe not.)

And I try so hard to avoid being fashionable. In any case, your point is not accurate for my comments since the additional sources I’m suggesting using are both law enforcement.

As to overt sensationalism, the WSJ article absolutely is sensationalizing it. The headlines alone – “A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life: The passcode that unlocks your phone can give thieves access to your money and data; ‘it’s like a treasure box’” – are impressive clickbait.

If you delete everything from iCloud Keychain, nothing, as long as you keep the passwords stored elsewhere so you can still reference them.

If you delete them from Keychain Access (on your Mac) or Passwords (on your iDevice), you’ll probably have issues. Your known Wi-Fi networks passwords are stored there, as are your Mail.app account passwords. Yes, you can also store them in a password manager, but your Mac can’t automatically access those like it can the ones in Keychain, so you’d have to enter them yourself to connect to networks or check email. Also, most of the com.apple.XXXX entries are AppleID tokens for various apps, and will just reappear after you sign back in to your AppleID, so the only thing you get from deleting them is that you have to sign back in.

If you’ve been using iCloud Keychain, many of the entries will be irrelevant to your Mac, as they’re shared from your iDevice(s), and probably can be safely deleted. But don’t delete them from Keychain Access before turning off iCloud Keychain, or they’ll be deleted everywhere, and some of them may be critical on your device.

Generally speaking, unless you know something you see in Keychain Access is risky or outdated, it’s probably best to leave it alone. If it looks suspicious but you don’t know or aren’t sure what it is, Google it before deleting it. (If it looks suspicious and you do know what it is, that’s different.)

EDIT: Be sure to turn off iCloud Keychain before deleting anything from either Keychain Access or Passwords.

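As an added illustration of the advice in the post above (this is not code from the thread, from Apple, or from any project the thread discusses): a small Python script that parses the attribute dump `security dump-keychain` prints on macOS and sorts each item into the categories the post names, so you can see what would break before you delete anything. The dump below is constructed for the example, the `security` tool itself is never invoked, and the specific service names in the sample (the `com.apple.…` token service, the mail server) are assumptions; the four-character attribute keys (`acct`, `svce`, `srvr`, `desc`, `ptcl`) and the `AirPort` / "AirPort network password" convention for Wi-Fi entries are how macOS actually labels them.

```python
# Triage a macOS keychain dump before deleting anything.
# Added example, not from the original thread or from Apple.
# Run any real deletions only AFTER turning off iCloud Keychain, or they
# propagate to every device signed in to the same Apple ID.
import re
from collections import defaultdict

# Constructed sample in the shape of `security dump-keychain` output.
# Attribute keys are the real four-character names macOS uses; the
# service/server values are invented for this example.
SAMPLE_DUMP = """\
keychain: "/Users/me/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    "acct"<blob>="HomeNetwork5G"
    "desc"<blob>="AirPort network password"
    "svce"<blob>="AirPort"
keychain: "/Users/me/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    "acct"<blob>="me@example.com"
    "ptcl"<uint32>="imap"
    "srvr"<blob>="imap.example.com"
keychain: "/Users/me/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    "acct"<blob>="0123456789"
    "svce"<blob>="com.apple.account.AppleIDAuthentication.token"
keychain: "/Users/me/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    "acct"<blob>="user"
    "svce"<blob>="SomeOldApp Sync"
"""

# One attribute line: four-char key, a type in angle brackets, an optional
# quoted value. Lines with <NULL> values or hex keys simply don't match.
ATTR_RE = re.compile(r'^\s*"(?P<key>\w{4})"<\w+>="?(?P<value>[^"\n]*)"?\s*$')


def parse_dump(text):
    """Return one dict per keychain item: {'class': ..., plus attributes}."""
    items, current = [], None
    for line in text.splitlines():
        if line.startswith("class:"):
            current = {"class": line.split('"')[1]}
            items.append(current)
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                current[m.group("key")] = m.group("value")
    return items


def classify(item):
    """Map an item to the buckets the post describes."""
    svce = item.get("svce", "")
    if item["class"] == "genp" and svce == "AirPort":
        return "wifi"          # Wi-Fi network password: needed to join networks
    if item["class"] == "inet":
        return "internet"      # Mail.app / web credentials: deleting forces re-entry
    if svce.startswith("com.apple."):
        return "apple_token"   # Apple ID token: recreated at the next sign-in
    return "review"            # unknown: look it up before deleting


def triage(text):
    """Group entries by bucket as 'service-or-server (account)' strings."""
    buckets = defaultdict(list)
    for item in parse_dump(text):
        label = item.get("acct", "?")
        where = item.get("svce") or item.get("srvr") or item["class"]
        buckets[classify(item)].append(f"{where} ({label})")
    return dict(buckets)


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_DUMP).items():
        print(f"{bucket}:")
        for entry in entries:
            print("   ", entry)
```

To use it against a real login keychain, pipe `security dump-keychain` into the script instead of `SAMPLE_DUMP`; only the `review` bucket is worth researching, and the `apple_token` bucket is what the post means by entries that just come back after you sign in again.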

Thanks. Everything I need is in a password manager and in a separate password protected file. However, I’ll just leave Keychain as is for now. I have half a century IT experience and do not find this exactly obvious, no wonder inexperienced users get into trouble.

One additional factor to consider in this particular attack vector is the fact that possessing an unlocked iPhone will typically result in the thief having access to both email and SMS. Even without access to a third-party password manager, having access to either / both of those (but especially email) will typically allow for most password reset processes.

I would think to completely avoid the possibility of having financial accounts being accessible from a stolen phone + passcode would involve either not being logged into an email app with an account connected to the related accounts (perhaps only accessing those accounts through an incognito tab), or to use an email app which has a separate authentication (i.e. that doesn’t fall back to the phone passcode) step before emails can be accessed.

Same story for text message authentication — using a Google Voice number only accessed through the web interface would prevent the attacker from being able to successfully reset any passwords that way.


Not directly related to the topic, but the ability to recognize and grab text is quite good lately. Yesterday I took a photo of my home router, at a bad angle, in bad light, and grabbed Japanese text for a light I didn’t recognize and was able to paste it into Google Translate and find out what it meant. Pretty amazing.

doug


I keep credit card and password info in PasswordWallet. Maybe it’s older than 1Password, but I find it quite easy to use to enter passwords when I need it. Syncing between devices sometimes requires a manual sync step though. The developer is quite helpful whenever I have had problems.

Very important:

Apple allows a user to remove or change the Screen Time passcode using the Apple ID and then starting the “forgot passcode” flow in Screen Time. The thief must know the Apple ID email, which can be obtained if the user has a Family set up (just under the iCloud name at the top of Settings) or by opening email apps.
At the end the ID gets reset again with the passcode.

This way, locking with Screen Time is completely useless.

Also, using the new hardware keys is useless. I tried it: via Screen Time, delete the Screen Time code, lost ID, and they won’t ask for the keys.

Meaning at the moment there is no workaround.

Also interesting, if you use the new hardware keys: if you know the device PIN, you can just remove the keys. The OS won’t ask for the keys or any password.

Didn’t Apple stop this, so that even turning off the phone doesn’t stop Find My tracking now, since literally doing any of these was defeating the point of the service? Sure, I guess if the thief stops cellular service somehow then that’s it (one reason to use eSIM, as that can’t be physically removed), but at least turning the phone off (with the extra battery they keep in reserve) isn’t meant to stop Find My.


Right, for relatively newer phones. (Since iPhone 11 I think?)

But accessing the control center from the lock screen and turning on airplane mode will stop find my from sharing your location (unless the person who has the phone brings it to a place where WiFi will connect.) And the attack I was mentioning - somebody in a crossroad, or a sidewalk, actively using an unlocked phone, stolen from their hand by a passing bicycle or scooter - the phone is unlocked. The thief doesn’t know the passcode, but they can turn on airplane mode, turn off wifi, etc., quite quickly as long as they do so before the device display times out.

If the phone never connects to a network, find my won’t reveal the location. Thankfully these people are protected from this particular attack mentioned in the WSJ - changing the Apple ID from the device - because they don’t know the passphrase.


The discussion is implicitly invoking the “Swiss Cheese” model of security, where there are multiple layers of protection, each with its own holes, but if the holes don’t line up, then one layer will protect against an attack that another layer will let through. The danger is if the holes all line up (as they do with the way Apple uses the passcode).

But it also occurs to me that some layers are more important than others, at least in terms of threat & inconvenience. The first layer is to protect against the phone getting stolen at all. If it doesn’t get stolen, then none of the other risks materialize. That makes it the most important layer to worry about. The second layer, unlocking the phone, is the second most important. If the thief can’t unlock the phone, then all the owner has lost is the phone itself.

I’d rather have Apple (and people) focus on hardening those first two layers than get obsessed with the ones further down. There are ways to do it: have the screen reduce brightness and contrast when you’re entering the passcode to make it harder for people to see from a distance; have the numbers on the screen be randomly scrambled so people can’t “read” your motions when you type them in. Etc.

For people, being aware of using the phone in public is critical. Don’t use it in such a way that you’re vulnerable to having it snatched. Don’t store it in an obvious place that is accessible when you’re not paying attention. Etc. etc.


I know you’re not suggesting these are actually implemented. But I want to point out to anyone who thinks they’re a good idea that either of these would make the phone unusable for a sizeable portion of the population. The most likely effect would be for many people to disable a passcode altogether. What looks like a security improvement might turn out to be the opposite on a population level.


Very good point – as always, Apple would have to balance security vs. usability (and not just general usability, but usability for specific communities).


These could be non-default options for people who might want better security. Advanced Data Protection is an option, and Apple makes it clear when you turn that on that they cannot help you recover the account if you forget the password and lose the recovery keys; why not add an option to prevent resetting the Apple ID from a device with just the passcode from that device? There is, in fact, an option on macOS to allow or prevent using the Apple ID password to reset the user account password. Why not this level of control on iOS in the Apple ID settings?

Yes, I know that sometimes there seem to be too many options, but after the WSJ article detailing this vulnerability (to losing control of your Apple ID just by a thief knowing the device passphrase), it seems like a worthwhile option to me.


I think because the people who would take advantage of the options are already keeping things extra secure. I’d prefer a simple universal solution that ups the security level for everyone (it even helps those extra secure people because if thieves know that every iPhone is pretty darn secure, it reduces the incentive to steal any iPhone).

Agreed! Another idea I like is trying to avoid asking for the passcode unless the iPhone is in a known location, like Home or Work. Obviously, that won’t work all the time, but anything Apple can do to reduce the likelihood that a passcode is typed in public, the better.


Looks like Apple is planning to block the majority of these problems.
