How a Thief with Your iPhone Passcode Can Ruin Your Digital Life

This is indeed a bit scary, especially for those of us who also use ApplePay/AppleCash or iCloud Keychain.

I use encrypted notes for some sensitive information. Usually this unlocks with FaceID, but testing that with my wife’s face I see that it also accepts passcode as backup for FaceID. Is there any way to force a different password for those encrypted notes?

I have a longer alphanumeric passcode which certainly makes it safer, but I’m under no illusion that this is entirely sufficient. Indeed, Apple should at the very least require you enter your old iCloud passcode before you can set a new one.

Even then, at the end of the day the underlying vulnerability is that we have all our eggs in a single iPhone/iCloud basket. Sure, I could use 3rd party password managers and such, but that breaks a lot of the elegance of Apple’s highly integrated approach we so much enjoy. Anyway, the easiest and cheapest method will always continue to work:

Source: xkcd

I am continually surprised by how many people store ordinary photos of sensitive documents on their phones without any special protections. I’ve stored that kind of information in 1Password (on my Mac) since long before I got my first iPhone.

Then again, I routinely find myself facepalming at how many people share front-and-back pictures of their credit or gift cards on social media, and later complain about being hacked. Basic personal security, like basic personal finance, really needs to be part of the standard school curriculum.

No, but Settings / Notes / Password and you can set a custom password (which will disable Face ID/Touch ID). I believe you have to unlock and relook notes that already exist with the (new - this started in iOS 16 I believe) biometric unlock method.

As for changing the Apple ID passphrase from the device with the device passcode, it should be mentioned (I don’t believe that Adam’s article does) that the WSJ suggested using a screen time passcode (different PIN from your phone’s PIN, obviously) and in Settings / Screen Time / Content and Privacy Restrictions change “Account Changes” to “Don’t Allow”. This will lock the change password function until you toggle this back on (and you can’t toggle back on without the screen time passcode). (If you make this change you’ll notice that you can no longer access the Apple ID settings at the top of the Settings app.)

Good article.

This trick:

Search in Photos—which can find text in images in the last two releases of Apple’s operating systems—on SSN , TIN , EIN , driver’s license , and passport , along with your actual Social Security and other identification numbers. Also search on Visa , MasterCard , Discover , American Express , and the names of any other credit cards you might have photographed as a backup.

Just today, I was blown away at how good this text recognition is. I was looking for pictures of my power meter (do you just photograph things these days to take a note, too?) by just typing the words “Meter”. Photos successfully pulled up a picture, taken 7 years ago with a handwritten note visible and turned sideways, that had the word “meter” scribbled. Very clever.

Rob

Adam, many thanks for passing this on! I’m about to head off for a business trip in an unfamiliar place, and while I usually use FaceTime to unlock my phone, it’s good to know about this significant security flaw with the passcode. I’ll be very careful if I have to enter it in public.

After reading the WSJ report and the associated article on how to protect your phone, I did what @ddmiller suggests and set up a Screen Time passcode, then disabled Account Changes on my phone. That seems like an easy way to prevent changing the Apple ID password, absent the kind of extortion that the xkcd posted by @Simon shows.

Very interesting, thank you.
I do not use Keychain as a password manager (I use Dashlane) but I see that iCloud Keychain is switched on on my iPhone and Mac. There are over 100 passwords in the Mac’s Keychain Access app many for com.apple.xxxx objects and very few for stuff I recognize. Questions:

1. What functionality do I lose if I switch iCloud Keychain off?
2. What damage could occur if I delete all the passwords in Keychain Access?

I may come in for criticism here but I think all of these security alarums are over the top for the average person.

The average person is much more likely to leave their ($1,000 Supercomputer!) phone on the table in the cafe than they are going to be drugged or mugged in a bar. They do it all the time. That is the prime security vulnerability. Just the other day at Starbucks I saw someone waltz off to the bathroom leaving their laptop and phone on the table. What!?

More so when you’re traveling. Thieves have learned that jet-lagged travelers are kind-of unconscious and are easy marks for a quick motor bike swoop and phone grab.

It’s clear that Apple must eliminate the iPhone passcode validation for an AppleId change and maybe should implement a separate level password for icloud keychain. Those are really bad and it’s surprising they chose to offer them. I’m guessing they’ll change them very quickly.

In the meantime, unless you live in bars and are frequently inebriated I’d wait to make huge, tiresome changes to your password system for a month or so to see what they do.

Oh! And get those ID pictures out of your Photos! Jeez!

Dave

Just searched for my surname in Photos, 196 images.

Some IDs but a lot of snaps taken for functionality as well which could be used, bills, etc.

Another argument for the watch for tap-to-pay. I only ever unlock that in the morning when I put it on.

You are right that this probably isn’t that big a risk for many people, but the WSJ article explained it’s not just being drugged or mugged.

Groups of two or three thieves would go to a bar and befriend victims, often asking them to open up Snapchat or some other social-media platform, said Sgt. Robert Illetschko, the lead investigator on the case. During that interaction they would try to observe the victim unlocking the iPhone with the passcode, he said. If they didn’t catch the passcode at first, they might have tried to get the victim to hand them the phone for a photo and then subtly turn it off before handing it back, he added. After an iPhone is restarted, a passcode is required to unlock it.

“It’s just as simple as watching this person repeatedly punch their passcode into the phone,” said Sgt. Illetschko, adding that sometimes thieves would covertly film victims so they could be sure they caught the correct sequence. “There’s a lot of tricks to get the person to enter the code.”

It sounds like it’s a lot of young, single people socializing who are vulnerable to this sort of attack. But I could see people tourists in foreign countries falling victim to something like that by charming locals in bars, too.

I know that this is a less of an attack that will risk losing your Apple ID, but another attack I’ve read about recently (this pops up on Reddit a lot) are people whose phones are stolen by people on bicycles as they stand on or near a street after unlocking their phones (on the curb, crossing a street, etc.) The thieves are watching for people taking out their phones and unlocking them (maybe to check on the location of their Uber driver, or getting directions, or just unlocking a device). These thieves don’t have the passcode, so some of the risks - draining bank accounts, etc. - may be less likely, but with the phone unlocked they can still scan photos for any personal info, perhaps send themselves money with Venmo, quickly turn off cellular and WiFi (to make tracking by find my impossible), and then just sell the phone for parts, or even sell them to rubes who don’t understand that they are Apple ID locked or IMEI blocked.

The WSJ article strikes me as one where the reporter found an interesting anecdote or set of anecdotes and spun that into a giant trend piece. There’s no actual evidence in the article that this is happening more frequently than it always has, just individual stories and police saying scary things. The focus on Apple fits with that, as it hooks it into the “Look What Apple’s Doing!” genre.

The two specific vectors mentioned are actually substantially different. If you get mugged/drugged/kidnapped, no level of reasonable security is going to help. The criminals will just keep asking for what they need, using (as Simon/XKCD pointed out) a $5 wrench to get it. The 1980s version of this was the ATM breach, where muggers would force people to withdraw money from their accounts at gunpoint. Not much use in having a complicated security setup if you have a muzzle in your face.

If they read your passcode and get your phone, then additional security can help, but it’s a balance. I guarantee that a lot of people are going to end up locked out of iCloud if they need to use a separate password for it. The ATM example is instructive here as well – if people needed to enter multiple different PIN numbers to get to various accounts, it would have caused a fair amount of chaos.

Generally, I’d like to see some evidence that this is actually happening frequently before panic sets in.

As a result of reading the WSJ article, I changed my four-digit iPhone lock code to an alphanumeric password. I rarely take action based on articles in the popular press, for most of the same reasons as some of the more cynical posts in this thread have pointed out (news media exists to sell advertising; disseminating information is at best a secondary goal). However in this case, the scenario of someone shoulder-surfing my fairly simple code and then stealing my phone seemed plausible enough, and the risks high enough, to warrant action. I decided to use the same password as my iCloud account, since this is essentially the same resource, and it is one of the only complex passwords I’ve committed to memory.

And you know what? The few times since making the change where I’ve had to enter that password, it actually feels right. I know that’s not a measurable benefit, but I’m already starting to look back at my four-digit days with a “what was I thinking?” mindset.

Does it require switching to a different screen for the alphabetic characters or is an alphabetic keyboard displayed in addition to the numeric one?

The standard alphanumeric keyboard is automatically displayed if you have a “complex” passcode. Bonus: I discovered testing this before I replied that if the “Enter passcode” prompt is on the screen, and you subsequently put your face in front of the camera, your (obscured) passcode is filled in automatically and the phone unlocks.

A number of digits more than 4 for me and my bride…that way it’s not obvious how many digits are involved…but it’s almost always unlocked via TouchID anyway for us…and we have the erase after 10 tries option enabled as well…although supposedly some of the hardware cracking devices from Israel can get around that IIRC.

Another item that the WSJ covers is how the thieves used access to the phone to create an iCloud Account Recovery Key, if one had not been made, which locked people out of their accounts entirely because they could no longer reset their password on their own.

While it would make sense to generate a recovery key ahead of time to prevent that, I haven’t found any good guidance on how to store it - obviously, if you keep it in Notes, it’s going to be accessible on your device and therefore too accessible if your device is stolen. But I also don’t think I want to print it out and keep it in my desk drawer if I needed to get at it while on a trip.

I keep ours in a secure note in Enpass, synced across all my devices.

I don’t have a very new iPhone, but I lock mine with a SIM PIN, too.

I have mine in 1Password plus recorded in an encrypted disk image on one of my Macs. If you use an encrypted Note using a passphrase (rather than using your device passcode and biometrics to unlock), that would not be readable.

Also, going back to the WSJ recommendations: if you use iCloud Keychain and fall victim to this PIN surfing attack, locking out the ability to change the Apple ID password with a screen time passphrase isn’t much of a protection if the Apple ID passphrase is stored in the iCloud Keychain. They can just log in to the Apple ID with another device, use your phone as a trusted device to approve the new log in, and then change the password there.

The article does point out that using a third party password manager that has a separate passphrase is much more secure.

Perhaps Apple should think about some way to protect iCloud Keychain (with a separate PIN perhaps) that allows unlock with biometrics and times out after a period of time. Perhaps one of the screen time restrictions, so it’s optional and not a default behavior?

Is there a way to lock your phone with you Apple Watch, so if people get your phone, you can lock them out?

You can via “Find Devices” on watch, but the idiotic thing is Lost Mode can be turned off with just the device’s passcode, so if the thieves have that (like in the original WSJ article), this won’t be of much use.

Well that was illuminating. I had no idea of how many of the old undeleted temporary note photos I have on my phone have sensitive data. I found one page of a tax return from a couple of years ago, several hand written passwords, too many sales receipts, accidental screenshots, photos of monitors with more than the window I was aiming at…

But I also discovered that using search won’t find everything. It seems to be better at words than pictures, but I’m still finding plenty that need to be deleted as I look through everything by hand. The worst so far is a screenshot from when I was looking at my Apple Card number. (I have double back tap set to do screenshots, and also the habit of drumming on the phone while doing things. Oops.)

Yeah, I added this yesterday after the initial posting of the article. I played with it a bit and it was so utterly annoying that I can’t see many people seeing it as worth the tradeoff in standard use (but possibly worthwhile for a limited period, such as a trip). I had hoped that it would prompt for the Screen Time passcode when you went to change the Apple ID password, for instance, which would be fine, but instead it blocks all access to all account settings, and the only way to regain access is to disable the Account Changes setting. (After which you’d have to re-enable it again.)

Sure, and I pointed out that physical security is important, but lax physical security just reinforces the need for protecting the passcode even more.

I don’t think there’s any claim in the article that these crimes are happening more frequently in the past, just that the reporters have just now assembled all the stories and technical underpinnings. My conclusion was that law enforcement has only recently started to put all these crimes into the same statistical bucket. It’s possible that the article will cause more police departments to realize what’s happening. As far as numbers, they’re not hard statistics, but the relevant quotes would seem to be these, and while they come from police, I’m not sure where else they could come from.

“Once you get into the phone, it’s like a treasure box,” said Alex Argiro, who investigated a high-profile theft ring as a New York Police Department detective before retiring last fall.
He said there have been hundreds of these sorts of crimes in the city in the past two years. “This is growing,” he said. “It is such an opportunistic crime. Everyone has financial apps.”

Minnesota prosecutors say Mr. Thompson, age 42, was a victim of a theft ring that accumulated nearly $300,000 by stealing iPhones and their passcodes from at least 40 victims.

Similar cases have been reported in Austin, Denver, Boston and London.

Mr. Argiro, the New York City detective who participated in the investigation of Mr. Umberger’s death before retiring in September, said authorities came to believe he was the victim of a group of thieves that target New York bar-goers, launder money via apps and then resell the phones. This particular group is believed to be responsible for more than 30 incidents, he added.

I don’t think this will make any difference to the passcode attacks because it only affects cellular usage and only after a restart or SIM swap. Apple says:

To protect your SIM card from others using it for phone calls or cellular data, you can use a SIM PIN. Then, every time you restart your device or remove the SIM card, your SIM card will automatically lock and you’ll see “Locked SIM” in the status bar.

If you rely on Dashlane, I can’t see that you’d lose any functionality if you turn iCloud Keychain off. And, as long as the passwords you have in iCloud Keychain are also in Dashlane (which was my situation), there’s no harm in deleting them.

Ben Evans on Twitter reminds us of the already existing content and privacy restrictions in "Screen Time " settings that provide a layer of protection to your Apple ID and Passcode.

https://twitter.com/benedictevans/status/1629541926956351488?s=20

The basic steps are:

1. Enable a passcode for Screen Time
   Settings\Screen Time\Screen Time Passcode
   Note - just don’t use the passcode of your device. Also store a copy of the new pin somewhere safe

2. Restrict Access to Passcode
   Settings\Screen Time\Content and Privacy Restrictions\Allow Changes\Passcode Changes\Don’t allow

3. Restrict Access to Apple ID
   Settings\Screen Time\Content and Privacy Restrictions\Allow Changes\Account Changes\Don’t allow

When you implement the changes, the settings for Apple ID and FaceTime (Passcode) will be greyed out.

Workflow.
Whilst “don’t allow” is set you will not be able to access the Apple ID and iCloud settings on you device. The same applies for FaceTime settings.

When you do need access to these areas, just go into Screen Time and adjust the above settings to “allow”.

You will be prompted for your Screen Time PIN when this happens. Also remember to reset this to “Don’t allow” when done.

Future State
It make senses that Apple provides a more elegant approach to managing your system settings on iOS/IPadOS similar to the padlock approach, or better, on the MacBook.

The entire article is framed as if this is a new and increasing threat: cases are “piling up in police stations around the country.” "“This is growing,” he said. “It is such an opportunistic crime. Everyone has financial apps.” There has been a “recent spate of thefts.”

The problem is not using cops for insight, it’s when that is the only insight. The stories & quotes are anecdotal and played for maximum drama, but without any underlying evidence that shows this is a serious and widespread issue.

To give an example of what I mean, both the FBI Crime Data Reporter and the NYPD’s CompStat dashboard show robberies and burglaries down substantially year over year, both nationwide and in NYC.* Does that mean that there couldn’t be a wave of iPhone robberies like in the story? No, but it does make the picture a bit more complex and was something the journalists needed to have included.

*https://cde.ucr.cjis.gov/LATEST/webapp/#/pages/explorer/crime/crime-trend /
NYPD CompStat 2.0

I don’t feel any of this discussion is unwarranted and I don’t sense any “panic” or overt sensationalism. It’s become fashionable these days to discredit sources just because they’re related to LE, but I don’t buy into that. Joanna Stern is, as usual, very serious and points out who is most likely affected by this, ending her segment with concrete steps people can take to protect against such attacks. @ace’s article is very similar and also most appropriately points out what next steps Apple needs to take to limit potential damage from such an attack. I’m very glad the story broke and was treated in the way it has been. I learned something and reconsidered some of my digital habits (even though I’m unlikely part of the “target demographic”). And judging by the replies here, several others have also benefited in similar ways. IMHO this has so far been an excellent exercise in prevention.

As it turns out, there is a way to bypass this - a horrible security bug by Apple in my opinion. Adam, I’ll post the procedure to follow if you want - I’m not sure that it’s a big secret, and I have a strong feeling that people who would be inclined to steal people’s phones already know of this workaround - but if you prefer to keep it off the Discourse, I’ll keep it to myself.

Basically it allows you to change the Apple ID password. You do need to know the Apple ID itself, but that’s generally findable in Settings / App Store, or in the iTunes Store app at the bottom, or just guessing one of the email addresses on the phone itself.

(I have a feeling that this a procedure that kids follow whose parents have put a screen time PIN on their devices to get around restrictions. But, maybe not.)

And I try so hard to avoid being fashionable. In any case, your point is not accurate for my comments since the additional sources I’m suggesting using are both law enforcement.

As to overt sensationalism, the WSJ article absolutely is sensationalizing it. The headlines alone – “A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life: The passcode that unlocks your phone can give thieves access to your money and data; ‘it’s like a treasure box’” – are impressive clickbait.

If you delete everything from iCloud Keychain, nothing, as long as you keep the passwords stored elsewhere so you can still reference them.

If you delete them from Keychain Access (on your Mac) or Passwords (on your iDevice), you’ll probably have issues. Your known Wi-Fi networks passwords are stored there, as are your Mail.app account passwords. Yes, you can also store them in a password manager, but your Mac can’t automatically access those like it can the ones in Keychain, so you’d have to enter them yourself to connect to networks or check email. Also, most of the com.apple.XXXX entries are AppleID tokens for various apps, and will just reappear after you sign back in to your AppleID, so the only thing you get from deleting them is that you have to sign back in.

If you’ve been using iCloud Keychain, many of the entries will be irrelevant to your Mac, as they’re shared from your iDevice(s), and probably can be safely deleted. But don’t delete them from Keychain Access before turning off iCloud Keychain, or they’ll be deleted everywhere, and some of them may be critical on your device.

Generally speaking, unless you know something you see in Keychain Access is risky or outdated, it’s probably best to leave it alone. If it looks suspicious but you don’t know or aren’t sure what it is, Google it before deleting it. (If it looks suspicious and you do know what it is, that’s different.)

EDIT: Be sure to turn off iCloud Keychain before deleting anything from either Keychain Access or Passwords.

Thanks. Everything I need is in a password manager and in a separate password protected file. However, I’ll just leave Keychain as is for now. I have half a century IT experience and do not find this exactly obvious, no wonder inexperienced users get into trouble.

One additional factor to consider in this particular attack vector is the fact that possessing an unlocked iPhone will typically result in the thief having access to both email and SMS. Even without access to a third-party password manager, having access to either / both of those (but especially email) will typically allow for most password reset processes.

I would think to completely avoid the possibility of having financial accounts being accessible from a stolen phone + passcode would involve either not being logged into an email app with an account connected to the related accounts (perhaps only accessing those accounts through an incognito tab), or to use an email app which has a separate authentication (i.e. that doesn’t fall back to the phone passcode) step before emails can be accessed.

Same story for text message authentication — using a Google Voice number only accessed through the web interface would prevent the attacker from being able to successfully reset any passwords that way.

Not directly related to the topic, but the ability to recognize and grab text is quite good lately. Yesterday I took a photo of my home router, at a bad angle, in bad light, and grabbed Japanese text for a light I didn’t recognize and was able to paste it into Google Translate and find out what it meant. Pretty amazing.

doug

I keep credit card and password info in PasswordWallet. Maybe it’s older than 1Password, but I find it quite easy to use to enter passwords when I need it. Syncing between devices sometimes requires a manual sync step though. The developer is quite helpful whenever I have had problems.

Very important:

Apple allows a user to remove or change the screen time passcode using the Apple ID and then mstarting the “forgot pwd “ flow in screen time. Thief must know the Apple ID email which can be obtained if the user has a Family set up (just under iCloud name at the top of settings) or by opening email apps.
At the end the ID gets reseted again with the passcode.

This way locking with screentime is completely useless.

Also using the new hardware keys is useless. I tried it, via screen time , delete screen time code, lost ID, they won’t ask for the keys.

Means at the moment there is no workaround.

Also interesting, if you use the new hardware keys. If you know the device pin , you can just remove the keys. The os won’t ask for the keys or any password.

Didn’t Apple stop this, so that even turning-off the phone doesn’t stop Find My tracking now – as literally doing any of these was stopping the point of the service. Sure I guess if the thief stops cellular service somehow then that’s it (one reason to use eSIM, as that can’t be physically removed), but at least turning the phone off (with the extra battery they keep in reserve), isn’t meant to stop Find My.

Right, for relatively newer phones. (Since iPhone 11 I think?)

But accessing the control center from the lock screen and turning on airplane mode will stop find my from sharing your location (unless the person who has the phone brings it to a place where WiFi will connect.) And the attack I was mentioning - somebody in a crossroad, or a sidewalk, actively using an unlocked phone, stolen from their hand by a passing bicycle or scooter - the phone is unlocked. The thief doesn’t know the passcode, but they can turn on airplane mode, turn off wifi, etc., quite quickly as long as they do so before the device display times out.

If the phone never connects to a network, find my won’t reveal the location. Thankfully these people are protected from this particular attack mentioned in the WSJ - changing the Apple ID from the device - because they don’t know the passphrase.

The discussion is implicitly invoking the “Swiss Cheese” model of security, where there are multiple layers of protection, each with its own holes, but if the holes don’t line up, then one layer will protect against an attack that another layer will let through. The danger is if the holes all line up (as they do with the way Apple uses the passcode).

But it also occurs to me that some layers are more important than others, at least in terms of threat & inconvenience. The first layer is to protect against the phone getting stolen at all. If it doesn’t get stolen, then none of the other risks materialize. That makes it the most important layer to worry about. The second layer, unlocking the phone, is the second most important. If the thief can’t unlock the phone, then all the owner has lost is the phone itself.

I’d rather have Apple (and people) focus on hardening those first two layers than get obsessed with the ones further down. There are ways to do it: have the screen reduce brightness and contrast when you’re entering the passcode to make it harder for people to see from a distance; have the numbers on the screen be randomly scrambled so people can’t “read” your motions when you type them in. Etc.

For people, being aware of using the phone in public is critical. Don’t use it in such a way that you’re vulnerable to having it snatched. Don’t store it in an obvious place that is accessible when you’re not paying attention. Etc. etc.

I know you’re not suggesting these are actually implemented. But I want to point out to anyone who thinks they’re a good idea that either of these would make the phone unusable for a sizeable portion of the population. The most likely effect would be for many people to disable a passcode altogether. What looks like a security improvement might turn out to be the opposite on a population level.

Very good point – as always, Apple would have to balance security vs. usability (and not just general usability, but usability for specific communities).

These could be non-default options for people who might want better security. Advanced Data Protection is an option, and Apple makes it clear when you turn that on that they cannot help you recover the account if you forget the password and lose the recovery keys; why not add an option to prevent resetting the Apple ID from a device with just the passcode from that device? There is, in fact, an option on MacOS to allow or prevent using the Apple ID password to reset the user account password. Why not this level of control on iOS in the Apple ID settings?

Yes, I know that sometimes there seem to be too many options, but after the WSJ article detailing this vulnerability (to losing control of your Apple ID just by a thief knowing the device passphrase), it seems like a worthwhile option to me.

I think because the people who would take advantage of the options are already keeping things extra secure. I’d prefer a simple universal solution that ups the security level for everyone (it even helps those extra secure people because if thieves know that every iPhone is pretty darn secure, it reduces the incentive to steal any iPhone).

Agreed! Another idea I like is trying to avoid asking for the passcode unless the iPhone is in a known location, like Home or Work. Obviously, that won’t work all the time, but anything Apple can do to reduce the likelihood that a passcode is typed in public, the better.

Looks like Apple is planning to block the majority of these problems.