Tech reporters Nicole Nguyen and Joanna Stern of the Wall Street Journal are back with a follow-up on their exposé of Apple’s problematic iPhone security design decisions. In the first article, they showed how a shoulder-surfing thief could discover a user’s passcode, steal their iPhone, and change their Apple ID password to disable Find My before making purchases with Apple Pay, accessing passwords in iCloud Keychain, and scanning through Photos for pictures to aid in identity theft (see “How a Thief with Your iPhone Passcode Can Ruin Your Digital Life,” 26 February 2023).
In another article (paywalled) and accompanying video, Nguyen and Stern now explore the ramifications of what happens when a passcode thief changes the user’s Apple ID recovery key, which is again doable with nothing more than the iPhone passcode. In short, the thief can lock the victim out of their iCloud account, possibly permanently, preventing access to precious photos and more. Apple has responded sympathetically but hasn’t helped—or been able to help—users get back into their accounts.
One Recovery Key to Rule Them All
The problem is that once a recovery key has been set or reset, whether by the thief or by anyone else, it becomes the only way back into an Apple ID account whose password has been lost: Apple says it can no longer help through its usual account recovery process. Apple is clear that creating a recovery key shifts responsibility onto the user, and that is an acceptable trade-off for a technically savvy, organized user who chose it.
What’s not acceptable is allowing a thief with nothing more than a stolen iPhone’s passcode to set or reset a recovery key. A user can then be locked out of their account even though they never intended to set a recovery key, or were already managing one securely. The article says:
After Cameron Devine’s iPhone 13 Pro was stolen from a Boston bar in August, the 24-year-old said he spent hours on the phone with Apple customer support trying to regain access to over a decade of data. Each representative told him the same thing: No recovery key, no access. Mr. Devine said he had never heard of the key, let alone set one up.
The article does give another example of a person for whom Apple was able to disable the recovery key, allowing the user to regain access to the account. Although Apple declined to comment on that situation, the user reportedly used some Apple “business services,” suggesting that his iPhone might have been enrolled in device management and thus different from a regular user’s iPhone.
Although I haven’t been able to find a detailed explanation of how the recovery key works in Apple’s Platform Security Guide, my understanding is that it essentially acts as a second copy of a user-managed encryption key that takes over from Apple’s usual account recovery option.
For end-to-end encryption, such as Apple’s Advanced Data Protection for iCloud, the encryption keys must be held by the user rather than by Apple (see “Apple’s Advanced Data Protection Gives You More Keys to iCloud Data,” 8 December 2022). In the Apple world, those keys are generated automatically and stored in the Secure Enclave of the user’s trusted devices, and to guard against their loss, Apple requires anyone turning on Advanced Data Protection to specify account recovery contacts or set a recovery key. That’s necessary because Apple doesn’t hold the encryption keys and thus can’t help a user back into an account whose password has been lost or reset by a thief.
What Apple Can Do to Address This Vulnerability
If my understanding is correct, Apple is not being disingenuous or obstructionist when it comes to helping people who have suffered a passcode and iPhone theft. Once that recovery key is set, the company can do nothing to help—it no longer controls the necessary encryption keys. That’s why I say that users may be locked out of their accounts permanently.
When the Wall Street Journal article talks about how victims attempt to prove ownership of their accounts with various forms of identification, it’s missing the point—identification is not in question; the data is simply inaccessible because it’s encrypted with a key that Apple doesn’t control.
The ultimate fix comes down to reducing the power of the passcode. We’re constantly told that we must create strong, unique passwords, and yet the most important device in many people’s lives is locked with nothing more than a six-digit passcode. Apple could protect users against the more severe ramifications of passcode theft by requiring a second check that the passcode cannot substitute for, such as Face ID or Touch ID with no passcode fallback, before allowing anyone to reset the Apple ID password or the recovery key.
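To make the reasoning in the preceding sections concrete, here is an added Python model of the two recovery paths described above: an escrow copy of the account’s data key that Apple controls, versus a copy wrapped under a user-held recovery key that replaces it, plus the proposed Face ID/Touch ID gate on account changes. This is illustrative code written for this page; it is not Apple’s code and is not taken from the article or from Apple’s Platform Security Guide. The cryptography is a stand-in (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag instead of a real AEAD), the recovery-key alphabet and key derivation are assumptions, and the `biometric_gate` flag models the suggested requirement, not any shipping iOS behaviour. The sample “photo library” bytes are constructed.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

# Assumed recovery-key format: 28 characters from A-Z0-9. The length matches Apple's;
# the alphabet and the derivation below are modelling assumptions, not Apple's design.
RECOVERY_ALPHABET = string.ascii_uppercase + string.digits
RECOVERY_KEY_LEN = 28


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; a stand-in for a real AEAD such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def kek_from_recovery_key(recovery_key: str) -> bytes:
    # Assumed derivation of a key-encrypting key from the recovery key string.
    return hashlib.pbkdf2_hmac("sha256", recovery_key.encode(), b"recovery-key", 10_000)


class Account:
    """An iCloud-style account: one data key, reachable through Apple's escrow copy
    (standard protection) or through a user-held recovery key, never both."""

    def __init__(self, passcode: str, biometric_gate: bool = False):
        self.passcode = passcode
        self.biometric_gate = biometric_gate  # proposed hardening: passcode alone is not enough
        self.data_key = os.urandom(32)
        self._apple_kek = os.urandom(32)      # known only to "Apple"
        self.apple_escrow = encrypt(self._apple_kek, self.data_key)
        self.recovery_wrap: Optional[bytes] = None
        # Constructed sample content standing in for a decade of photos.
        self.photos = encrypt(self.data_key, b"constructed photo library bytes")

    def _authorize(self, passcode: str, biometric_ok: bool) -> None:
        if not hmac.compare_digest(passcode.encode(), self.passcode.encode()):
            raise PermissionError("wrong passcode")
        if self.biometric_gate and not biometric_ok:
            raise PermissionError("account changes require Face ID or Touch ID")

    def set_recovery_key(self, passcode: str, biometric_ok: bool = False) -> str:
        """Set or reset the recovery key. Without the gate, the passcode alone suffices."""
        self._authorize(passcode, biometric_ok)
        rk = "".join(secrets.choice(RECOVERY_ALPHABET) for _ in range(RECOVERY_KEY_LEN))
        self.recovery_wrap = encrypt(kek_from_recovery_key(rk), self.data_key)
        self.apple_escrow = None  # Apple's copy is discarded; support can no longer help
        return rk

    def recover_via_apple(self, identity_verified: bool) -> Optional[bytes]:
        """Apple's support path: proof of identity only helps while an escrow copy exists."""
        if not identity_verified or self.apple_escrow is None:
            return None
        return decrypt(self._apple_kek, self.apple_escrow)

    def recover_via_recovery_key(self, recovery_key: str) -> Optional[bytes]:
        if self.recovery_wrap is None:
            return None
        return decrypt(kek_from_recovery_key(recovery_key), self.recovery_wrap)

    def read_photos(self, data_key: Optional[bytes]) -> Optional[bytes]:
        return decrypt(data_key, self.photos) if data_key else None


def run_scenario(owner_sets_key: bool, biometric_gate: bool) -> dict:
    """Owner may or may not have set a recovery key; the thief knows only the passcode."""
    acct = Account("123456", biometric_gate=biometric_gate)
    owner_rk = acct.set_recovery_key("123456", biometric_ok=True) if owner_sets_key else None
    r = {"apple_can_help_before": acct.read_photos(acct.recover_via_apple(True)) is not None}
    try:
        acct.set_recovery_key("123456", biometric_ok=False)  # thief: passcode, no biometrics
        r["thief_reset_recovery_key"] = True
    except PermissionError:
        r["thief_reset_recovery_key"] = False
    r["apple_can_help_after"] = acct.read_photos(acct.recover_via_apple(True)) is not None
    r["owner_key_works_after"] = (
        owner_rk is not None
        and acct.read_photos(acct.recover_via_recovery_key(owner_rk)) is not None
    )
    return r


if __name__ == "__main__":
    for owner, gate in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"owner_sets_key={owner} biometric_gate={gate}: {run_scenario(owner, gate)}")
```

Running the four cases shows the point: once a recovery key replaces the escrow copy, verifying the owner’s identity changes nothing, because there is no longer any key in Apple’s hands that unwraps the data key, and an owner’s own recovery key stops working the moment the thief resets it. With the biometric gate on, the thief’s reset fails even though the passcode is correct, and whichever recovery path the owner had before the theft still works afterward.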
Saying that is easy, but I’m fully aware that many devils dance in the details. Apple is walking a fine line between strong security and being able to help users who lose access to their accounts. Apple might be weighing the risks to the relatively few people whose passcodes and iPhones are stolen against the problems faced by numerous unsophisticated users who forget their Apple ID passwords and have no other Apple devices. Then again, Apple is willing to inconvenience everyone with frequent security updates for vulnerabilities that might be used against only a few high-value targets. Security is always a balancing act.
What You Can Do to Protect Yourself
For the most part, my advice surrounding passcode protection hasn’t changed from my previous article. In “How a Thief with Your iPhone Passcode Can Ruin Your Digital Life,” I wrote that you should:
- Pay attention to your iPhone’s physical security in public.
- Always use Face ID or Touch ID in public.
- If you must use your passcode in public, conceal it from anyone nearby.
- Never share your passcode beyond highly trusted family members.
Creating a longer alphanumeric passcode, as Nguyen and Stern suggest, could help, but only if it’s sufficiently long and complex that a shoulder surfer couldn’t memorize it. However, such a person could surreptitiously record you entering it and then refer to the video after stealing your iPhone. Recording would make them more conspicuous, but you would also be less aware of your surroundings while tapping in a complex passcode. And none of this protects against an attacker who threatens physical harm unless you reveal your passcode.
The best protection right now is to use Screen Time, as I discussed in my previous article. Enable Screen Time, set a separate four-digit Screen Time passcode, go to Content & Privacy Restrictions, and set Account Changes to Don’t Allow. A thief who knows only your iPhone passcode then can’t easily change your Apple ID password or recovery key without also knowing the Screen Time passcode.
Unfortunately, that restriction works by blocking everyone, including you, from making changes in Settings > Your Name. To change anything yourself, you must first go to Settings > Screen Time > Content & Privacy Restrictions > Account Changes, enter the Screen Time passcode, and select Allow, and then remember to set it back to Don’t Allow once you’re done. If Apple tweaked iOS 17 to prompt for the Screen Time passcode as a secondary check whenever someone opens the blocked options, it would be much easier to recommend.
More problematically, I believe it’s possible to reset the Apple ID password during the process of disabling the Screen Time passcode, thus bypassing Screen Time’s restriction on account changes. Apple reportedly addressed some of this vulnerability in iOS 16.4.1, but I was still able to change my Apple ID password knowing nothing beyond the passcode. My testing wasn’t as complete as I would have liked because I risked locking my Apple ID account for days, but Apple definitely has more work to do here.
There is one final thing you can do to protect your data: make local backups of everything stored in iCloud. Most of the users who lost access to their iCloud accounts were particularly distraught about losing their photos, which is understandable but easily avoidable.
Set Photos on a Mac to download originals, and then make sure that those original images are included in your backup strategy, which should include at least Time Machine and an offsite backup, and preferably also a bootable duplicate. You’ll need sufficient free space for them all; if that’s a problem, you can relocate your Photos Library to an external hard drive.
This backup won’t keep the photos out of the hands of a thief who has taken over your account, but at least you won’t lose your images.
Stay safe out there.