Thoughtful, detailed coverage of everything Apple for 33 years
and the TidBITS Content Network for Apple professionals

Apple to Introduce Stolen Device Protection in the Upcoming iOS 17.3

Remember the stellar reporting by the Wall Street Journal’s Joanna Stern and Nicole Nguyen about how thieves could shoulder-surf someone entering their iPhone passcode, snatch the iPhone, and then use the passcode to reset the victim’s Apple ID password? We covered it in “How a Thief with Your iPhone Passcode Can Ruin Your Digital Life” (26 February 2023) and “How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly Permanently” (20 April 2023). The much-shared Screen Time passcode is easily bypassed, so the only practical protections were:

  • Pay attention to your iPhone’s physical security in public.
  • Always use Face ID or Touch ID in public.
  • If you must use your passcode in public, conceal it from anyone nearby.
  • Never share your passcode beyond highly trusted family members.

Even then, the journalists revealed incidents of drugging and assault for which those four principles wouldn’t have helped at all.

Stern and Nguyen are now reporting that Apple has included a new Stolen Device Protection feature in the current beta release of iOS 17.3, which I expect Apple to release to the public in January or February 2024. Stolen Device Protection tries to minimize the potential of passcode theft by relying more heavily on biometric authentication and familiar locations, like your home and work.

With the feature enabled, when you want to change your Apple ID password or add a recovery key (which thieves used to lock victims out of their iCloud accounts), there are no new requirements as long as you’re at what your iPhone believes to be a familiar location (like home or work).

However, when you’re anywhere else, your iPhone will require two Face ID or Touch ID scans an hour apart before completing those actions. Requiring just one biometric authentication blocks the snatch-and-grab approach because the passcode won’t be sufficient on its own to do anything. Requiring the second scan an hour later ensures that even a forced scan during a mugging or drugging won’t be sufficient unless you’ve been held hostage for that time.

One concern is that viewing Settings > Privacy & Security > Location Services > System Services > Significant Locations must also require biometric authentication, or else the thief could go to one of those locations to complete the takeover. In iOS 17.2, viewing that screen requires Face ID or Touch ID, but failures can be overridden with the passcode.

Additional features that require two biometric scans with an hour gap when initiated from an unfamiliar location include changing a trusted phone number or contact, adding another face to Face ID or fingerprint to Touch ID, turning off Face ID or Touch ID, disabling Find My, and turning off Stolen Device Protection.

Another significant impact of passcode theft was that the thief could access the victim’s passwords in iCloud Keychain. If you turn on Stolen Device Protection, that will no longer be possible: accessing passwords will require Face ID or Touch ID authentication. Other features that will require biometric authentication (but not the hour wait) include applying for a new Apple Card, erasing all content and settings, turning off Lost Mode, sending Apple Cash to a bank account, using the iPhone to set up a new device (which copies all the data), and using payment methods saved in Safari. It’s the first time Apple has required Face ID or Touch ID instead of a device passcode to prove one’s identity or intent.
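To make the two tiers concrete, here is a small reference model of the rules exactly as the article describes them. It is an added illustration written for this page, not Apple's code, and every name in it (ProtectionGate, Tier, Decision, securityDelay) is my own. It encodes three points from the text: a passcode alone never satisfies a protected action; delay-tier actions at a familiar location keep their previous requirements; anywhere else a second Face ID or Touch ID scan at least an hour after the first is needed, so one forced scan starts a clock but changes nothing.

```swift
import Foundation

// Added reference model of the Stolen Device Protection rules described above.
// Not Apple's implementation; every name here is an assumption for illustration.

enum Auth { case passcode, biometric }

enum Tier {
    /// Face ID / Touch ID required, no delay (e.g. viewing iCloud Keychain passwords).
    case biometric
    /// Two biometric scans an hour apart when away from a familiar location
    /// (e.g. changing the Apple ID password or adding a recovery key).
    case biometricWithDelay
}

enum Decision: Equatable {
    case allowed
    case denied(reason: String)
    case waitUntil(Date)   // first scan accepted; return after the security delay
}

let securityDelay: TimeInterval = 60 * 60   // one hour, as the article states

final class ProtectionGate {
    /// Time of the first accepted scan for each pending delay-tier action.
    private var firstScan: [String: Date] = [:]

    func request(_ action: String, tier: Tier, auth: Auth,
                 at now: Date, atFamiliarLocation: Bool) -> Decision {
        if tier == .biometricWithDelay && atFamiliarLocation {
            // Familiar location: "no new requirements", so the old behaviour applies.
            return .allowed
        }
        guard auth == .biometric else {
            // A shoulder-surfed passcode is no longer enough for a protected action.
            return .denied(reason: "Face ID or Touch ID required for \(action)")
        }
        switch tier {
        case .biometric:
            return .allowed
        case .biometricWithDelay:
            guard let first = firstScan[action] else {
                // First scan: record it and start the one-hour delay.
                firstScan[action] = now
                return .waitUntil(now.addingTimeInterval(securityDelay))
            }
            if now.timeIntervalSince(first) >= securityDelay {
                firstScan[action] = nil      // consume the pending request
                return .allowed
            }
            return .waitUntil(first.addingTimeInterval(securityDelay))
        }
    }
}

// Scenario walk-through with constructed timestamps.
let gate = ProtectionGate()
let t0 = Date(timeIntervalSince1970: 1_700_000_000)
let change = "change Apple ID password"

// Snatch-and-grab using only the stolen passcode, away from home.
print(gate.request(change, tier: .biometricWithDelay, auth: .passcode,
                   at: t0, atFamiliarLocation: false))
// A single scan, e.g. forced during a mugging, only starts the clock.
print(gate.request(change, tier: .biometricWithDelay, auth: .biometric,
                   at: t0, atFamiliarLocation: false))
// Second scan after 30 minutes: still inside the delay.
print(gate.request(change, tier: .biometricWithDelay, auth: .biometric,
                   at: t0.addingTimeInterval(30 * 60), atFamiliarLocation: false))
// Second scan a full hour after the first.
print(gate.request(change, tier: .biometricWithDelay, auth: .biometric,
                   at: t0.addingTimeInterval(securityDelay), atFamiliarLocation: false))
// Same action at a familiar location: the passcode path still works.
print(gate.request(change, tier: .biometricWithDelay, auth: .passcode,
                   at: t0, atFamiliarLocation: true))
// Viewing saved passwords: biometric needed anywhere, but no waiting period.
print(gate.request("view Keychain passwords", tier: .biometric, auth: .biometric,
                   at: t0, atFamiliarLocation: false))
```

Run as a script (`swift model.swift`), the walk-through prints a denial for the passcode-only attempt, two `waitUntil` results for the first scan and the 30-minute retry, and `allowed` for the scan an hour later, the familiar-location request, and the Keychain view. The model also shows why the concern in the article about Significant Locations matters: the familiar-location check is the only branch in which the passcode still reaches a delay-tier action.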

Apple won’t turn Stolen Device Protection on for you, but iOS 17.3 will alert users to the feature when they update. That seems reasonable for the first release, and I plan to turn it on. I wouldn’t be surprised if a future iOS version were to push it strongly during setup as Apple has increasingly done with other security features, including two-factor authentication for Apple ID accounts (required in nearly all cases now) and Find My (heavily promoted during upgrades if not already enabled).

Why would someone not want to enable Stolen Device Protection? Some people experience poor results with Touch ID—less so with Face ID—so leaving it off needs to be an option for them. I can also imagine it possibly introducing friction while traveling, but that may be a reasonable tradeoff for the increased chance of being robbed while on vacation.

People who avoid biometric authentication because they think biometrics are less secure than passcodes can continue to be wrong. Ironically, they may end up at less risk if the herd immunity of wide adoption of Stolen Device Protection causes thieves to give up on passcode theft as not worth the minimal reward. (It seems like Authentication Lock and Find My had some deterrent effect when introduced years ago.)

I look forward to seeing reports on the impact of Stolen Device Protection on users. Those who spend most of their time in familiar locations probably won’t even notice its additional requirements. The people for whom Stolen Device Protection would be the biggest pain are those who forget their Apple ID password and want to reset it immediately via their device without having to go through a process and an hour wait—although I would wager most people in that scenario are at home or work, thus sidestepping the wait.

Finally, turning on Stolen Device Protection doesn’t prevent a thief from stealing your passcode and your iPhone and then accessing any apps that don’t require an additional PIN or biometric authentication. Make sure to enable such layered authentication in any app that manages money or sensitive information.

And, as I said initially, just don’t use your passcode in public.


Comments About Apple to Introduce Stolen Device Protection in the Upcoming iOS 17.3

Notable Replies

  1. I intend to turn this on. Unfortunately, my wife is still using a 6S. It would be nice if this were added as a security update for older phones. What I’d really like to see is the ability to just brick the phone from another device instead of worrying whether someone figured out a workaround. Turn on Stolen Device, click a box, and the phone is dead. It would be useful if it gets stolen when you’re on vacation, where the odds are you’ll never see it again.

    Will we be able to turn it on from our watch, or do we have to log into a computer or another device?

  2. I seriously doubt that will ever be an option. It’s designed to protect immediately after the iPhone is stolen. A thief in possession of your passcode will have already taken control of it, preventing you from enabling protection from a watch, computer or other device. It needs to be activated before stolen.

  3. While I’m glad that Apple will add this, I would still prefer a step further - do not allow resetting the Apple ID password with the device passcode ever. For me this is similar to advanced data protection, which I have turned on: it would allow me to say it’s now my responsibility to protect my Apple ID.

  4. The balance is between security and usability. People are going to end up forgetting their Apple ID and not being able to recover it if they can’t use the passcode.

    The Stern/WSJ article that started this whole kerfuffle had no good numbers on how often this kind of thing happened (thieves stealing not only the phone but the passcode). It just had a lot of ominously worded statements from police departments, who – as we saw with the NameDrop fiasco – don’t have the greatest tech sense. Absent real evidence that there’s a wave of this going on, I’d rather not have Apple screw the doors shut so tightly that many people have trouble getting in or out.

  5. I agree. But I don’t want the significant location loophole, or the one hour delay, for my account. It could be a third option for advanced users, like me.

    Even if it was something that could only be turned on by calling Apple support - fine with me.

    By the way, the articles included experiences of real people who had their Apple IDs locked out with this technique, one of whom I believe was finally able to get help from Apple to recover the Apple ID.

  6. I realize you’re replying to @ddmiller’s suggestion that there be an option to disable changing the Apple ID password with just the device passcode, but I think it’s worth noting that there were some numbers. In the first article, the Wall Street Journal names five people who shared their stories, and the implication is that they interviewed more who did not appear in the article. The retired NYC police detective said there were “hundreds” of these sorts of crimes in the city in the past two years.

    The second article names two more people and says that the Journal contacted dozens of victims in at least nine US cities.

    Given the difficulty of getting hard data on specific types of crimes, the fact that the Journal could dig up that many people feels to me like it’s happening frequently.

    More generally, I’m not sure the number of people affected matters. Apple is clearly willing to spend vast amounts of money to track down security vulnerabilities that are used by spyware like Pegasus, to implement features like Lockdown Mode and Contact Verification Key, and to subject the entire iPhone user base to iOS updates that do nothing but fix those bugs. How many people are victimized by Pegasus and the like? I’m sure there are no hard numbers on that either, but I doubt it’s large (though the possible number of targets is probably pretty high). The consequences are very high, but they’re pretty high with these passcode thefts too.

    So Stolen Device Protection seems like a great optional feature to add, and I think it would be fine to go further too with the option to block passcode-driven Apple ID password changes as Doug suggests. It would have to be an option and have to clearly inform users that Apple wouldn’t be able to help them recover from a lost password, just as Advanced Data Protection comes with warnings about how Apple won’t be able to help recover data because of the end-to-end encryption.

  7. OK, I see. Once I activate it, it’s on. I misunderstood how it works. Completely makes sense. Thank you.

  8. When I had my iPhone at the Apple Store for a battery replacement, I asked the Genius how many people don’t know their Apple ID and/or password, and he said “A lot.”

  9. I’ll reiterate that I agree with @silbey that there are vastly more people who need the ability to reset their Apple ID with a device passcode than who have their Apple ID stolen in the manner described. It’s an important feature for many people.

  10. Let me amend my original statement – the article has no data that can be checked. The numerical evidence it does have is sourced to police departments (or retired police detectives) asserting things. There’s no way to know if it’s accurate or if it’s genuinely rising. A lot of folks talking about these issues have a vested interest in making the issue look as large as possible, with the result that what they say is not particularly trustworthy.

    It’s about security vs. usability. Apple can lock down the iPhone to be intensely secure but at the larger cost that people are going to lock themselves out and not be able to get back in. That latter isn’t as sexy as “crime wave of organized gangs finagling people’s passcodes and then stealing their phones” but it’s a problem too.

  11. In this climate, Apple giving users an option to protect their devices and their cloud lives is very welcome. It’s not like the cops or the DA are going to put a dent in any of it in the near future. It makes sense entirely to let users not opt in, since for some, remembering an iCloud user/pass apparently is onerous. But to those of us who prefer to memorize a user/pass but otherwise be able to lock down our digital lives, this should be a very welcome addition — in fact, like @ddmiller, I’d prefer an even stronger (“advanced user”) option for myself.

  12. Some edits above to keep the discussion on topic.

    True, but we don’t ask for numbers about how many people are being targeted by Pegasus and the like when Apple introduces other optional features like Lockdown Mode and Contact Key Verification. Apple clearly feels it’s important to protect those high-value targets, and I’m glad that the company is adding this additional optional feature that everyday users can enable—probably with very little inconvenience—to increase their security.

  13. You don’t ask for numbers. I do.

    But yes, I think Apple’s handled this moral panic about as well as they could by making it optional in a way that hopefully won’t impact most users.

  14. Perhaps I should say that I don’t expect solid numbers in scenarios like this. I look for them, but they’re seldom available to people outside the collecting organizations, if they exist at all. And when they are available, it’s often worth questioning whether they’re accurate or not, between data collection limitations and institutional agendas. Lies, damned lies, and statistics… :slight_smile:

  15. Since so much has been made of the passcode problem, why can’t users rely solely on Face ID? Then thieves could not get access via the passcode they saw you use. My iPhone requires the passcode almost every day. I rarely can use Face ID when in a public location. The passcode is such an obvious security threat.

  16. A couple of thoughts…

    Is this going to be a requirement on Macs as well? Or are they considered secure enough that this sort of protection is not needed?

    Will we still be able to change the Apple ID password on our Macs which may not be able to do biometric authentication?

    I have always been amused that when I log in to my Apple ID on a device with two-factor authentication, the alert for the second factor appears on the same device because it is a trusted device. So if someone manages to steal my device and get in with a passcode, they can try to log in to my Apple ID using Safari, and will be asked to verify that it is a genuine login. Does not seem very secure.

    PS. If you put a device in for repair, is the repairer going to be able to access the device?

  17. This sounds like a wonderful feature if Face ID works reliably, but for me it does not. Although I appear to successfully set it up at home, my iPhone 10 does not recognize me and I have to use the passcode. I went to the Genius Bar and it worked for the Genius. They watched while I went through the setup process, and in a quick test it seemed to work. But back home, no luck. If these features were made mandatory I would not be able to use an iPhone. The Genius had no other suggestions.
    I did turn off the Require Attention feature thinking that might make recognition easier, but it didn’t seem to help.

  18. @alanh47gm - Your face doesn’t look like this, does it?

    No wonder it never works!
    /s

  19. Agreed – which is why I have a problem with the original WSJ article. If the data was checkable, I could at least look at the original source and make a partial judgment. The WSJ takes the sensationalist route by not having checkable data but nonetheless taking advantage of our cultural fascination with numbers by invoking vaguely ominous claims.

    One of the effects* of making the physical security of cars much stronger was that car-jackings went up because it was almost impossible to steal a car off the street. I’d rather not duplicate that effect for phones.

    *https://knowablemagazine.org/content/article/society/2023/understanding-carjacking

    An article which, by contrast to the WSJ, does use sources that can be checked.

  20. Numbers or no numbers, rarity of the issue - to me it doesn’t matter. The WSJ articles exposed a potential Apple ID security loophole that I didn’t know about, that I am glad to have heard about, and resulted in at least a better option for those of us who are careful about securing passphrases to our Apple IDs and prefer to close the loophole.

    As for switching purely to biometrics rather than have a device passcode, I think Apple would have to do a lot of reengineering of device security in order to accomplish that, and it would still require some sort of fallback to a device passcode for those of us who cannot use biometrics for some reason. Those people do exist, probably in greater numbers than who fall victim of the Apple ID theft from stolen passcodes. And Face ID sensors fail quite often - you see people complain about this often on message boards like reddit. If the phone relied solely on Face ID and the sensors fail, the phone would become a brick at that point.

  21. Because it’s not perfect, as someone noted below. It works very well for most people, but can’t be the only solution. And, of course, someone could theoretically unlock your iPhone using your face without your permission. (Though of course they could just threaten to hit you until you type in the passcode too.)

    No, it’s iOS only as far as anyone has said so far. Nothing should change on Macs.

  22. Joanna Stern has followed up by interviewing a gentleman who’s spending the next 8 years in a Minnesota slammer for this scheme (apparently in MN, unlike here, crime is still illegal). It’s interesting to hear him describe the mechanics of it and how he turned profits.

    He claims he robbed hundreds (!) of iPhones. His warrant stated $300,000 in damages, but he claims that overall he made $1-2M. This is the work of just one individual. This is by no means a small problem. If somebody were strolling around, beating hundreds of people to get their wallets totalling a couple hundred grand people would be up in arms. I’m glad to see Apple move. I hope they move some more.

    https://www.wsj.com/tech/personal-tech/he-stole-hundreds-of-iphones-and-looted-peoples-life-savings-he-told-us-how-fbd81ab5

  23. That’s quite an alarming video. I’m not a pub or club sort of guy but kids - especially those who imbibe a little too much - seem quite vulnerable.

  24. Again, that was my sense as well. (Though being a trusting young man and drunk at a bar seems to be a rather common risk factor with this individual, and I’m not young and it’s been over 40 years since I was ever that impaired myself, plus I tend to be wary around strangers anyway, so I’m probably not at risk for this. I can’t imagine handing over my unlocked iPhone to a stranger for any reason - I hate doing it with friends and family to be honest.)

    That said: tech journalists like John Gruber and Jason Snell who have inside contacts at Apple report that they are told that the number of people affected by this are greatly dwarfed by the number of people who call support after forgetting their Apple ID password, which many people create when they get their first iPhone and are so rarely prompted for it that they end up forgetting it. The default of giving people the ability to use their iPhone passphrase (which you need to enter at least once a week and is likely much easier to remember) is really the right choice.

  25. I agree. I’m usually all for options. I have no problem with Apple keeping the previous behavior default. Those of us who prefer to keep it more secure at the expense of having to remember the iCloud user/pass get an option to make our digital lives more secure. Everybody wins. I hope in the future Apple might allow an option to lock it down even harder as I’m not convinced the 1-hr delay and location requirement are tough enough.

  26. There is exactly 1 person I would hand my unlocked phone to…outside of my spouse of 47 years, nah…not happening.

  27. This underscores a problem that goes beyond mobile phones - shoulder surfing in general. Lots of scams (especially involving ATM skimmers) involve a person or camera watching you key in a PIN, which is then used to access your accounts after your card is stolen.

    In addition to not entering your lock code where people can see it, be sure to always cover a PIN-pad with your hand while entering the digits for any transaction, whether via a phone, card or any other mechanism. This simple step can prevent quite a lot of common attacks from succeeding.

    Brian Krebs has written a lot of articles about skimmers. Well worth your time to read these.

  28. One of my pet hates is ‘security’ cameras in supermarket self-serve areas which point directly down on the keypad of their EFTPOS terminals. If you don’t cover up when entering your PIN, whoever has access to those cameras could easily get your banking PIN.

    I guess this is a good reason to use Apple Pay and FaceID/TouchID rather than a physical card.

  29. Or tap-to-pay with a credit card.

  30. I’m not sure about the rest of the world but in Australia if it’s over $100 (a decent grocery shop often is) a PIN is required even with tap & go.

  31. Many years ago I started making a habit of covering my fingers with the other hand whenever entering my PIN. It’s simple to do, and once you get used to it, it happens automatically regardless of store, gas station pump, or restaurant/hotel. Once you’re accustomed to making sure you cover, no more need to worry about glances or CCTV.

  32. In the US, there are no such laws. Rules like that are dependent on the terms of the merchant agreement between the store and the bank processing the charges.

    PINs in the US are generally only used for debit cards - with credit cards asking for signatures. But that having been said, I’ve had some stores insist on a signature for trivial Apple Pay purchases, and I’ve had other stores not require a signature even for very large purchases.

  33. I’m sure some merchants have different agreements but the ‘standard’ amount is $100. I can’t remember the last time I was asked for a signature - it would be several years at least, possibly 10 or more.

  34. Even when a tap-to-pay credit card requires a PIN or signature, I still regard it as a more secure payment method than a debit card because there are no direct links to a checking or savings account. As well, most countries have better consumer protections for credit card use than debit card use.

  35. E-banking on the iPhone here where I live is almost standard. Faster and easier than on a Mac. With Face ID you get to your account very fast. Paying bills, selling shares, and transferring money all done in no time.
    Seeing that video was quite a shock.
    I am wondering if there is not a possibility for app developers to implement more security. For example…if Face ID has been deleted and newly set up since the last login, then ask for the password or some other details for verification. Does something like that exist?
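Taking up the question in the last comment: iOS does give app developers a way to notice that Face ID or Touch ID was re-enrolled since the last full login. LAContext exposes `evaluatedPolicyDomainState`, an opaque value that changes whenever the set of enrolled faces or fingerprints changes; an app that records it after a full (password plus second factor) login can compare it on the next launch and demand full credentials again if it differs. The code below is an added example written for this page, not code from TidBITS or from any banking app; the `EnrollmentTokenStore` protocol, the in-memory store standing in for a Keychain-backed one, and the `LoginRequirement` type are my own assumptions.

```swift
import Foundation
import LocalAuthentication

// Added example: require full credentials again when the biometric enrollment
// has changed since the last full login. Not from the page or any real app.

/// Where the app keeps the enrollment token recorded at the last full login.
/// A real app would back this with the Keychain; the in-memory class is a stand-in.
protocol EnrollmentTokenStore {
    func load() -> Data?
    func save(_ token: Data?)
}

final class InMemoryTokenStore: EnrollmentTokenStore {
    private var token: Data?
    func load() -> Data? { token }
    func save(_ token: Data?) { self.token = token }
}

enum LoginRequirement {
    case biometricOnly     // enrollment unchanged since the last full login
    case fullCredentials   // password plus second factor, then re-record the token
}

/// Opaque token that changes whenever the enrolled faces or fingerprints change.
/// The property is only populated after canEvaluatePolicy/evaluatePolicy
/// succeeds on the same context, hence the guard.
func currentEnrollmentToken() -> Data? {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &error) else {
        return nil   // nothing enrolled, biometry locked out, or unavailable
    }
    return context.evaluatedPolicyDomainState
}

/// Decide what the login screen must ask for on this launch.
func loginRequirement(store: EnrollmentTokenStore) -> LoginRequirement {
    guard let stored = store.load(), let current = currentEnrollmentToken() else {
        // First run, or biometrics unusable: never drop to a passcode-only path,
        // since the passcode is exactly what the thief already has.
        return .fullCredentials
    }
    return current == stored ? .biometricOnly : .fullCredentials
}

/// Call only after the user has proven identity with password + second factor.
func recordFullLogin(store: EnrollmentTokenStore) {
    store.save(currentEnrollmentToken())
}

/// Biometric-only path. The ...WithBiometrics policy never falls back to the
/// device passcode by itself; an empty fallback title also hides the fallback
/// button so the prompt offers no passcode-style escape hatch.
func authenticateBiometricOnly(reason: String,
                               completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    context.localizedFallbackTitle = ""
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: reason) { success, _ in
        completion(success)
    }
}

// Launch-time flow sketch.
let store = InMemoryTokenStore()
switch loginRequirement(store: store) {
case .biometricOnly:
    authenticateBiometricOnly(reason: "Unlock your account") { ok in
        print(ok ? "signed in with biometrics" : "biometric check failed")
    }
case .fullCredentials:
    // ...present the password and second-factor screens; on success:
    recordFullLogin(store: store)
}
```

Two practical notes. Persist the token in the Keychain with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` so it never migrates to another device via backup, which would otherwise let a restored copy of the app look "unchanged". And treat the token as a change detector only: a stale or missing value means "ask for everything", never "skip the check", which is the same fail-closed stance the article's feature takes by refusing the passcode for protected actions.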
