April 20, 2023
The Wall Street Journal has been doing the public a favor, highlighting some HUGE security flaws in the Apple eco-system. These are not software bugs; rather, they are poor design choices on Apple's part. The biggest issue is that if a bad guy gets hold of an iPhone and knows the passcode to unlock it, the owner of the phone is totally screwed, despite assorted defenses. Apple made miserable hierarchy choices and an unlocked iPhone gives the person with the phone total control over everything. The assorted defenses that Apple puts forth are just security theater. Directly below are the articles in question and further below is my take on all this.
- A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life by Joanna Stern and Nicole Nguyen. Feb. 24, 2023. The passcode that unlocks your phone can give thieves access to your money and data; 'it’s like a treasure box'
- How to Protect Your iPhone Data From Thieves by Nicole Nguyen and Joanna Stern. Feb. 24, 2023. Strengthen your passcode and use Screen Time controls to keep a predator you meet in real life from hijacking your digital life.
- The iPhone Setting Thieves Use to Lock You Out of Your Apple Account by Nicole Nguyen and Joanna Stern. April 19, 2023. The recovery key was designed to make Apple IDs safer. Instead, these victims permanently lost family photos and other precious digital possessions.
My favorite part of this article is the paragraph that describes how Google does a better job of letting victims back into their account after a bad guy has taken it over. To me, this says that Google is smarter than Apple. Also of particular interest here is that sometimes Apple overrides their systems and gives victims access to their stolen accounts. Sometimes, but not often, and there don't seem to be rules about this.
APPLE'S MISTAKES IN BRIEF
The design mistakes below are critical when someone (assumed to be a bad guy) has your iPhone and knows the code to unlock it.
- The bad guy can change the password to your Apple account. A better system would require the bad guy to first enter the current password, but that is not the way it works. Apple gave priority to convenience rather than security.
- The bad guy can add a Recovery Key to the Apple account which further locks the victim out of their account.
- The bad guy has access to all the passwords stored in the iCloud Keychain. Here again, Apple gave priority to convenience rather than security.
- If you use hardware Security Keys to defend your Apple account from exactly this sort of attack, fuggedaboutit. Apple lets the bad guy remove the Security Keys from your account, rendering them useless. It is as if Apple wanted the headlines for good security, but not the hassle of dealing with actual good security.
It looks like Apple is not even trying, when it comes to making all the pieces of their eco-system fit together well.
The biggest defense is buried deep in the System Settings. It is a small minor throw-away option of Screen Time, the feature designed for adults to limit what children can do. Turns out it can also limit what a bad guy who stole your phone can do.
The steps to set up Screen Time depend on whether you're using Family Sharing or not. It is best to check the documentation from Apple:
Use Screen Time on your iPhone, iPad, or iPod touch (Published September 2022 and not revised). My cheat sheet below is from iOS version 16.4.1, which was current as of April 2023. It was verified on an iPad; I don't have an iPhone. This is much more detailed than the explanation provided in the WSJ articles.
- Settings -> Screen Time. If Screen Time is on, it will say "turn off Screen Time" in red. If Screen Time is off, it will say "turn on Screen Time" in blue.
- When you first turn on Screen Time, the system will ask if the device is for yourself or your child. I said it was for myself.
- Screen Time does not require a password/passcode but it is critical that there be one, so click on "use screen time passcode".
- The Screen Time password gets no respect: it is limited to 4 digits. The two important things about this password are that it differs from the passcode to unlock an iOS device and that you never forget it.
- After picking a Screen Time password, you are asked about Screen Time passcode recovery. If you forget the Screen Time passcode, then you can use your Apple ID to reset it. I am no expert in the Apple eco-system but this strikes me as a bad idea since we are using Screen Time to block a bad guy who has access to our account. If you trust Apple, then enter both your Apple ID and password here. If you are willing to remember the Screen Time password and never lose it, then you can skip this step by first selecting "Cancel" and then
- Now that Screen Time is enabled, we have to configure it to do something useful. Go to Content & Privacy Restrictions and toggle it on.
- For the light at the end of this tunnel, go to the Account Changes option and select Don't Allow.
- FYI: There is another option in the Content & Privacy Restrictions section called "passcode changes". Which passcode? It does not say.
Again, it is very important that you not lose the Screen Time password. Write it down in two places, tell a friend, save it in a non-iOS password manager. Whatever you do with your Citibank password, do the same with this.
FYI: Documentation from Apple on the many options in Screen Time is here: Use parental controls on your child's iPhone, iPad, and iPod touch (Published September 2022 and not revised).
There are many things an iPhone user can do to both prevent a bad guy from learning their passcode and minimize the damage that a bad guy with the passcode can inflict. This is a whole blog in and of itself and I have much more on this on the iOS page of my Defensive Computing site. Below is a sampling.
- Use Face ID in public. In addition to the obvious advantage of not having a passcode to spy on, it also does not unlock all the phone features. A passcode, in contrast, gives the user full access to everything on the phone. In addition, turn on the Attention Detection for Face ID option (Settings -> Face ID & Passcode) to prevent a victim who was drugged from being able to unlock the phone with their face.
- Use a longer passcode so that it is harder to observe over your shoulder. Better yet, use an alphanumeric passcode. When in public, cover the phone with one hand when entering the passcode. Treat it like an ATM PIN code.
- Maybe the thief missed one character or digit of the unlocking passcode. If so, they will have to guess a bit. You can set an iOS device to erase all data after 10 failed attempts to enter the passcode.
- To prevent full identity theft by someone who gains access to your Apple ID, do not store photos of your driver's license or passport in iCloud. One place to store secure copies of these photos is in a third-party (not from Apple) password manager.
- Do not use the iCloud Keychain feature to save your passwords because a bad guy with your unlocked phone has access to these passwords.
- The Locked Notes feature of iOS protects both text-based notes and pictures attached to the notes. The cost for this protection is yet another password, one that needs to be different from the passcode to unlock the phone to be of any use. Treat it like the Screen Time password in terms of saving it and securing it, but don't make it the same as the Screen Time password. All Locked Notes share one password.
Can Apple be shamed into doing better? Time will tell. When I exposed their miserable VPN practices, they could not be shamed into doing better. But, I am not the Wall Street Journal.
My suggestion: any change to an Apple ID password should be delayed for 10 hours (give or take). In the case of a stolen phone this would give the victim time to report the theft.
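To make the suggestion concrete, here is a small model of a delayed password change. It is an added example, not anything from Apple or the WSJ articles; the `Account` class, its method names and the credential strings are all hypothetical, and the timeline is constructed.

```python
from datetime import datetime, timedelta

DELAY = timedelta(hours=10)  # the delay suggested in the text, not an Apple value

class Account:
    """Hypothetical account model; credentials are opaque stand-in strings."""

    def __init__(self, credential):
        self.credential = credential
        self.pending = None   # (new_credential, requested_at) or None
        self.frozen = False   # set once the owner reports a theft

    def request_change(self, new_credential, now):
        """Queue a change. Returns when it takes effect, or None if refused."""
        if self.frozen:
            return None
        # A repeated request restarts the clock; it can never shorten the wait.
        self.pending = (new_credential, now)
        return now + DELAY

    def report_theft(self):
        """Owner reports the theft from elsewhere. True if a change was cancelled."""
        cancelled = self.pending is not None
        self.pending = None
        self.frozen = True
        return cancelled

    def apply_due(self, now):
        """Commit the queued change only after the full delay has elapsed."""
        if self.pending is None or self.frozen:
            return False
        new_credential, requested_at = self.pending
        if now - requested_at < DELAY:
            return False
        self.credential, self.pending = new_credential, None
        return True

def stolen_phone_timeline():
    """Constructed scenario: change requested at 22:00, theft reported at midnight."""
    t0 = datetime(2023, 4, 20, 22, 0)
    acct = Account("owner-credential")
    acct.request_change("thief-credential", t0)
    too_early = acct.apply_due(t0 + timedelta(hours=1))    # still inside the delay
    cancelled = acct.report_theft()                         # owner reports at t0 + 2h
    retry = acct.request_change("thief-credential", t0 + timedelta(hours=3))
    late = acct.apply_due(t0 + timedelta(hours=11))         # nothing left to apply
    return too_early, cancelled, retry, late, acct.credential
```

The delay only helps if the report comes through a channel the stolen phone does not control, which is why the model freezes the account on a report rather than just clearing the queue.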