Michael Horowitz
Home => Defending Yourself From Apple's Design Mistakes
[Formatted for Printing] From the personal web site of  Michael Horowitz

Defending Yourself From Apple's Design Mistakes

April 20, 2023

The Wall Street Journal has been doing the public a favor, highlighting some HUGE security flaws in the Apple eco-system. These are not software bugs, rather they are poor design choices on Apple's part. The biggest issue is that if a bad guy gets hold of an iPhone and knows the passcode to unlock it, the owner of the phone is totally screwed, despite assorted defenses. Apple made miserable hierarchy choices and an unlocked iPhone gives the person with the phone total control over everything. The assorted defenses that Apple puts forth are just security theater. Directly below are the articles in question and further below is my take on all this.

  1. A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life by Joanna Stern and Nicole Nguyen. Feb. 24, 2023. The passcode that unlocks your phone can give thieves access to your money and data; 'it’s like a treasure box'

  2. How to Protect Your iPhone Data From Thieves by Nicole Nguyen and Joanna Stern Feb. 24, 2023. Strengthen your passcode and use Screen Time controls to keep a predator you meet in real life from hijacking your digital life.

  3. The iPhone Setting Thieves Use to Lock You Out of Your Apple Account by Nicole Nguyen and Joanna Stern April 19, 2023. The recovery key was designed to make Apple IDs safer. Instead, these victims permanently lost family photos and other precious digital possessions.
    My favorite part of this article is the paragraph that describes how Google does a better job of letting victims back into their account after a bad guy has taken it over. To me, this says that Google is smarter than Apple. Also of particular interest here is that sometimes Apple over-rides their systems and gives victims access to their stolen accounts. Sometimes, but not often and there don't seem to be rules about this.

APPLE'S MISTAKES IN BRIEF

The design mistakes below are critical when someone (assumed to be a bad guy) has your iPhone and knows the code to unlock it.

  1. The bad guy can change the password to your Apple account. A better system would require the bad guy to first enter the current password, but that is not the way it works. Apple gave priority to convenience rather than security.
  2. The bad guy can add a Recovery Key to the Apple account which further locks the victim out of their account.
  3. The bad guy has access to all the passwords stored in the iCloud Keychain. Here again, Apple gave priority to convenience rather than security.
  4. If you use hardware Security Keys to defend your Apple account from exactly this sort of attack, fuggedaboutit. Apple lets the bad guy remove the Security Keys from your account, rendering them useless. It is as if Apple wanted the headlines for good security, but not the hassle of dealing with actual good security.
It looks like Apple is not even trying, when it comes to making all the pieces of their eco-system fit together well.

BIGGEST DEFENSE

The biggest defense is buried deep in the System Settings. It is a small minor throw-away option of Screen Time, the feature designed for adults to limit what children can do. Turns out it can also limit what a bad guy who stole your phone can do.

The steps to set up Screen Time depend on whether you're using Family Sharing or not. It is best to check the documentation from Apple: Use Screen Time on your iPhone, iPad, or iPod touch (Published September 2022 and not revised). My cheat sheet below is from iOS version 16.4.1 which was current as of April 2023. It was verified on an iPad, I don't have an iPhone. This is much more detailed than the explanation provided in the WSJ articles.

  1. Settings -> Screen Time. If Screen Time is on, it will say "turn off Screen Time" in red. If Screen time is off it will say "turn on Screen Time" in blue.
  2. When you first turn on Screen Time, the system will ask if the device is for yourself or your child. I said it was for myself.
  3. Screen time does not require a password/passcode but it is critical that there be one, so click on "use screen time passcode".
  4. The screen time password gets no respect, it is limited to 4 digits. The two important things about this password are that it differs from the passcode to unlock an iOS device and that you never forget it.
  5. After picking a Screen Time password, you are asked about Screen Time passcode recovery. If you forget the screen time passcode, then you can use your Apple ID to reset it . I am no expert in the Apple eco-system but this strikes me as a bad idea since we are using Screen Time to block a bad guy who has access to our account. If you trust Apple, then enter both your Apple ID and password here. If you are willing to remember the Screen Time password and never lose it, then you can skip this step by first selecting "Cancel" and then "Skip".
  6. Now that Screen Time is enabled, we have to configure it to do something useful. Go to Content & Privacy Restrictions and toggle it on.
  7. For the light at the end of this tunnel, Go to the Account Changes option and select Don't Allow.
  8. FYI: There is another option in the Content & Privacy Restrictions section called "passcode changes" Which passcode? It does not say.

Again, it is very important that you not lose the Screen Time password. Write it down in two places, tell a friend, save it in a non-iOS password manager. Whatever you do with your Citibank password, do the same with this.

FYI: Documentation from Apple on the many options in Screen Time is here: Use parental controls on your child's iPhone, iPad, and iPod touch (Published September 2022 and not revised).

SMALLER DEFENSES

There are many things an iPhone user can do to both prevent a bad guy from learning their passcode and minimize the damage that a bad guy with the passcode can inflict. This is a whole blog in and of itself and I have much more on this on the iOS page of my Defensive Computing site. Below is a sampling.

GOING FORWARD

Can Apple be shamed into doing better? Time will tell. When I exposed their miserable VPN practices, they could not be shamed into doing better. But, I am not the Wall Street Journal.

My suggestion: any change to an apple ID password should be delayed for 10 hours (give or take). In the case of a stolen phone this would give the victim time to report to the theft.

 

 

 @defensivecomput TOP Home => Defending Yourself From Apple's Design Mistakes   
 michael--at--michaelhorowitz.com   Last Updated: April 26, 2023 2PM UTC  
  License Plate
Copyright 2001-2024
Copyright 2001-2024  
Printed at:   May 29, 2024 8:11pm   ET
Viewed 8,212 times since April 21, 2023 (20/day over 404 days)