Apple's new iPhone security setting keeps thieves out of your digital accounts (theverge.com)
136 points by kristianpaul on Dec 13, 2023 | 71 comments


After an iPhone theft in Europe earlier this year, I don't quite trust Apple's assurances with regard to stolen iPhones.

My phone was snatched from my hands in the street. I was able to wipe it via 'Find Devices' within a few minutes; I was able to track its location for the rest of the day, until I requested that my carrier irrevocably disable its network service. There was no evidence of any accesses of my information or accounts linked on the phone, then or since.

In the following days, it was still visible in my Apple device lists as mine, with reference information like its model and serial number – as it should have remained, indefinitely, to prevent anyone else from associating it with their accounts. (Until recently, I still had an iPhone 4 listed there that hasn't been turned on for many years.)

But sometime since then, it was removed from my Apple account – without my permission, and with no notification to me. This step would also apparently allow someone else to use the device with Apple services.

Apple Support insists only a person who authenticated to them as me could have done that, and that they have no records of when/how that happened – a policy that seems designed to help criminals cover their tracks, with no help to customers other than: "you should change your password".

Further, even if I provide the serial-number/IMEI with a police report, Apple says they can't determine if they've activated Apple services to that stolen property for someone else or provide me with any further help.

I thus suspect theft networks have figured a way around Apple's breezy assurances about locking-out stolen devices, perhaps similar to how they've often deeply pierced major telecom providers in order to carry out SIM-swap attacks.

But: if anyone on HN knows more about how the smartphone theft/fencing (chop shop?) operations typically work, or how Apple's systems do or don't protect against post-theft hijacking of registered Apple devices, I'd love to hear perspectives that either flesh-out, or refute, my impressions that Apple's related systems involve some false bluster & "security theater".


Well I kind of did circumvent this hurdle.

I got an iPhone from a relative, the relative had forgotten the passcode and the Apple ID password.

I did a factory reset of it via iTunes and of course when it started up and I started with the setup it said it was locked to *@*.com.

I contacted Apple support and they said I needed proof of purchase for them to unlock it.

I did not have any proof of purchase and neither did my relative.

But I refused to let that stop me. So I made a proof of purchase, printed it and went to an Apple store.

I told the Apple Genius about the iPhone and that it was locked but factory reset and presented the "proof of purchase".

The Apple Genius went to get a manager or something and the manager checked the "proof of purchase" and then connected the iPhone to the store Wi-Fi and did some stuff on their iPad and rebooted the iPhone. The iPhone did a reset and then it was unlocked and ready to be setup without any hurdles.

So I am guessing some thieves have figured this out.


> The Apple Genius went to get a manager or something and the manager checked the "proof of purchase" and then connected the iPhone to the store Wi-Fi and did some stuff on their iPad and rebooted the iPhone. The iPhone did a reset and then it was unlocked and ready to be setup without any hurdles.

The thieves figured out you just need to know (or be) an employee of any of the 500+ Apple stores. I assume that some theft rings have this process quite streamlined.


A similarly-compromised front-line T-Mobile employee once enabled a "SIM-swap" on my active iPhone phone number.

It was reported in T-Mobile's systems as my personal visit, with supporting documentation/ID, to one of their retail locations in Oklahoma – thousands of miles from anywhere I'd recently been. So, while remotely possible that their employee gullibly reviewed credible false documents, it seemed far more likely to be:

- an insider abuse by a corrupt employee;

- a deep hack of T-Mobile's systems, allowing such admin actions with forged audit-trails; or

- compromise of an authorized employee's credentials plus access to capable internal-system front-ends.

The Apple Support person I spoke to insisted that an analogous compromise here was impossible – that no Apple employee had the power to take such an action without my Apple ID password. Based on other reports in this thread, I highly suspect she was lying to me, probably in conformance with Apple policy.


They were 100% lying. It's even on Apple's website: https://support.apple.com/en-us/HT201441

"If you need help removing Activation Lock and have proof of purchase documentation, you can start an Activation Lock support request."


Makes sense. No theft deterrence is perfect, and your solution required a lot of investment of time and would not scale to a substantially large theft ring.


Eh, fake receipts are fairly easy to knock out.

When I managed a hospital's iPhone deployment I made it a point to always back up our receipts electronically because I have... had to make quite a few emails to AppleCare Security to release a few Activation Locked devices. It's not a terribly difficult process once you've done it a couple times, and I reasonably think I could release as many phones as I wanted these days with enough fake receipts.


The fake receipt is the easy part; it's the staffing and logistics and risk to send people into lots of Apple stores to use them. One, sure. But an organized theft ring stealing 1000 iPhones a month is probably not going to work at that scale.


There are lots of Apple Stores, many in jurisdictions that don't prioritize vigorous prosecution of small thefts or mere possession-of-stolen-property. There are lots of individuals who'd take the chance to make a quick buck. So it doesn't need to be one scaled organization: just a functioning black market.

Imagine the false docs are often accepted, rather than triggering a criminal prosecution. The practical maximum downside may be mere impoundment of the device, rather than a conviction/jailing.

(And, even that would require Apple's policy to be too assertive & confrontational: "you presented us suspicious documentation, we're holding this device – that you carried here, in your possession – until police sort it out." Does Apple want to take the risk of that backfiring on them? Or would store staff, in practice, simply say: "we can't accept that documentation, you and your device should leave.")

Then Apple's lenience here will support a positive resale value of stolen devices, enough for the weakness in their systems to be exploited.


With an MDM and Apple's Device Enrollment Program you don't even need to worry about this anymore[0].

[0]: https://www.apple.com/mx/business-docs/DEP_Guide.pdf


Hah, no.

It's mind-bogglingly easy to bypass MDM/DEP on even a T2-enabled/Apple Silicon MacBook.

Like three minutes, and not overly complex. Without spelling it out here, null route three DNS entries, install macOS Monterey, edit /etc/hosts similarly, and then upgrade to Sonoma. You can even remove the null routing after (it's only needed to bypass network calls in the installer).

Nothing broken, no errors, 100% DEP-escaped.

I suspect that the only thing you can't do at that point is reset to the OOB experience for selling it.


Interesting. Nothing similar for iPads and iPhones? Except jailbreak.


Hahahah when I worked at the hospital my director's answer to any of that was "Exchange is our MDM" despite me pushing for it, so I was stuck with the receipts regardless.

... My personal stuff is enrolled into my own personal Jamf instance and because I went through a bunch of motions with Apple Business my personal phones and Macs are all DEP locked ;)


I would love to go this route but the entry seems blocked unless you have a business with a DUNS number. Am I right in that assumption?


According to my friend at Apple, sometimes fairly low level employees have access to the internal system which can be used to dissociate devices from AppleIDs. I wouldn't be surprised if some of them were compromised, as the pay is not great.

What's more surprising is if they have no audit logs that would let them discover the compromised employee in these cases.


Or they do have such logs, but don’t feel like taking the reputation hit of telling you what happened.


I worked on these systems when I worked there. I can tell you they have audit logs, but they're restricted to certain groups within Apple to see them.


That sounds credible. The Apple Support person I spoke with denied such audit logs even exist, probably in some officially-coached language that they can bluff as being truthful when pressed.


Yup. The argument for end-to-end.


> I thus suspect theft networks have figured a way around Apple's breezy assurances ...

Also sounds like something doable by compromised Apple insiders. :/


Against their own advice, the moment it is stolen you should erase it from Find My as a priority. Until that is done it can be used to authenticate with your iCloud account as an MFA device and can then be removed anyway if they get past the device lock. In that window the security posture is somewhat unknown. I'm sure there is a good market of off the shelf exploits which can leverage that in some way, despite Apple's excellent general efforts on this front so far.

The key thing is to protect your data first and that means wiping it remotely. Leave it attached to your iCloud account device list though because that'll leave the provisioning / device lock in place. I'm sure they have a way around that now but it'll make it more difficult and devalue it for the thief at least.


A good example of why I try to keep anything I consider really important out of iCloud entirely! (That's quite hard with Apple's various dark patterns to boost iCloud usage & lock-in.)

But yes - it looks to me like dishonest actors managed to get the device out of my "iCloud account device list" without my permission, and thus evade the "provisioning / device lock".


I'm unable to factory reset my own iPhone as it's linked to a friend's Apple account. I know the passcode. Apple are unwilling to do this for me unless I show proof of purchase (which I don't have as it was many years ago). Pretty high bar, so I'm assuming it must be an inside job.


Per another reply's report, you can just forge a plausible-looking plain-piece-of-paper "proof of purchase" – y'know, how crooks might have done so 100 years ago, with some predigital printing supplies.

Show that to the right Apple employee, you should be good to go.


Is the friend not a friend anymore?


I haven’t spoken to that guy since he stole my iPhone.


That seems like a very big deal if true. Very interested too if someone has more information. I could imagine they may be able to reuse the phone by changing parts, but how would that remove it from your Apple account?


From the reports in this thread, it seems that front-line Apple employees presented with a reasonable-looking (even if forged) "proof of purchase" can re-enable a device registered to another person's account. Perhaps, that yanks it from the previously-registered account.

That's my best guess as to what happened here.

The alternative, that the thieves fully compromised my account via obtaining my Apple password and circumventing the various secondary checks via my other devices, seems very unlikely to me.

There's been no evidence of unintended account accesses – like the confirmation challenges that pop-up on other devices. Unfortunately, Apple seems to lack the user-reviewable log of all authentication events that others like Google offer.

The sorts of compromises that would have revealed my password – like a keylogger on one of my primary Apple devices – should've shown up as other attacks on targets of more value than a single street-snatched several-years-old iPhone.


I'm going to add to this: a long time ago my MacBook was stolen when I was on holiday. I did all the things you mentioned; once I got back home I called Apple Support and they said "your warranty with us is over (it was 2 days lapsing from my travel) and to help you, you're going to need to buy AppleCare again". Disgusting.


Great news, I was pretty shocked that the original flaw still existed. Getting your phone stolen is annoying but the worst case is you buy a new phone, but thieves being able to take over your digital life is potentially catastrophic.

Hopefully this works well, I assume third party apps such as banking will be able to opt in to the additional protection (not sure if this is strictly required actually, I checked my banking app and if Face ID fails you have to enter the banking PIN, you can’t enter the device PIN).

Is there a way to lock individual apps so they require Face ID even if they weren’t designed to? A smart thief having access to the Gmail app for example, if the phone was unlocked when stolen, could wreak havoc.


What I really wish apple had is the ability to have multiple passcodes with different behavior.

Something like one passcode for ordinary phone use, one that would immediately and covertly send an emergency text to your family with your current location, one that would instantly wipe the device and one that would give you access to the hidden gay dating app you don't want people to know about.


The problem is that Apple engineers and PMs are not used to living in third-world countries, where your life is way less important than your phone. When you don't have to face that kind of challenge daily, it is difficult to think of such a solution without people mocking you for being paranoid.

I understand, and they are not wrong for not thinking through all the brutal scenarios that real life likes to play out. But I believe that engineering teams that have a security focus should have at least some consultant from areas where violence is normal.

So, effectively, all the scenarios they think about are normal theft: forgetting the phone somewhere, or someone snatching the phone from you. They never think about someone sticking a gun to your face and forcing you to unlock the phone so they can run away on a motorcycle while depleting your accounts. A distress code could be extremely helpful for banking institutions to flag every transaction post-distress, and for locking your digital accounts (iCloud, Dropbox, etc.).


Absolutely, the idea of "coercion codes"/"distress codes" or the like goes back a very long time, long before electronic devices even, it's a pretty natural idea that someone could use different canned expressions to code for different responses that attackers wouldn't be able to distinguish. All the core aspects are in place on iOS to do a system both user friendly and quite powerful around that, and years and years later it remains too bad that's hard. In fact in a touch of irony it was at one point quite feasible and pleasant to do with a jailbroken iPhone and Touch ID. The Touch ID system actually distinguished between the various registered fingers (up to five), which in turn meant you could use fingers themselves to trigger other behavior. So "unlock with either index finger" could be "normal", but "unlock with thumb" or middle finger could then run scripts of your choosing in the background.

It would be a real boon if Apple themselves did it, incorporating not just codes or biometrics but also arbitrary information from the phone's sensors if advanced users wanted. So for example you could explicitly set a few geofences and say that certain actions could only be done within them (and only at certain times of day even), or certain apps viewed at all (by literally keeping the encryption keys for them locked away unless all conditions were met). If it's not even possible for you to comply when traveling in the first place and that's widely known and transparent, it reduces the value in trying to coerce you.

Such a system could also be useful outside of security fwiw, just in ordering our lives. Someone finding distraction hard could lock all their games and social media apps in a view accessible only at home and forbid any app store purchases as an aid in avoiding temptation. Anti-engagement instead of trying to get more engagement.


You can do this if you enable screen time for your own phone. At least for unwanted changes.


Related article and thread from Feb: https://www.wsj.com/articles/apple-iphone-security-theft-pas...

https://news.ycombinator.com/item?id=34936015

Now it seems like thieves would not be able to immediately unlink a phone from Find My if they have the passcode, because of the security delay


Wow, that seems scary


Related: Set up screen time, and disable password changes and account changes, and set a (different to your regular passcode) screen time passcode. Then you have a separate passcode that keeps sensitive account changes locked.


"Account changes" doesn't lock changes to your Apple ID, for example; it's just about email accounts and the pass keychain. Passcode change is not useful; why would a thief do it anyway...


The last time this came up, it was pointed out this too can be bypassed.


How so? That's good to know that it can be bypassed.


How?


This is clever.


This is a good development. Making phone theft less appealing is a good thing, and locking away precious personal data and accounts if it does still happen is great. It’s an ordeal to face against thieves to change any login information they could find looking through the data on a phone. I hope this will be secure and work as advertised.


Finally. For current iOS versions, there is a workaround: use the “screentime” feature to disallow pincode changes.

In screentime you can set a different code, so when anyone else can access your phone, they can’t change the code and lock you out of your phone.


Doesn't work.

If you get the screen time password wrong a few times it will let you put the device passcode in.


When the screen time settings are protected by a separate Apple ID with a separate phone number registered for 2FA (obviously the SIM card or eSIM shouldn’t be on the same phone), this works. In this situation you need access to that second account’s SIM card (which can be locked with a PIN) to remove the lock.

Keep in mind afaict this is the situation with 2nd account having Rescue Code enabled. Things might be different if it’s not.

Email me for how to actually restrict yourself with iOS Screen Time (without 3rd party apps) in a way which you really-really can’t bypass when you feel down. Disclaimer: Not an Apple employee, but a former smartphone addict, ahem, I’m sorry, user.[1]

1: I believe all smartphone users are addicts as much as rest of their lives allows it, without the use of hard restrictions.


What is your email? :)


Sorry, added to my bio.


Are you sure? According to Apple [0] it requires your Apple ID password. Also, I can't reproduce this on my iOS device: it's locked by a timer which increases exponentially.

[0]: https://support.apple.com/en-gb/102677


This is fantastic to see, although bitter-sweet considering I just had my phone and Apple ID stolen in August. I suspect the thief was watching as I unlocked my phone and got the passcode that way, although I was drugged and have amnesia (worst Tinder date ever) so it's possible I unlocked the phone for her.

However they got the passcode, it was enough to immediately change the 'trusted phone number' with Apple and lock me out of my account. Even after hours on the phone with Apple Support explaining the situation and offering to provide a police report and any documentation they wanted to verify my identity, they weren't able/willing to help me without that phone number. There have been numerous hassles to moving to a new Apple ID, including having to provide proof-of-purchase for all my other Apple devices to get them unlinked from the stolen account. But the worst by far was losing years worth of photos, which I foolishly trusted to be stored safe in iCloud and are now locked away from me and available to criminals.

This is a step in the right direction but I'd love for Apple to improve their policies around proving ownership of a stolen account. Even with this new protection, if you're ever robbed at gunpoint or coerced while drugged, your Apple ID can be taken and there's no path (that I've been able to find) to recover it.


It does sound like the worst Tinder date ever. What country or city were you in?


This was in Mexico City. I've traveled there many times and generally feel very safe, but learned a valuable lesson in being overly trusting of new people.

I'm thankful to be alive, since I don't know what drug I was given and how much. And fortunately she left my passport so I was able to get home. But what a mess, I really can't recommend it.


I always found it odd that sensitive apps like Banking I could just fall back to the same pin I use on my phone... that seems a bit wrong?

Like ok, I get it, there should be a fallback for biometrics not working for whatever reason. But for getting into your phone, but for apps that use biometrics, since generally those have their own fallback of just using your password to log in.

Unless I am missing it, I don't see this being a change here? I hope that is coming if not.


Too little too late. This STILL means your Apple ID password is just your passcode. This is absolutely unacceptable.


This is basically a branding and broader application of the existing Keychain access control presence requirement, whose documentation specifically calls out these scenarios. All finance apps should be using presence verification post login and preceding an outgoing transaction or possible takeover action.
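The comment above refers to the Keychain access-control presence requirement. As an added illustration (not the commenter's code and not Apple's sample code), here is a Swift sketch of what that looks like in a finance app: a per-app token is stored with `.biometryCurrentSet`, which has no device-passcode fallback and is invalidated if the enrolled faces or fingerprints change, and it is read back immediately before a sensitive action. The service and account strings, the `authorizeTransfer` wrapper and the transfer amount are assumptions for the example.

```swift
import Foundation
import Security
import LocalAuthentication

// Placeholder identifiers chosen for this example (not from any real app).
let keychainService = "com.example.bankapp.session"
let keychainAccount = "transaction-signing-token"

/// Stores `secret` so that reading it requires the *currently enrolled* biometry set.
/// Two properties matter for the theft scenario discussed in the thread:
///  - `.biometryCurrentSet` (unlike `.userPresence`) offers no device-passcode fallback,
///    so knowing the passcode alone does not unlock the item;
///  - the item is invalidated when biometry enrollment changes, so a thief who adds
///    their own face or fingerprint to the device loses access to it.
func storeBiometryBoundSecret(_ secret: Data) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // never synced; removed if the passcode is turned off
        .biometryCurrentSet,
        &cfError
    ) else {
        return errSecParam
    }

    // Remove any earlier copy so SecItemAdd does not fail with errSecDuplicateItem.
    let deleteQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
    ]
    SecItemDelete(deleteQuery as CFDictionary)

    let addQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
        kSecAttrAccessControl as String: access,
        kSecValueData as String: secret,
    ]
    return SecItemAdd(addQuery as CFDictionary, nil)
}

/// Reads the secret back, which makes the system show a Face ID / Touch ID prompt.
/// Returns nil on cancel, on authentication failure, or when the item no longer
/// exists because enrollment changed; the caller must treat nil as "not authorized".
func readBiometryBoundSecret(reason: String) -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    // Hides the "Enter Passcode" button in the prompt. The access-control flags
    // already refuse the passcode; this only keeps the UI consistent with that.
    context.localizedFallbackTitle = ""

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else {
        return nil
    }
    return result as? Data
}

/// Hypothetical gate around an outgoing transfer: presence is re-verified right
/// before the action, after the user is already logged in.
func authorizeTransfer(amountCents: Int, perform: (Data) -> Void) {
    let reason = "Confirm transfer of \(amountCents) cents"
    guard let token = readBiometryBoundSecret(reason: reason) else {
        return // refuse; never fall back to the device passcode for this step
    }
    perform(token)
}
```

The design choice worth noting is the split between login and action: a session can be established once, but the token needed to submit a transfer or change account settings lives only behind the biometry-bound item, so an unlocked phone with a known passcode still cannot complete those steps.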


No, it's way more than that.

It forces an hour delay for people using the device passcode to reset the Apple ID password EXCEPT if it's in a known location like home (also blocks changing the device passcode and turning off Find My), and forces Face ID for these, even if the phone has been forced to forget the Face ID keys and require the device passcode.

And it requires FaceID without a passcode ID fallback for certain categories of authentication.


> And it requires FaceID without a passcode ID fallback for certain categories of authentication.

Judging by how often finger print readers get false negatives, this seems like an incredibly bad and frustrating idea.


That's why I always enlist at least a few of my fingers, even though I'm effectively always using the same on a day-to-day basis.


I’ve had great experiences with faceID and touchID over the years, FWIW.


Good thing Apple hasn’t used TouchID on phones in a long time then?


Yeah, except for ones they currently sell: https://www.apple.com/iphone-se/


TouchID is far from "long time ago" tech. It's standard on Macs, and still present on iPhone and iPad models currently sold as new. Not to mention the large portion of their userbase that doesn't upgrade every three to five years.


I really wish there was a feature to lock the phone upon rapid movement, such as when a thief snatches the device while it is in use. It seems like an obvious mitigation to a common problem by way of the built in accelerometer.


Then he comes back and points a gun to your face, asking for the code.


It's a welcome change, especially the time-lock is something that I always thought about. SMS and EMail as 2FA are dead when someone can unlock your phone.

Still though, why don't iPhone owners use face unlock? Is it not good?


They do use it but you can force passcode requirement by holding down the power button until 'slide to power off' appears. From daringfireball: '(One way the scam would run: Chat up the victim in a bar, and offer to use the target’s phone to snap a photo of the victim and their friends. Surreptitiously lock the phone out of Face ID when handing it back to the victim. Then, when next the victim wants to do anything on their phone, they need to enter their passcode. Either the thief or a partner in a team gleans the passcode. Then they steal the phone, knowing the device passcode.)'


Say that to BofA. On my phone they still require email or text when I sign in.

Guess what I receive on this iPhone? Right, email & text.

On my PC it prompts for my YubiKey, but I cannot use it on iOS.


If anyone is interested, I wrote a small utility to time-lock data, to be able to self-restrict myself in terms of Screen Time etc. passwords: https://github.com/aerbil313/timelock


Masks? Sunglasses? Etc.

But also the phone locks back to requiring a passcode with enough failed attempts, so presumably people stealing them know how to induce recognition failure.


It’s very easy to trigger the fall back to enter PIN code.


Well, like most things Apple, we of course just have to take Apple’s word on it. And if ever you find out someone was able to access it, as usual, you’ll be told - “it’s not possible and we won’t be able to share audit logs” or “blah..long password..blah”.

Just like the horseshit that once an iPhone is stolen it’s bricked for a thief. A friend’s iPhone got stolen and after a week it was removed from his device list in iCloud account. Apple Support refused to even acknowledge it and then didn’t respond anymore. They shut him off.



