Reprinted from TidBITS by permission; reuse governed by Creative Commons
license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary
on Apple and Internet topics. For free email subscriptions and access to the
entire TidBITS archive, visit http://www.tidbits.com/


     How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly
                                  Permanently

   Adam Engst

   Tech reporters Nicole Nguyen and Joanna Stern of the Wall Street
   Journal are back with a follow-up on their exposé of Apple's
   problematic iPhone security design decisions. In the first article,
   they showed how a shoulder-surfing thief could discover a user's
   passcode, steal their iPhone, and change their Apple ID password to
   disable Find My before making purchases with Apple Pay, accessing
   passwords in iCloud Keychain, and scanning through Photos for pictures
   to aid in identity theft (see '[1]How a Thief with Your iPhone Passcode
   Can Ruin Your Digital Life,' 26 February 2023).

   In another [2]article (paywalled) and accompanying [3]video, Nguyen and
   Stern now explore the ramifications of what happens when a passcode
   thief changes the user's Apple ID recovery key, which is again doable
   with nothing more than the iPhone passcode. In short, the thief can
   lock the victim out of their iCloud account, possibly permanently,
   preventing access to precious photos and more. Apple has responded
   sympathetically but hasn't helped'or been able to help'users get back
   into their accounts.

   IFRAME: [4]https://www.youtube.com/embed/tCfb9Wizq9Q?feature=oembed

One Recovery Key to Rule Them All

   The problem is that once the thief sets or resets a recovery key, it
   becomes the only way to regain access to an Apple ID account once the
   password has been lost'Apple says it can no longer help through its
   usual [5]account recovery process. Apple is clear about how creating
   [6]a recovery key puts additional responsibility on the user, but
   that's an acceptable trade-off for a technically savvy, organized user.

   What's not acceptable is allowing a thief with nothing more than a
   stolen iPhone's passcode to set or reset a recovery key. That creates a
   situation where a user becomes vulnerable to their account being locked
   even if they had no intention of setting a recovery key or were already
   managing it securely. The article says:

     After Cameron Devine's iPhone 13 Pro was stolen from a Boston bar in
     August, the 24-year-old said he spent hours on the phone with Apple
     customer support trying to regain access to over a decade of data.
     Each representative told him the same thing: No recovery key, no
     access. Mr. Devine said he had never heard of the key, let alone set
     one up.

   The article does give another example of a person for whom Apple was
   able to disable the recovery key, allowing the user to regain access to
   the account. Although Apple declined to comment on that situation, the
   user reportedly used some Apple 'business services,' suggesting that
   his iPhone might have been enrolled in device management and thus
   different from a regular user's iPhone.

   Although I haven't been able to find a detailed explanation of how the
   recovery key works in Apple's [7]Platform Security Guide, my
   understanding is that it essentially acts as a second copy of a
   user-managed encryption key that takes over from Apple's usual account
   recovery option.

   To enable end-to-end encryption, such as with Apple's Advanced Data
   Protection for iCloud, the user must generate and maintain the
   encryption keys (see '[8]Apple's Advanced Data Protection Gives You
   More Keys to iCloud Data,' 8 December 2022). In the Apple world, those
   keys are generated automatically and stored in the Secure Enclave, and
   to protect against their loss, Apple requires that anyone turning on
   Advanced Data Protection specify account recovery contacts or set a
   recovery key. That's necessary because Apple doesn't control the
   encryption keys and thus can't help a user get into an account if the
   password has been lost or reset by a thief.

What Apple Can Do to Address This Vulnerability

   If my understanding is correct, Apple is not being disingenuous or
   obstructionist when it comes to helping people who have suffered a
   passcode and iPhone theft. Once that recovery key is set, the company
   can do nothing to help'it no longer controls the necessary encryption
   keys. That's why I say that users may be locked out of their accounts
   permanently.

   When the Wall Street Journal article talks about how victims attempt to
   prove ownership of their accounts with various forms of identification,
   it's missing the point'identification is not in question; the data is
   simply inaccessible because it's encrypted with a key that Apple
   doesn't control.

   The ultimate fix comes down to reducing the power of the passcode.
   We're constantly told that we must create strong, unique passwords, and
   yet the most important device in many people's lives is protected by
   nothing more than a six-digit passcode. Apple could protect users
   against the more severe ramifications of passcode theft by requiring
   additional authentication'perhaps using Face ID or Touch ID without the
   passcode as a fallback'before allowing someone to reset the Apple ID
   password or recovery key option.

   Saying that is easy, but I'm fully aware that many devils dance in the
   details. Apple is walking a fine line between strong security and being
   able to help users who lose access to their accounts. Apple might be
   weighing the risks to the relatively few people whose passcodes and
   iPhones are stolen against the problems faced by numerous
   unsophisticated users who forget their Apple ID passwords and have no
   other Apple devices. Then again, Apple is willing to inconvenience
   everyone with frequent security updates for vulnerabilities that might
   be used against only a few high-value targets. Security is always a
   balancing act.

What You Can Do to Protect Yourself

   For the most part, my advice surrounding passcode protection hasn't
   changed from my previous article. In '[9]How a Thief with Your iPhone
   Passcode Can Ruin Your Digital Life,' I wrote that you should:
     * Pay attention to your iPhone's physical security in public.
     * Always use Face ID or Touch ID in public.
     * If you must use your passcode in public, conceal it from anyone
       nearby.
     * Never share your passcode beyond highly trusted family members.

   Creating a longer alphanumeric passcode, as Nguyen and Stern suggest,
   could help, but only if it's sufficiently long and complex that a
   shoulder surfer wouldn't be able to memorize it. However, such a person
   could surreptitiously record you entering it and then refer to the
   video after stealing your iPhone. They might be more obvious while
   recording, but you would be less aware of your surroundings as you tap
   in the complex passcode. And none of this would protect against the
   threat of physical harm unless you reveal your passcode.

   The best protection right now is to use Screen Time, as I discussed in
   my previous article. If you enable Screen Time, set a separate
   four-digit Screen Time passcode (without Apple ID-based recovery, I
   presume), turn on Content & Privacy Restrictions, and select Account
   Changes > Don't Allow, no one can change your Apple ID password or
   recovery key options without that passcode.

   Unfortunately, it does that by preventing you from even entering
   Settings > Your Name without first going to Settings > Screen Time >
   Content & Privacy Restrictions > Account Changes > Screen Time Passcode
   > Allow, and then setting it back to Don't Allow once you're done. If
   Apple tweaked iOS 17 to prompt for the Screen Time passcode when
   accessing the blocked options, it would be much easier to recommend.

   There is one final thing you can do to protect your data: make local
   backups of everything stored in iCloud. Most of the users who lost
   access to their iCloud accounts were particularly distraught about
   losing their photos, which is understandable but easily avoidable.

   Set Photos on a Mac to download originals, and then make sure that
   those original images are included in your backup strategy, which
   should include at least Time Machine and an offsite backup, and
   preferably also a bootable duplicate.

   This won't keep the photos out of the hands of a thief who has accessed
   your account, but at least you won't lose your images.

   Stay safe out there.

   [10]Read original article

References

   Visible links
   1. https://tidbits.com/2023/02/26/how-a-thief-with-your-iphone-passcode-can-ruin-your-digital-life/
   2. https://www.wsj.com/articles/the-iphone-setting-thieves-use-to-lock-you-out-of-your-apple-account-716d350d
   3. https://www.youtube.com/watch?v=tCfb9Wizq9Q
   4. https://www.youtube.com/embed/tCfb9Wizq9Q?feature=oembed
   5. https://support.apple.com/en-us/HT204921
   6. https://support.apple.com/en-us/HT208072
   7. https://support.apple.com/guide/security/welcome/web
   8. https://tidbits.com/2022/12/08/apples-advanced-data-protection-gives-you-more-keys-to-icloud-data/
   9. https://tidbits.com/2023/02/26/how-a-thief-with-your-iphone-passcode-can-ruin-your-digital-life/
  10. https://www.wsj.com/articles/the-iphone-setting-thieves-use-to-lock-you-out-of-your-apple-account-716d350d

   Hidden links:
  11. https://tidbits.com/wp/../uploads/2023/04/Photos-download-to-Mac.png

.