[HN Gopher] Thieves took their iPhones. Apple won't give their d...
___________________________________________________________________
Thieves took their iPhones. Apple won't give their digital lives
back
Author : luafox
Score : 76 points
Date : 2025-04-21 19:52 UTC (3 hours ago)
(HTM) web link (www.washingtonpost.com)
(TXT) w3m dump (www.washingtonpost.com)
| nashashmi wrote:
| My cousin's phone was stolen in San Francisco. My mom's phone was
| hooked up to the same account. Somehow the thief was able to
| change the account password and email account to something else.
| Now my mom cannot reset her phone because she doesn't have access
| to the thief's account.
| lxgr wrote:
| > Somehow the thief was able to change the account password and
| email account
|
| That would be the fact that Apple lets anybody that knows the
| passcode reset the iCloud password as well, without any further
| authentication. And the passcode can be shoulder surfed by the
| thief...
|
| "Stolen device protection" was developed as a response to a
| wave of such thefts: https://support.apple.com/en-us/120340
|
| It seems like a good step forward but still not perfect, and I
| believe it's not on by default.
|
| On the other side, with Advanced Data Protection, it seems
| shockingly easy to permanently lock oneself out of an iCloud
| account: As far as I understand, there is absolutely no way to
| recover an account protected that way if the recovery code is
| lost - not even by deleting all data currently stored on it and
| starting from scratch (e.g. from a local backup).
|
| Given the fact that an iCloud account doesn't only contain a
| big pile of data, but access to some purchased products and
| services (subscriptions, app purchases, iTunes songs, the Apple
| Card etc.), that seems like a pretty big oversight.
| XorNot wrote:
| Admittedly we in security do a very poor job on equipping
| users with useful threat models: i.e. the number of times
| people either don't turn on any sort of security, or turn on
| extremely aggressive security but don't write down and store
| a recovery code is too damn high.
| crote wrote:
| And it's made even worse by companies not wanting to deal
| with meatspace. Secure account recovery isn't _too_
| difficult if you're willing to do ID verification in
| physical stores, but no tech company wants to do that.
| jbombadil wrote:
| https://archive.is/1NMCR
| mmmlinux wrote:
| This sounds a lot like "I forgot my ultimate recovery password,
| but it's someone else's fault."
| bell-cot wrote:
| Yes.
|
| But in general, the way that most humans "naturally expect"
| such things to work is simply incompatible with the
| _usually_-extremely-convenient nature of computer accounts and cloud
| services.
| throwaway48476 wrote:
| Then it is too convenient.
| throwaway48476 wrote:
| A security model that the user does not understand and contains
| traps is not a good security model.
| Hizonner wrote:
| OK, but what model would you suggest?
|
| Apple has no adequate way to actually verify who anybody is
| without (a) forcing them to physically visit one of a _small
| number_ of offices (it can't be every store), and (b)
| probably charging a significant fee to cover the cost of
| doing real verification.
|
| And even that demands assuming that the identifying
| information on the account is right.
| wmf wrote:
| The person in the article who has their whole professional
| life in a stolen Apple account would probably be happy to
| visit Apple HQ in person.
| throwaway48476 wrote:
| For account recovery, in-store verification is viable.
| They've already collected data on their customers via
| payment processors.
|
| I would also force users to watch a video explaining the
| security features and quiz them before turning them on. You
| can't expect users to immediately understand how the
| security model works.
| newsclues wrote:
| Digital identity is an essential aspect of modern life.
|
| The fact that the government doesn't have a great standard
| for identity and it's left to banks and tech companies is
| crazy.
| 20after4 wrote:
| Identity is a really hard problem to solve. Just about
| any scheme you can think of to verify identity, some
| smart criminal can think of a way to exploit or
| circumvent/abuse the system.
| mingus88 wrote:
| I have a hard time believing this when they also have Apple
| Cash and Apple Pay.
|
| Even with their strong privacy fundamentals they know more
| about their account holders than any single business
| should.
| oarsinsync wrote:
| > Apple has no adequate way to actually verify who anybody
| is without (a) forcing them to physically visit one of a
| small number of offices (it can't be every store), and (b)
| probably charging a significant fee to cover the cost of
| doing real verification.
|
| My bank is able to verify me remotely to login to their app
| from a new device in under 15 minutes, just with a photo of
| my ID card and a video of my face. And the bank is liable
| for any losses caused if they misidentify me.
|
| Why can my bank do it but Apple can't?
| JumpCrisscross wrote:
| > _Why can my bank do it but Apple can't?_
|
| Banks write off tens of billions of dollars of fraud
| costs a year. They can do this because money is fungible.
| Hizonner wrote:
| Your bank verifies that against the copy of your ID that
| was collected in person when you opened the account
| (unless you're using some fly-by-night FinTech "bank",
| anyway). At a _minimum_, the bank has already collected,
| and checked, a bunch of other information that it can use
| to verify you (more than Apple can collect without mass
| user rebellion). It has reasonable confidence you haven't
| lied about that information. The bank can use that
| information to look up more about you in public records
| (which the bank knows how to do because, unlike Apple, it
| doesn't operate in every jurisdiction in the world). And
| I suspect that the ID/video check is _on top_ of proving
| you already know a password.
|
| Perhaps even more important, the bank knows exactly
| _what_ liability it's assuming, and what risk it's
| exposing _you_ to. There's a limit on how much money the
| app will let you move (even if the bank doesn't tell you
| what it is). All the transactions you can do are defined
| by the bank, it knows what's going on at all times, and
| it can and does apply extra checks for risky-looking
| transactions.
|
| _And_ bank transactions in general have a whole
| reversal-based security layer on top of all that.
|
| On the other hand, people use their Apple accounts to log
| into God-knows-what third party systems with God-knows-
| what risks and God-knows-what other security measures or
| lack thereof.
|
| Oh, and also the bank charges you ongoing overt or hidden
| fees specifically to cover the costs of securing your
| money. And of insurance if it fails to do so.
| EA-3167 wrote:
| Is there a security model that's both highly secure, and
| foolproof regardless of the mental faculties of potentially
| billions of diverse users? I think the answer is, "Obviously
| not," so the real question is whether or not the necessary
| compromises made here represent acceptable measures.
| throwaway48476 wrote:
| Security requires education. A new purely mechanical lock
| took two weeks before it was routine.
| crazygringo wrote:
| I'm curious why Apple has let it get this far that court cases
| are underway and WaPo is writing an article about it.
|
| What's in it for Apple? Surely it's easy enough to define some
| kind of verification process based on various pieces -- phone
| number, credit card, purchase receipt, etc. -- and requiring a
| police report to be filed or something.
|
| And this isn't like Google or Facebook where accounts are free,
| preventing manual account recovery from being scalable. People
| spend thousands of dollars on Apple devices across phones and
| laptops and more. People who don't spend money on Apple generally
| aren't keeping their data in iCloud.
|
| I'm confused because it seems like the rational, profitable thing
| for Apple to do here is to have these procedures for account
| recovery. So what's stopping them? Is there some kind of huge
| liability question if they ever facilitate giving access to the
| wrong person?
| wmf wrote:
| If Apple can unlock the account from your stolen iPhone they
| can also unlock your account for the gestapo. Whether it's
| worth throwing normal people under the bus to protect a few
| dissidents is a matter of values on which people are going to
| have differing opinions of course.
| BolexNOLA wrote:
| >to protect a few dissidents
|
| Your opinion seems to be to trivialize how important this can
| be, which fine you do you, but I think saying it only
| protects "a few dissidents" is a bit ridiculous.
|
| Every protest I've filmed at I hit the lock button 5 times so
| it forces a passcode. I feel secure knowing the police can't
| just take it and start scrolling - they need a warrant or
| they're bust.
|
| You don't have to be a dissident to need your privacy.
| SR2Z wrote:
| I think the point here is that either Apple has the
| technical ability to access your account (in which case
| they will be forced to do it by the government regardless)
| or they don't (in which case this lawsuit is ridiculous).
|
| The middle ground option where Apple has the ability to do
| this but is also somehow able to take a stand against the
| government is kind of difficult to support, because it
| doesn't make much sense.
| crazygringo wrote:
| That doesn't make sense. This isn't a _technical_ hurdle, is
| it? Apple already can unlock your account "for the gestapo"
| if they choose to.
|
| If the users have enabled Advanced Data Protection and don't
| have another Apple device, then I can understand why it would
| be lost for good. But that doesn't seem to be the case in
| these lawsuits. They make it clear that Apple has access to
| the data, and could transfer/restore it if they wanted to.
| JumpCrisscross wrote:
| > _Apple already can unlock your account "for the gestapo"
| if they choose to_
|
| But they don't.
| IlikeKitties wrote:
| This irks me A LOT and is simplified to the point of being
| incorrect, yet lots of people here make the same logical
| errors.
|
| Protecting the contents of people's devices and accounts with
| strong encryption and hardware security is great for the
| individual and protects them from thieves and governments
| alike. If Apple designed their devices so that they cannot
| unencrypt the content without the user's secret password,
| that's sensible for a lot of users.
|
| But E-Mail Addresses and Accounts are derivatives of your
| identity and companies should have ways of returning your
| accounts to you, even if the content is lost, in case of
| stolen identities.
|
| I am pretty paranoid about this stuff and only store private
| data using encryption and on trusted devices running mostly
| hardened FOSS software (Graphene OS, Fedora Secure Blue,
| OpenSuse MicroOS, etc.) and my backups are rcloned encrypted
| to the cloud. Yet for my most important e-mail that is bound
| to paypal, banking, shopping etc. I use posteo. They do this
| exactly right. I have personally tested contacting their
| support to return access to the e-mail address in case of a
| "lost password". After some validation, they returned access
| for it to me, but the encrypted content was unrecoverable.
| That is exactly what any responsible company should do.
| throwaway48476 wrote:
| The people suing didn't turn on E2E encryption. The
| government could already get access to their data via
| subpoena. Apple already has access to their data as well.
| Apple just doesn't want to be forced into doing basic
| customer service.
| popalchemist wrote:
| My gut tells me that they don't want to either set the
| precedent or let it be known that they can access your data and
| give/revoke access remotely, because it pokes a hole in their
| E2E encryption claims and opens the door to demands for
| backdoor access from governments.
| throwaway48476 wrote:
| In this case it wasn't E2E encrypted in the first place.
| lelandbatey wrote:
| It doesn't "poke a hole" in anything. The only way you get
| the full E2E encryption Apple talks about is if you enable
| "Advanced Data Protection", which none of the people in the
| article did, per the article. Apple could decrypt and return
| the data because Apple has the keys. Apple is refusing to do
| so.
| lxgr wrote:
| Having access but pretending not to seems like the worst of
| both worlds.
|
| Various entities will still be able to get to the data, while
| users might incorrectly assume that that's not the case.
| cyral wrote:
| > Is there some kind of huge liability question if they ever
| facilitate giving access to the wrong person?
|
| This is what I was thinking as I read the article. Imagine what
| will be written about them when they do give iCloud access to
| an impostor. Depending on what's on their account thieves could
| dedicate a ton of time to social engineering Apple into
| recovering the account. The article mentions police reports
| being "proof", but that doesn't seem like solid evidence
| considering how easy it could be to fake a police report from
| one of the tens of thousands of jurisdictions in the US. This
| is a problem for a lot of industries actually, i.e. banks and
| death certificates.
| leptons wrote:
| >People spend thousands of dollars on Apple devices
|
| As long as the people cut off from the walled garden amount to
| less than a rounding error in Apple's bottom line, they simply
| don't care. They will only care when a judge forces them to
| care, as we had to find out the hard way in a class action
| lawsuit against Apple. We won, but they lost us as lifetime
| customers. My wife even owns Apple stock and refuses to buy
| anything else from them and warns others against it. They could
| have made it right for practically no cost to them, but they
| chose the dick move, and they were forced to pay out in the end
| anyway.
| aianus wrote:
| They don't want to give these powers to a large number of
| customer service reps who can be bribed or coerced or socially
| engineered into transferring accounts to bad guys.
|
| Look what happened to the mobile carriers and sim-jacking.
| duskwuff wrote:
| > Surely it's easy enough to define some kind of verification
| process based on various pieces -- phone number, credit card,
| purchase receipt, etc. -- and requiring a police report to be
| filed or something.
|
| Apple has such a process in place:
| https://support.apple.com/en-us/118574 (The details aren't all
| laid out on that web page, but Apple support may ask for
| information like purchase records to confirm ownership.)
|
| What I think is at issue here is that it will only _restore
| access_ to an account which is not currently being accessed. If
| an account is being accessed from a logged-in device, Apple is
| reluctant to deny the current user access to that account and
| restore it to another party.
|
| And, quite honestly, I can see where Apple is coming from with
| this policy. Arbitrating access to a contested account can get
| really messy (e.g. consider a scenario where an abusive partner
| is trying to access the victim's online accounts).
| crote wrote:
| I think you're jumping the gun here.
|
| An account is supposed to belong to a single person. If you
| are able to definitively prove that you are that person (for
| example, by showing up to an Apple store with your ID card),
| you should be able to restore access to it. An abusive
| partner won't have access to that.
|
| Refusing restoration when someone else has access to it is
| understandable, but it works the other way around as well: an
| abusive partner would be able to prevent the legitimate owner
| from accessing the account.
|
| I think it's far more likely that Apple just _can't be
| bothered_. Dealing with stuff like this is messy and
| complicated, and they aren't going to lose any revenue from
| those few thousand people a year losing their account and all
| their data.
| JumpCrisscross wrote:
| > _Surely it's easy enough to define some kind of verification
| process based on various pieces -- phone number, credit card,
| purchase receipt, etc. -- and requiring a police report to be
| filed or something_
|
| Given the stakes, Cupertino may have decided that it does not
| wish to arbiter such disputes. Requiring a court order shifts
| the dispute to that forum.
| wmf wrote:
| Will Apple obey court orders? Have they ever?
| alabastervlog wrote:
| It took me a minute to figure out how this works, but it must
| have something to do with using a "lost password" email reset on
| the iCloud account, and having the relevant email account logged
| in (or saved to the password manager) on the phone itself, so
| that all you need is the passcode to get into the iCloud account.
| Something like that?
| JKCalhoun wrote:
| I still can't figure it out.
|
| My daughter had her iPhone stolen in L.A. -- she immediately
| wiped it remotely. The thieves were unable to access it.
|
| I got her a new iPhone pretty fast (the budget one) and she was
| back in business, back in her iCloud account. (She was one of
| those that saw her device head to Asia. She got a handful of
| text messages pleading with her to remove the stolen device
| from her account but she ignored them.)
| alabastervlog wrote:
| Yeah, that's why I'm having to think at it some to figure out
| what's going on here. Usually I need my iCloud password to do
| anything related to that account, so I guess they're using
| some kind of iCloud password reset bypass that relies on the
| phone having access to necessary reset-related accounts (like
| email--though, IDK, I don't think I've ever tried to "lost
| password" reset my iCloud account, so I'm not sure if even
| that's enough)
| wmf wrote:
| You got lucky with dumb thieves.
| Mystery-Machine wrote:
| > she immediately wiped it remotely
|
| > She was one of those that saw her device head to Asia
|
| What, the guy just jumped into the Pacific and started
| swimming?
| justjonathan wrote:
| I believe "She" here refers to the original owner (the
| victim). Apple offers a feature to remotely wipe your
| device if lost, and that was what I understood the owner to
| have done. I've done the same thing for a stolen iPhone.
| tonyedgecombe wrote:
| Presumably they will need mail notifications enabled on the
| Lock Screen as well.
| alabastervlog wrote:
| The described attack in TFA seems to involve learning the
| phone owner's passcode (for the phone), so no lock screen
| shenanigans needed.
| crazygringo wrote:
| Yup, I'm guessing that's it:
|
| https://support.apple.com/en-us/102656
|
| This article seems to make it pretty clear that having a
| passcode on a signed-in device is enough to reset the password.
| XorNot wrote:
| That seems like an insane security hole really.
|
| One of the big distinctions I make in my life is whether a
| passcode is being typed in frequently and in view of the
| public. And since these are shorter codes, the entity on
| guessing from a distance is much lower.
| crote wrote:
| The even more insane security hole is allowing someone with
| physical access and the password to permanently lock out
| all recovery options.
| tacker2000 wrote:
| Why should Apple open this can of worms and give users access to
| locked out data. How would this process even work on a larger
| scale?
|
| In the end if you don't back up your data locally, then it's not
| your data and you risk losing it.
|
| If your business shuts down because you lost your phone it's your
| own fault for not mitigating this type of risk enough.
| mingus88 wrote:
| Have you ever tried to fully backup data from iCloud?
|
| I try to do it every month because I am that type of techie.
| They don't make it easy.
|
| For photos, I have a 2TB family plan. There is no export
| functionality I can centrally backup my family's photos and
| shared albums
|
| The supported way to do this is to use a Mac, force it to store
| all images locally in settings, then highlight all your albums
| and File->export
|
| This takes hours. I need to stay connected to my network drive
| because I don't have 4TB of local storage on my laptop. If
| there is a failure it's game over. You can't resume or even
| know what failed. There is a tiny progress bar icon to work
| with. That's all
|
| iCloud Drive? Same thing. You need to force it to sync all your
| files, and there is no way to know if it's hung or what. You
| can't do this as family account owner for everyone.
|
| What about all that app data that is saved to iCloud? I don't
| even know how to access that to back it up.
|
| Apple makes many things very easy and other things practically
| impossible.
|
| Backing up your entire iCloud data for disaster recovery is one
| of those things that's basically impossible.
| deadbabe wrote:
| This isn't that hard, you can just automate this with a
| script and cron job running on a cheap Mac mini.
| monster_truck wrote:
| I've found it much easier to request a copy of my data and
| download it all in 25gb chunks. It's still not great, the
| download speeds are extremely slow and they are prone to
| failure. For being something that I (used to) pay for, this
| was one of the reasons I stopped.
| lelandbatey wrote:
| The data isn't full E2E encrypted and unreachable in all these
| cases in the article. The iCloud default is not to encrypt
| things such that Apple can't decrypt the data; a user has to
| enable "Advanced Data Protection" for that to happen.
|
| Apple could decrypt and return all the user data in all the
| cases in the article. They aren't doing that. Some folks are
| rightly pointing out "what is the point of storing all my stuff
| in your cloud if you're going to lock me out if I lose my
| phone?" That's not a backup, that's just paying a monthly fee
| to store more than what your phone alone can store.
| JCattheATM wrote:
| Not exactly helpful, but I have little sympathy for people who
| put their digital lives in the control of a free service from a
| company, that, frankly, doesn't care about you at all -
| 'consumers are the product', etc etc.
| voidspark wrote:
| It's not a free service. One of them had a 2TB+ iCloud account.
| That has a monthly cost. Not free. The free plan only gives you
| 5GB storage. Apple is not an advertising company. We pay for
| the phone and we pay for iCloud.
| ddtaylor wrote:
| You pay to rent the phone I'm pretty sure.
| voidspark wrote:
| I don't know what you are talking about. You can buy an
| iPhone. They sell 200 million iPhones every year. Just go
| to the shop and buy one.
| betimsl wrote:
| Apple's encryption is designed with end-to-end encryption for
| many types of data.
|
| Some facts: Only the user's devices hold the
| keys to decrypt the data. Apple cannot decrypt it,
| even if served a subpoena.
|
| Apple chose privacy over convenience. Sue all you want, you're
| going to lose.
| lelandbatey wrote:
| Read the article, that's not true by default, the only way you
| get that level of cryptographic protection is if you enable
| "Advanced Data Protection". None of the people in the article
| did that, all of them can trivially prove they are who they say
| they are via government documents, Apple could decrypt their
| data and return it, but Apple is refusing to do so.
| lxgr wrote:
| Then delete that data and let the user start over. How come
| Apple gets to hold iTunes purchases (apps, movies etc.) and
| somebody's email address hostage just because they also happen
| to store some end-to-end encrypted data on the same cloud
| account?
|
| Just imagine Google letting people "brick" their accounts
| because they have a password protected PDF in their Google
| Drive they don't remember the password for...
|
| And that's to say nothing about the _not_ end-to-end encrypted
| data, which is still the default for most things in iCloud
| accounts (without ADP enabled).
| anonym29 wrote:
| Trust the megacorporations.
|
| Trust your government.
|
| _"It works well for everyone else, why are you being so weird
| by not doing what everyone else does?"_
|
| Grant the megacorporations control over your entire life.
|
| Your government will protect you from the megacorporations.
|
| _"Self hosting? Open source? Linux? You're weird, just get an
| iPhone."_
|
| The megacorporations never make mistakes.
|
| The government never makes mistakes either.
|
| _"What's wrong with you? Are you seriously too poor to afford
| an iPhone? Get a blue bubble already."_
|
| The megacorporations never lie to you, they never manipulate you.
|
| Even if they tried, your trustworthy government would stop them.
|
| This message brought to you by social conformity norms that are
| most certainly _NOT_ subtly reinforced by the same billionaires
| and trillion dollar companies that benefit from them.
|
| /s
| encom wrote:
| Social Credit Score++
___________________________________________________________________
(page generated 2025-04-21 23:02 UTC)