After an iPhone theft in Europe earlier this year, I don't quite trust Apple's assurances with regard to stolen iPhones.
My phone was snatched from my hands in the street. I was able to wipe it via 'Find Devices' within a few minutes; I was able to track its location for the rest of the day, until I requested that my carrier irrevocably disable its network service. There was no evidence of any accesses of my information or accounts linked on the phone, then or since.
In the following days, it was still visible in my Apple device lists as mine, with reference information like its model and serial number – as it should have remained, indefinitely, to prevent anyone else from associating it with their accounts. (Until recently, I still had an iPhone 4 listed there that hasn't been turned on for many years.)
But sometime since then, it was removed from my Apple account – without my permission, and with no notification to me. This step would also apparently allow someone else to use the device with Apple services.
Apple Support insists only a person who authenticated to them as me could have done that, and that they have no records of when/how that happened – a policy that seems designed to help criminals cover their tracks, with no help to customers other than: "you should change your password".
Further, even if I provide the serial-number/IMEI with a police report, Apple says they can't determine if they've activated Apple services to that stolen property for someone else or provide me with any further help.
I thus suspect theft networks have figured a way around Apple's breezy assurances about locking-out stolen devices, perhaps similar to how they've often deeply pierced major telecom providers in order to carry out SIM-swap attacks.
But: if anyone on HN knows more about how the smartphone theft/fencing (chop shop?) operations typically work, or how Apple's systems do or don't protect against post-theft hijacking of registered Apple devices, I'd love to hear perspectives that either flesh-out, or refute, my impressions that Apple's related systems involve some false bluster & "security theater".
I got an iPhone from a relative, the relative had forgotten the passcode and the Apple ID password.
I did a factory reset of it via iTunes and of course when it started up and I started with the setup it said it was locked to *@*.com.
I contacted Apple support and they said I needed proof of purchase for them to unlock it.
I did not have any proof of purchase and neither did my relative.
But I refused to let that stop me. So I made a proof of purchase, printed it and went to an Apple store.
I told the Apple Genius about the iPhone and that it was locked but factory reset and presented the "proof of purchase".
The Apple Genius went to get a manager or something and the manager checked the "proof of purchase" and then connected the iPhone to the store Wi-Fi and did some stuff on their iPad and rebooted the iPhone. The iPhone did a reset and then it was unlocked and ready to be set up without any hurdles.
So I am guessing some thieves have figured this out.
> The Apple Genius went to get a manager or something and the manager checked the "proof of purchase" and then connected the iPhone to the store Wi-Fi and did some stuff on their iPad and rebooted the iPhone. The iPhone did a reset and then it was unlocked and ready to be set up without any hurdles.
The thieves figured out you just need to know (or be) an employee of any of the 500+ Apple stores. I assume that some theft rings have this process quite streamlined.
Makes sense. No theft deterrence is perfect, and your solution required a lot of investment of time and would not scale to a substantially large theft ring.
According to my friend at Apple, sometimes fairly low level employees have access to the internal system which can be used to dissociate devices from AppleIDs. I wouldn't be surprised if some of them were compromised, as the pay is not great.
What's more surprising is if they have no audit logs that would let them discover the compromised employee in these cases.
Against their own advice, the moment it is stolen you should erase it from Find My as a priority. Until that is done it can be used to authenticate with your iCloud account as an MFA device and can then be removed anyway if they get past the device lock. In that window the security posture is somewhat unknown. I'm sure there is a good market of off the shelf exploits which can leverage that in some way, despite Apple's excellent general efforts on this front so far.
The key thing is to protect your data first and that means wiping it remotely. Leave it attached to your iCloud account device list though because that'll leave the provisioning / device lock in place. I'm sure they have a way around that now but it'll make it more difficult and devalue it for the thief at least.
A good example of why I try to keep anything I consider really important out of iCloud entirely! (That's quite hard with Apple's various dark patterns to boost iCloud usage & lock-in.)
But yes - it looks to me like dishonest actors managed to get the device out of my "iCloud account device list" without my permission, and thus evade the "provisioning / device lock".
I'm unable to factory reset my own iPhone as it's linked to a friend's Apple account. I know the passcode. Apple are unwilling to do this for me unless I show proof of purchase (which I don't have as it was many years ago).
Pretty high bar, so assuming must be inside job.
Per another reply's report, you can just forge a plausible-looking plain-piece-of-paper "proof of purchase" – y'know, how crooks might have done so 100 years ago, with some predigital printing supplies.
Show that to the right Apple employee, you should be good to go.
That seems like a very big deal if true. Very interested too if someone has more information. I could imagine they may be able to reuse the phone by changing parts, but how would that remove it from your Apple account?
From the reports in this thread, it seems that front-line Apple employees presented with a reasonable-looking (even if forged) "proof of purchase" can re-enable a device registered to another person's account. Perhaps, that yanks it from the previously-registered account.
That's my best guess as to what happened here.
The alternative, that the thieves fully compromised my account via obtaining my Apple password and circumventing the various secondary checks via my other devices, seems very unlikely to me.
There's been no evidence of unintended account accesses – like the confirmation challenges that pop-up on other devices. Unfortunately, Apple seems to lack the user-reviewable log of all authentication events that others like Google offer.
The sorts of compromises that would have revealed my password – like a keylogger on one of my primary Apple devices – should've shown up as other attacks on targets of more value than a single street-snatched several-years-old iPhone.
I'm going to add to this: a long time ago my MacBook was stolen when I was on holiday. I did all the things you mentioned. Once I got back home I called Apple Support and they said "your warranty with us is over (it was 2 days lapsing from my travel) and to help you, you're going to need to buy AppleCare again". Disgusting.
Great news, I was pretty shocked that the original flaw still existed. Getting your phone stolen is annoying but the worst case is you buy a new phone, but thieves being able to take over your digital life is potentially catastrophic.
Hopefully this works well, I assume third party apps such as banking will be able to opt in to the additional protection (not sure if this is strictly required actually, I checked my banking app and if Face ID fails you have to enter the banking PIN, you can’t enter the device PIN).
Is there a way to lock individual apps so they require Face ID even if they weren’t designed to? A smart thief having access to the Gmail app for example, if the phone was unlocked when stolen, could wreak havoc.
What I really wish apple had is the ability to have multiple passcodes with different behavior.
Something like one passcode for ordinary phone use, one that would immediately and covertly send an emergency text to your family with your current location, one that would instantly wipe the device and one that would give you access to the hidden gay dating app you don't want people to know about.
The problem is that Apple engineers and PMs are not used to living in third-world countries, where your life is way less important than your phone. When you don't have to face that kind of challenge daily, it is difficult to think of such a solution without people mocking you for being paranoid.
I understand, and they are not wrong for not thinking through all the brutal scenarios that real life likes to play out. But I believe that engineering teams that have a security focus should have at least some consultant from areas where violence is normal.
So, effectively, all scenarios they think about are normal theft: forgetting the phone somewhere, or someone snatching the phone from you. They never think about someone sticking a gun to your face and forcing you to unlock the phone so they can run away on a motorcycle, while depleting your accounts. A distress code could be extremely helpful for bank institutions to flag every transaction post-distress. And locking your digital accounts (iCloud, DropBox, etc.)
Absolutely, the idea of "coercion codes"/"distress codes" or the like goes back a very long time, long before electronic devices even, it's a pretty natural idea that someone could use different canned expressions to code for different responses that attackers wouldn't be able to distinguish. All the core aspects are in place on iOS to do a system both user friendly and quite powerful around that, and years and years later it remains too bad that's hard. In fact in a touch of irony it was at one point quite feasible and pleasant to do with a jailbroken iPhone and Touch ID. The Touch ID system actually distinguished between the various registered fingers (up to five), which in turn meant you could use fingers themselves to trigger other behavior. So "unlock with either index finger" could be "normal", but "unlock with thumb" or middle finger could then run scripts of your choosing in the background.
It would be a real boon if Apple themselves did it, incorporating not just codes or biometrics even but also arbitrary information from phone sensors if advanced users wanted. So for example you could explicitly set a few geofences and say that certain actions could only be done within them (and only at certain times of day even), or certain apps viewed at all (by literally keeping the encryption keys for them locked away unless all conditions were met). If it's not even possible for you to comply when traveling in the first place and that's widely known and transparent it reduces the value in trying to coerce you.
Such a system could also be useful outside of security fwiw, just in ordering our lives. Someone finding distraction hard could lock all their games and social media apps in a view accessible only at home and forbid any app store purchases as an aid in avoiding temptation. Anti-engagement instead of trying to get more engagement.
Related: Set up screen time, and disable password changes and account changes, and set a (different to your regular passcode) screen time passcode. Then you have a separate passcode that keeps sensitive account changes locked.
Account changes doesn't lock changes to your Apple ID for example, it's just about email accounts and pass keychain. Passcode change is not useful, why would a thief do it anyway...
This is a good development. Making phone theft less appealing is a good thing, and locking away precious personal data and accounts if it does still happen is great. It’s an ordeal to face against thieves to change any login information they could find looking through the data on a phone. I hope this will be secure and work as advertised.
When the screen time settings are protected by a separate Apple ID with a separate phone number registered for 2FA (obviously the SIM card or eSIM shouldn’t be on the same phone), this works. In this situation you need access to that second account’s SIM card (which can be locked with a PIN) to remove the lock.
Keep in mind afaict this is the situation with 2nd account having Rescue Code enabled. Things might be different if it’s not.
Email me for how to actually restrict yourself with iOS Screen Time (without 3rd party apps) in a way which you really-really can’t bypass when you feel down. Disclaimer: Not an Apple employee, but a former smartphone addict, ahem, I’m sorry, user.[1]
1: I believe all smartphone users are addicts as much as the rest of their lives allows it, without the use of hard restrictions.
Are you sure? According to Apple [0] it requires your Apple ID password. Also, I can't reproduce this on my iOS device: it's locked by a timer which increases exponentially.
This is fantastic to see, although bitter-sweet considering I just had my phone and Apple ID stolen in August. I suspect the thief was watching as I unlocked my phone and got the passcode that way, although I was drugged and have amnesia (worst Tinder date ever) so it's possible I unlocked the phone for her.
However they got the passcode, it was enough to immediately change the 'trusted phone number' with Apple and lock me out of my account. Even after hours on the phone with Apple Support explaining the situation and offering to provide a police report and any documentation they wanted to verify my identity, they weren't able/willing to help me without that phone number. There have been numerous hassles to moving to a new Apple ID, including having to provide proof-of-purchase for all my other Apple devices to get them unlinked from the stolen account. But the worst by far was losing years' worth of photos, which I foolishly trusted to be stored safe in iCloud and are now locked away from me and available to criminals.
This is a step in the right direction but I'd love for Apple to improve their policies around proving ownership of a stolen account. Even with this new protection, if you're ever robbed at gunpoint or coerced while drugged, your Apple ID can be taken and there's no path (that I've been able to find) to recover it.
This was in Mexico City. I've traveled there many times and generally feel very safe, but learned a valuable lesson in being overly trusting of new people.
I'm thankful to be alive, since I don't know what drug I was given and how much. And fortunately she left my passport so I was able to get home. But what a mess, I really can't recommend it.
Also sounds like something doable by compromised Apple insiders. :/
https://news.ycombinator.com/item?id=34936015
Now it seems like thieves would not be able to immediately unlink a phone from Find My if they have the passcode, because of the security delay
In screentime you can set a different code, so when anyone else can access your phone, they can’t change the code and lock you out of your phone.
If you get the screen time password wrong a few times it will let you put the device passcode in.
[0]: https://support.apple.com/en-gb/102677