Apple Responds to Report About Thieves Permanently Locking Out iPhone Users

The Wall Street Journal's Nicole Nguyen and Joanna Stern today published a report highlighting how thieves can use Apple's optional recovery key security option to permanently lock out iPhone users from their Apple ID account.

iphone passcode green
As the journalists first revealed in February, there have been increasing instances of thieves spying on an iPhone user's passcode in public and then stealing the device in order to gain widespread access to the device and its contents, including financial apps. All of the victims interviewed in the initial report said their iPhones were stolen while they were out socializing at bars and other public places at night.

With knowledge of the iPhone's passcode, a thief can easily reset the victim's Apple ID password in the Settings app, even if Face ID or Touch ID is enabled. Subsequently, the thief can turn off Find My iPhone on the device, preventing the owner of the device from tracking its location or remotely erasing the device via iCloud.

Today's report places more focus on an additional step that thieves can take: using the stolen device to set or reset a recovery key, a randomly generated 28-character code that is required to regain access to an Apple ID once enabled.

"Apple's policy gives users virtually no way back into their accounts without that recovery key," the report states. With unmitigated access to a stolen iPhone, the device's passcode, and the Apple ID password, thieves can steal money via Apple Pay and potentially other banking apps, view sensitive information like photos and emails, and more.

Apple's website does warn that losing access to both your trusted devices and recovery key means that "you could be locked out of your account permanently." In this scenario, however, thieves spying on iPhone passcodes before stealing the devices means that victims only need to lose their device in order to potentially be permanently locked out. The report serves as a valuable reminder to protect your iPhone's passcode in public.

For more details, read our previous coverage.

Apple Responds

In a statement shared in response to the report, Apple said it is "always investigating additional protections against emerging threats like this one."

"We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare," an Apple spokesperson told The Wall Street Journal. "We work tirelessly every day to protect our users' accounts and data, and are always investigating additional protections against emerging threats like this one."

How to Stay Protected

iPhone users should use Face ID or Touch ID as much as possible when in public to prevent thieves from spying on their passcode. In situations where entering the passcode is necessary, users can hold their hands over their screen to hide passcode entry.

The report also recommends that users switch from a four-digit passcode to an alphanumeric passcode, which would be more difficult for thieves to spy on. This can be done in the Settings app under Face ID & Passcode → Change Passcode.

To protect a bank account, consider storing the password in a password manager that does not involve the device's passcode, such as 1Password.

Users can enable Screen Time parental controls to further lock down their device, the report adds.

Top Rated Comments

cgs1xx Avatar
6 weeks ago
So, Apple’s response was “aahh… sympathies” ?
Score: 27 Votes (Like | Disagree)
bunty Avatar
6 weeks ago
So we're gonna have our 989 post conversation all over again?

The point is the passcode to unlock an iPhone can also be used to access or recover anything that asks for your Apple ID password...if you forget or pretend to forget your Apple ID password. Try it. It's all covered in the other conversation thread.

The screentime passcode can be circumvented easily.
Score: 27 Votes (Like | Disagree)
brandoman Avatar
6 weeks ago
All one has to do is turn on Screen Time > Content & Privacy Restrictions > Passcode Changes > Don't Allow. Be sure to use a different passcode for Screen Time.

Oh, and Account Changes (Don't Allow). Thanks for that tip @ypl.

Score: 23 Votes (Like | Disagree)
RamGuy Avatar
6 weeks ago
Is this even the case anymore? When I try to disable Find My, I'm prompted for my Apple ID password, not my passcode. Same if I try to log out of iCloud, this requires me to disable Find My as a part of the process prompting me t verify with my password, not my passcode.

All of this is common sense. You can't expect a 4-digit passcode to be all that secure. If you feel paranoid, use an alphanumeric passcode, aka password, instead.
Score: 21 Votes (Like | Disagree)
ELman Avatar
6 weeks ago
Essentially, be responsible for the device you own. It's not our issue.
Score: 20 Votes (Like | Disagree)
zorinlynx Avatar
6 weeks ago
This would be less of an issue if iOS didn't randomly fail to FaceID and ask for a passcode, often at the least convenient time.

I wish Apple would get this resolved.
Score: 19 Votes (Like | Disagree)

Popular Stories

Google Assistant

Google I/O 2016: Assistant, Home, Allo, Duo, Android N, and More

Wednesday May 18, 2016 11:51 am PDT by
Google hosted its annual I/O developers keynote at the Shoreline Amphitheatre in Mountain View, California today, announcing multiple new products and services related to Android, search, messaging, home automation, and more. Google Assistant Google Assistant is described as a "conversational assistant" that builds upon Google Now based on two-way dialog. The tool can be used, for example,...