Apple downplays loophole that makes it easy to change the passcode on the iPhone

A little over a year ago, following a report from one of our readers, we wrote about a loophole in iOS that allows the Apple ID password to be changed with nothing more than the iPhone unlock code, which, according to Apple itself, facilitates account recovery for those who have forgotten their credentials.

At the time, this writer treated the problem as an extra concern in countries like Brazil, which has high crime rates; after all, anyone around here is easily exposed to the possibility of being coerced by force to hand over their device and reveal the access code to criminals.

Discreet but effective performance

A report published today by The Wall Street Journal, however, shows that the loophole has been causing a lot of damage in developed countries as well, such as the USA, where we know a large number of iPhones are in use.

However, despite the newspaper reporting the existence of cases of people who were attacked and/or intimidated into handing over the device with the access code — as happened to our reader —, the mode of operation of criminals there seems to be more resourceful and less violent.

Reports abound of people being robbed while socializing in bars by people they’ve just met. That happens after such criminals discover the iPhone access code of their potential victims, which can happen in the most varied and “creative” ways we can imagine.

One of the most common approaches is for criminals (who sometimes act in pairs or even threes) to make friends with victims and ask them to open Snapchat or some other social network, which allows them to carefully observe the moment the device is unlocked and memorize the code.

As there are many smartphone owners using biometric methods (Face ID or Touch ID), another strategy used by these criminals is to borrow the device to take a picture and subtly restart it before returning it. This is a way to force the potential victim to enter the unlock code, as the system asks for it every time the iPhone restarts.

The thing seems to be so institutionalized that a gang of 12 people was captured in the state of Minnesota after robbing 40 victims and profiting almost US$ 300,000 just with the scheme of silent attacks in bars!

Unprecedented damage

Once the theft is completed and the device’s Apple ID password is changed, the first steps taken by these criminals are usually actions such as removing devices from the Find My network and removing other devices associated with the account, as well as trusted numbers and even physical security keys configured by users.

They can also generate a recovery key if the user has not configured it — which prevents victims from being able to use Apple account recovery to gain access to it once more. With this feature enabled, not even the company can help victims access their contacts, photos and other data stored in iCloud if they no longer have access to the code.

But the actions aimed at preventing the account from being recovered are just the beginning, since the devices now allow criminals easy access to the victim’s bank details, the registration of new cards in Apple Pay and even the facilitated use of it if one or more cards are already registered.

Many of the criminals even requested Apple’s own credit card (the Apple Card) in the names of the victims. For this, they only needed the four digits of the device owner’s identity number. In many cases, they could easily find such data in images stored in the Photos app.

Live Text, a really useful feature that has been making Apple’s operating systems easier to use over the past few years, can also be a good ally for criminals, who can search the entire system by typing into Spotlight a simple keyword that refers to a certain document.

Banking applications that do not have alternative passwords and that use the iPhone’s own code as authentication in cases of failure in biometrics are also easy targets. Even these alternate passwords can be easily accessed if they are saved in iCloud Keychain.

Apple downplays the cases and defends the current system

With the breach also being noticed on American soil, Apple finally commented on the matter through a spokesperson – but did not point out any solution to the problem or give any indication that it intends to solve it in the near future.

Security researchers agree that the iPhone is the most secure consumer mobile device, and we work tirelessly every day to protect all of our users from new and emerging threats. We sympathize with users who have had this experience, and we take all attacks on our users very seriously, no matter how rare.

Stating that it will continue to advance protections that aim to help keep user accounts safe, the company said it believes that these crimes are unusual in that they require the theft of the device as well as the password.

According to Apple, changing the Apple ID password directly on the iPhone is covered, in a way, by two-factor authentication, since it requires both the physical device and the code to be carried out.

About that…

While Apple seems to look away from the problem, it continues to happen not only in the US but also in Brazil. In the post where we reported the loophole in the system, another reader used the comments field to report that he had his iPhone password changed shortly after the device was stolen.

According to Manoel, criminals gained full control over the device, which made it possible to access applications such as Nubank, PicPay and Mercado Pago, as well as carry out several transactions that caused a lot of “loss and headache”.

I had my iPhone 13 Pro stolen. They managed to change my password and disable Find My a few minutes after the theft — I believe using the feature reported in the post. […] This is a serious security breach that made it impossible for me to have a chance to track and/or lock and wipe my device data.

If you want to stay protected from this type of situation, in addition to the option to generate a recovery key (which is useful, but can also completely put your account at risk if you lose it), Screen Time, a feature of the iPhone itself, can be effective in preventing criminals from changing the Apple ID password.

With certain specific settings, you can prevent access to system features that allow you to change your account access code after a certain time of use of the device. At the time, we made a post explaining exactly how to configure it for this purpose.
