Sunday, June 3, 2018

Apple vs. My Daughter’s iPad

Erica Sadun (tweet):

The other day, Apple locked her out of her iCloud account and her iPad. We don’t know why. The Apple support people don’t know why. I think it may have to do with when I modernized my AppleID to use an email address, which is what the iTunes account on the iPad is registered to.

My daughter knows her account name. She knows her password. She did not forget either one. She did not lose her device. She did not do anything to trigger the Apple ID issue. The only thing we know is that it happened at roughly the same time the ApplePay person told me to update my AppleID.

[…]

Despite the fact that she owns the iPad, has the physical iPad, knows her id, and knows her password, there is no way for her to ever use the iPad again because we do not have a receipt for the iPad, nor does the kind gentleman who gave her the iPad. The Apple Store does not provide access to records from that far back, roughly 7 years ago.

Erica Sadun:

Our device was not stolen. My daughter did not enter bad passcodes or wrong passwords. There was no reason that the lockdown should have happened and no way for Apple Support to explain why it did happen. If it could happen to us, it can happen to anyone and potentially at any time.

That my daughter had forgotten her security recovery information, too, led to a much broader issue. She was young, foolish, and feels sorry for her choices. At the very least, she should have changed her email when the provider shut down its services. But having an outdated email and no memory of security questions isn’t limited to her specific situation.

Previously: iPad Erased By Too Many Failed Passcode Entries, If iPads Were Meant for Kids.

8 Comments

welcome to the future. you don't really own your device. if you opt into icloud, then even less so. don't trust your life and data to a corporation. in my experience, even after people learn a lesson like this, they jump right back in. it's like Stockholm syndrome. ;(

Does that mean, my iCloud data could be locked even if I knew my password and ID? Wait a min...... that doesn't sound right.

@Ed Yes, Sadun says that the iCloud account and its data are locked, so it’s inaccessible even though she knows the password. That’s why I applied the Datacide tag.

I hit a similar bug with my iPad. It suddenly insisted I change my iCloud password and thus disabled any service attached to my account. The iPad itself remained usable-ish (it didn’t lock outright). If I hadn’t had access to my iCloud account on my Windows computer, I’m not sure what I would have done.

My guess is that having a short password with no two factor enabled leads to repeated failed account access by someone using brute force password guessing against the API. Beyond a certain threshold, that might trigger a reset or lockout. But why wouldn’t you prioritize the person holding the device? Some kind of spoofing attack, where Apple’s servers are tricked to think Apple hardware is connecting?

The more I think about it, the weirder it gets. It feels like there’s a security vulnerability here somewhere.

Also, I rediscovered why I picked a short but random password. I had to re-enter my new, very very long, very high entropy password two or more times per service. (Settings, iMessage, App Store, something else, the Windows iCloud client, and I gave up when I got to my apple tv.)

Going forward, I plan on using only one iCloud account per device, (and making extensive use of family sharing) not using an iCloud email account, syncing my personal data to my laptop regularly, not using Apple’s document silos (pages, numbers, safari bookmarks), making sure I have alternative contact methods for folks I iMessage with, figuring out how to keep my photos safely synced outside of iCloud, and looking for alternatives for various Apple services.
Oh, and the calculus for fully paid vs subscription services flips, because I don’t want to buy an expensive app that I can get locked out of.

I had seen for a long time the risks of going with all-google services and accidentally getting locked out of everything due to a problem with one part. It had never occurred to me how dependent I had become on Apple not locking me out of my stuff.

@Michael Tsai I am not sure if my reading comprehension is right, assuming someone is paying their iCloud via Top Up Card, which a lot of friends do as that is what I recommend them, they have no credit card and hence no Credit card record to prove who they are, and are asked to change password for obscure reason (which has happened multiple times already and I told them to ignore it, because 99% of the time they will forget their newer password),

Their iCloud account "may" get locked and their data, their Photos!, their son / daughter, child, dad, family members that may be long gone, memories, are forever locked into iCloud?

I don't care about the $300 bloody iPad working or not. But I would be furious if that happens to any of my friends. I did recommend them to use iCloud to avoid all the hassle. And now it seems the risk is far greater than imagined. On a NAS, or computer backup, we could pay to recover data if the HDD is corrupted. Money solves that problem. But paying for iCloud risks a lot more for the convenience.

Saying they can’t use the iPad again isn’t accurate, iirc. You can find the incantation to do a clean install with hardware buttons or some routine using iTunes. Can’t recall which (I think the latter), but I’ve done it to an iPhone 5.

The problem here is the iCloud account. If there’s anything in there worth keeping, it’s probably gone.

I’ve heard of google closing down access to an account after finding out a user is under 13, which includes gmail. Stinks, but welcome to cloud services. Possession is... etc.

In my experience, when an iPad gets locked due to security reasons (such as it being flagged as stolen, even if it isn't), there is NO way to reset it if you don't have the original iCloud credentials (or they have been invalidated) that the iPad is set up with and locked to. I couldn't believe it when this happened to a friend's iPad... I thought surely an erase and factory reset would do it, but part of the setup process requires the iPad to phone home to Apple, and when it does that, boom! The iPad is locked down again if you can't log in to the iCloud account that the iPad is tied to. There is no way to bypass this. The iPad will not work until it phones home to Apple and iCloud account is verified.

I wanted to be happy there's such great security, but if Apple can't prove it's stolen, then frankly it seems like they are the ones stealing from the customer. What's the alternative now? Buy another iPad? Pretty good for Apple's bottom line. I'd prefer to just buy a tablet from a different company, but I think people become wedded to brands....
