Friday, August 28, 2020

Can Thieves Crack 6-Digit iPhone Passcodes?

Henrique Prange:

So, how could the wrongdoers do all of that in less than 5 hours? After considering many options, the only reasonable explanation is they cracked the 6-digit passcode on the stolen iPhone using some kind of device like the GrayKey.

The passcode gave them access to the keychain. They searched for the iCloud credentials, disabled the Lost Mode, and turned off the Find My.

Via John Gruber:

I mention this in the wake of the aforelinked piece on Face ID vs. face masks because months ago, when I first started grocery shopping while wearing a mask, I switched my iPhone from an alphanumeric passphrase back to a 6-digit passcode for convenience. I did so thinking, basically, that even though a 6-digit passcode is less secure, anything truly dangerous like disabling Find My iPhone requires my iCloud password as well.

It simply never occurred to me that if a thief (or law enforcement, or any adversary) has the device passcode, and your iCloud password is in your keychain, they can get your iCloud password from your keychain. All you need is the device passcode to access all of the passwords in iCloud keychain.

I really hope this year’s iPhones have Touch ID.


7 Comments

Another reason to use a 3rd-party password manager like 1Password. If Face ID fails it requires you to input your password. It does not fall back to the PIN. And then you don’t have to store any passwords in iCloud Keychain.

The most reasonable explanation is that the thief observed the victim entering his PIN.

Biometrics used to eliminate that possibility. Before masks.

My sister's phone was also stolen recently. Soon after, her emergency contacts received phishing text messages claiming to be from Apple and that the iPhone had been found. The phishing sites were fake iCloud logins and fake PIN input fields.

I never considered that angle. I think Apple should allow calling the emergency contact without showing the number. Also, I have since removed a lot of dangerous information from my Medical ID.

I guess I need to check what passwords are stored in my keychain and delete anything related to my Apple accounts. (I no longer use Safari on my Mac, so that’s covered).

> Biometrics used to eliminate that possibility. Before masks.

Another reason to prefer Touch ID over Face ID. Sadly, Apple currently only offers Touch ID on the iPhone SE. Fortunately, the SE has got almost all of the capabilities of an iPhone 11, so it is a viable choice for someone who doesn't need a large screen or high-end camera.

> I switched my iPhone from an alphanumeric passphrase back to a 6-digit passcode for convenience

For grocery shopping with my shopping list app I am using "geführter Zugriff" (must be something like Guided Mode/Kiosk Mode): unlock the iPhone outside with the mask down, open the app, press the Wake/Sleep side button three times and give it a simple numeric code. The frontmost app stays unlocked until the code is entered again after the shopping. The long alphanumeric iPhone code stays in place.

Yeah, maybe that's the method I should switch to (so far, it's a mix of having severely reduced my password's security, and still having to awkwardly type it in multiple times in the store). You can even disable Touch altogether in Guided Access, to prevent accidental taps. Or just disable any UI outside the 'done' checkmarks in the shopping list app.

Guided Access is annoying, though, because you have to stay in one app. So, for example, when grocery shopping I can access my list in OmniFocus but can’t easily iMessage my wife or look up a recipe in a different app.
