Monday, February 27, 2023

Changing Apple ID Password Using Only a Device and Passcode

Joanna Stern and Nicole Nguyen (tweet, Hacker News, MacRumors):

Using a remarkably low-tech trick, thieves watch iPhone owners tap their passcodes, then steal their targets’ phones—and their digital lives.

[…]

With only the iPhone and its passcode, an interloper can within seconds change the password associated with the iPhone owner’s Apple ID. This would lock the victim out of their account, which includes anything stored in iCloud. The thief can also often loot the phone’s financial apps since the passcode can unlock access to all the device’s stored passwords.

[…]

They don’t necessarily account for the fog of a late-night bar scene full of young people, where predators befriend their victims and maneuver them into revealing their passcodes. Once thieves possess both passcode and phone, they can exploit a feature Apple intentionally designed as a convenience: allowing forgetful customers to use their passcode to reset the Apple account password.

[…]

A similar vulnerability exists in Google’s Android mobile operating system. However, the higher resale value of iPhones makes them a far more common target, according to law-enforcement officials.

Of course, once they have access to the Apple ID, they can just turn off Activation Lock.

Apple recently introduced the ability to use hardware security keys, little USB dongles, to protect the Apple ID. In the Journal’s testing, security keys didn’t prevent account changes using only the passcode, and the passcode could even be used to remove security keys from the account.

[…]

Apps such as Apple Photos, iCloud Drive and Google Drive now offer the ability to search text within images and documents. In the Journal’s tests, a search in the Apple Photos app for “SSN” (Social Security number) and “TIN” (taxpayer identification number) immediately produced a photo of a 1099 tax form with Social Security information that had been stored on the phone.

Joe Rossignol:

I’ve been reporting on Apple for over a decade and I didn’t know or long forgot that you can reset an Apple ID password on an iPhone by simply entering the four-digit passcode – no other steps required!

I’ve always seen the iPhone passcode as a weak point, but I had incorrectly assumed I could protect myself by not putting my Apple ID password into the Apple password manager. I had no idea that the device itself would be treated as verification for the purposes of resetting the password.

I’ve also considered whether it makes sense to have my Apple ID use an e-mail account that’s not configured on the iPhone, so that it wouldn’t be so easy to reset the password and then just read the verification e-mail. However, this is tricky because it seems like, if I’ve enabled iCloud Keychain, the Mac will upload my e-mail passwords to the cloud, anyway. I already exclude my key financial passwords from Apple Passwords, but I need my mail passwords to be in the keychain to be able to use Mail. Is there a way to mark certain passwords as not syncable?

Update (2023-02-27): Jeff Johnson:

I’ve heard, but not verified, that Emergency Reset can bypass Screen Time and still change your Apple ID password.

See also: Dave Mark and Adam Engst.

Update (2023-03-01): See also: The Talk Show.

Update (2023-03-02): It turns out that the ability to reset Apple ID passwords using only an iPhone and passcode was added way back in iOS 11. I blogged about it but at the time was more concerned about the related change to iTunes backups.

Gruber and Arment say that the passcode can always be used as a fallback if Face ID fails, that it’s the master key for everything. This is true for system stuff, but third-party apps have a choice. Apps with sensitive data such as banking apps and password managers can choose to only allow access via biometrics. If Face ID fails, you have to enter the app-specific password. I tested this, and it works correctly, which is great. You can reset Face ID using only the passcode, but that does not give you access to the app data formerly protected via Face ID.

But it seems like there’s a loophole. I was able to add an alternate Face ID appearance using only my passcode (while covering the sensor with my finger). So someone with your phone and your passcode could add their own face to Face ID and then use that to get into your password manager. It seems like you can prevent this by adding yourself as an alternate appearance. Then future Face ID changes would require a reset.

Gruber also notes that if someone takes over your Apple ID account in this way you can lose your data if you’re using end-to-end encryption. Even if you’ve saved the recovery keys or have a recovery contact, those can be revoked by whoever controls your account. Then neither you nor Apple can decrypt the data on their servers. Other devices signed into your Apple ID can also be kicked off, though perhaps they retain caches of some of the data.

Update (2023-03-03): Dave:

If someone steals your iPhone’s passcode and adds an alternate appearance to Face ID on your iPhone, Face ID will be automatically disabled for 1Password and you will be required to enter your account password to re-enable Face ID the next time that you try to unlock the app.

Bank of America handled that the same way for me, but PasswordWallet did not require my password again. Since it seems like the behavior is app-specific, I still think it’s a good idea to configure your own alternate appearance.
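Whether a third-party app keeps working after someone adds an alternate Face ID appearance (the loophole in the 2023-03-02 update) or forces its own password again (the 1Password behavior Dave describes) comes down to which Keychain access-control flag the app stores its secret with. This is an added Swift example, not code from the post or from any app it names; the service and account names are hypothetical.

```swift
import Foundation
import Security
import LocalAuthentication
// Added example, not code from the post or from any app it names.
// Service/account names are hypothetical.
let service = "com.example.vault"
let account = "vault-unlock-key"

/// Stores `secret` so it can only be read after a biometric match.
/// `.biometryAny` keeps working after a new face or finger is enrolled
/// (the loophole in the post); `.biometryCurrentSet` binds the item to the
/// biometrics enrolled right now, so adding an alternate appearance
/// invalidates it and the app must fall back to its own password.
func storeBiometricSecret(_ secret: Data, currentSetOnly: Bool) -> OSStatus {
    let flags: SecAccessControlCreateFlags = currentSetOnly ? .biometryCurrentSet : .biometryAny
    var error: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, flags, &error) else {
        return errSecParam
    }
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(base as CFDictionary) // replace any previous item
    var add = base
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil)
}

/// Reads the secret back after Face ID / Touch ID. Returns nil when the item
/// is missing or, for a `.biometryCurrentSet` item, when enrollment changed
/// since it was stored (assumption: the Keychain then reports errSecItemNotFound).
/// Treat nil as "ask for the app password, then re-store", not as a retry.
func readBiometricSecret(reason: String) -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return status == errSecSuccess ? result as? Data : nil
}
```

An app that uses `.biometryAny` (or gates only on a successful `LAContext` evaluation without a Keychain-bound secret) lets a newly enrolled face in; binding the secret to the current set is what makes the enrollment change visible to the app.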

Update (2023-03-14): multigreg (via Accidental Tech Podcast):

I set Screen Time restrictions with a passcode, without the option to remove it using AppleID (tapping ‘Cancel’ & ‘Skip’).

When I try the ‘Forgot passcode’ link, it still guides me through the options to enter my AppleID or device password, or find a forgotten AppleID.

I have been using an alphanumeric long password on my phone for years now.

After reading the article, I set up a screen time restriction on account changes. However, users on Reddit have since pointed out the restriction is easily bypassed. Removing the screen time passcode will prompt you for the phone passcode if you do not know your AppleID password.

This isn’t new. I wrote about this back in August 2020, after there was a story about someone whose iPhone was stolen and his password was reset. I recommended using a much stronger passcode: either more than six digits, or an alphanumeric passcode.

https://www.intego.com/mac-security-blog/if-hackers-crack-a-six-digit-iphone-passcode-they-can-get-all-your-passwords/

@Kirk As far as I can tell, your article did not mention that the Apple ID password can be reset even if it isn’t stored in iCloud Keychain. That’s the part that I think was not widely known. [Update (2023-03-02): But I guess it actually dates back to iOS 11 in 2017!]

The ability to reset the Apple ID password just using an Apple device's passcode or password was introduced in iOS 13 and macOS Catalina.

This came to my attention first during a MacBreak Weekly episode if I recall correctly but I couldn't find the episode.

Here's an article published by Business Insider back in June 2020: https://www.businessinsider.com/guides/tech/how-to-change-apple-id-password

FaceID is weird too -- as a test scenario, I've noticed that in situations where it can't authenticate my face even after multiple attempts, if I then enter my passcode, lock the phone, and then try FaceID again (without moving the phone or my face or anything else) it will unlock immediately. Almost as if it's thinking "the passcode was verified within the last N minutes, so the next time FaceID tries to authenticate, use fewer face matching points" or something... whatever it is, it's definitely happening because I've tried it on at least my past 2 iPhones (11 Pro and 13 Pro) and it works every time.

Instead of looking for a way to prevent certain passwords in the Keychain from getting synced, the "proper" way is to use a separate (local) keychain that does not get uploaded to iCloud.

I've been using this method forever, but in recent years Apple has added bugs, and never fixed original bugs, such as:

1. Trying to move several keychain items to a different keychain is a huge pain because one has to re-enter the same password for each item, on and on.
2. The keychains don't always refresh - a relaunch of the app may be necessary.
3. If the keychain contains items that are used by apps and other services that run at login, requiring you to unlock the keychain by entering its password, recent macOS versions don't perform these requests in sequence any more, which leads to the effect that you'll be asked to re-enter the keychain password multiple times.

@Thomas Yeah, multiple keychains are increasingly buggy and I think deprecated, so I’m hesitant to rely on that.

Here is another head scratcher. Since iOS 16.3 you can add a hardware security key as a second factor to your Apple ID for extra protection. In fact, you have to add two of them, otherwise Apple won't allow you to finish the setup. Now you might naively think that your Apple ID is protected from the above scenario. Turns out that is not the case. Your stolen iPhone is treated as an already authenticated device, which means you can easily change the Apple ID password AND remove or change all second factors, including the security keys, just with the knowledge of the device passcode! To be fair, the keys would still be required for a fresh login on a new device.

I can understand why Apple wanted to make life easier for users who are less concerned about the theft scenario. It possibly even reduced the support burden for Apple regarding forgotten Apple ID passwords. But they should at least give customers a choice to set things up in a more secure way. Requiring a security key to change the password when the user has one set up would be one way to do it.

I don't use the iCloud keychain at all right now and would only consider using it for very low value accounts. For me a separate password manager with a dedicated password is the only sensible solution.

@Ben G

I remember reading somewhere that FaceID is constantly learning and adjusting the "face model" it uses to recognize the user.

One other thing I noticed is that some light conditions like very bright sunlight shining directly on my face are a challenge for the sensors.

Surely the issue here is Apple considering an iPhone a "trusted device"? This is fine when it comes to remote hack attempts but if a thief has the device then the trust is rendered useless. If I had an option to disable trusted devices then I'd be straight on to that.

Anyway, I recently added security keys to my account and was also honestly shocked to find they did not factor into resetting the Apple ID password.

I'm surprised to see that entering the passcode is that common. Maybe a behind the screen fingerprint sensor would help?

Nicholas Vance

Friend of a friend got mugged and threatened with a weapon to give up their passcode. Made a miserable incident much worse since they now had control of the whole AppleID. They maxed the credit cards and locked him out of his own iCloud backups and developer account. Took several days to get access to Apple Execs who had the power to help.

Apple needs to fix this loophole with time-limited lockdown and recovery features ASAP. A PIN can't be all the keys needed.

Maybe part of a solution would be not treating the device you are acting on as trusted so it requires 2FA code from another of your signed in devices.

I tested on my iPhone adding or changing my Face ID and my 1Password manager forced a password to get in. However, on my iPad with Touch ID I added a finger and was still able to access 1Password with Touch ID.

It turns out iOS has a protection for situations like a stolen passcode. It will not stop the theft, but it will prevent crooks from changing your iCloud password, locking you out of your devices, etc. You need to use Screen Time for that.

I have described all the steps in my blog post:
https://dimka.com/blog/dd230622