Thursday, April 20, 2023

iPhone Thieves Locking Users Out of Their Apple Accounts

Nicole Nguyen and Joanna Stern (MacRumors, Hacker News):

Greg Frasca has been locked out of his Apple account since October, and he’ll do just about anything to get back in.

He has offered to fly from Florida to Apple’s California headquarters to prove his identity in person, or write a check for $10,000 to reclaim the account. It holds the only copies of eight years of photos of his young daughters.

This is all because the thieves who stole Mr. Frasca’s iPhone 14 Pro at a bar in Chicago wanted to drain cash from his bank account and prevent him from remotely tracking down the stolen phone. They used his passcode to change the 46-year-old’s Apple ID password. They also enabled a hard-to-find Apple security setting known as the “recovery key.” In doing so, they placed an impenetrable lock on his account.

But this is not because Apple can’t restore access. It’s just their policy not to support other forms of recovery identification: driver’s license, backup e-mail, postal mail, physically appearing at an Apple Store, etc. The article cites an example where Apple did restore an account after the customer answered some verification questions, but this option does not seem to be available to most.

The article recommends enabling Screen Time protections, which may help against an unsophisticated thief, but as discussed before this seems to not be a true solution.

It’s better to have a backup of your photos, though I’m not sure there’s an automated way to do that if you don’t have a Mac.

larsnystrom:

IMHO, the crazy part is that it is possible to create a new Recovery Key with just the iPhone passcode (and the iPhone). So basically, the iPhone passcode is mightier than the Recovery Key. The only purpose of the Recovery Key is to protect against SIM swapping attacks. I didn’t know this.

So an attacker with the iPhone passcode can lock you out of your Apple account on all devices, even if they don’t have your Apple ID password or your Recovery Key.

Update (2023-04-21): Adam Engst:

Although I haven’t been able to find a detailed explanation of how the recovery key works in Apple’s Platform Security Guide, my understanding is that it essentially acts as a second copy of a user-managed encryption key that takes over from Apple’s usual account recovery option.

[…]

When the Wall Street Journal article talks about how victims attempt to prove ownership of their accounts with various forms of identification, it’s missing the point—identification is not in question; the data is simply inaccessible because it’s encrypted with a key that Apple doesn’t control.

I’m not sure that’s the case. If it were, then what was the point of Advanced Data Protection? Anyway, I think Apple needs to document this better.

The best protection right now is to use Screen Time, as I discussed in my previous article.

[…]

Unfortunately, it does that by preventing you from even entering Settings > Your Name without first going to Settings > Screen Time > Content & Privacy Restrictions > Account Changes > Screen Time Passcode > Allow, and then setting it back to Don’t Allow once you’re done. If Apple tweaked iOS 17 to prompt for the Screen Time passcode when accessing the blocked options, it would be much easier to recommend.

Doug Miller:

It used to be you could do a certain set of actions that would allow you to change the password even with the screen time passcode block (I won’t list them.) But with 16.4 Apple now requires you to confirm a trusted phone number, and then requires you to use another trusted device to actually change the password.

See also: Bruce Schneier.

Update (2023-05-01): Doug Miller:

I have both a recovery key set and a screen time passcode and I can still go through and change the Apple ID password with the procedure you listed.

[…]

Having a screen time passcode with account changes disallowed makes it harder to find the Apple ID address on the device, but not impossible.

17 Comments

icloud photos downloader (https://github.com/icloud-photos-downloader/icloud_photos_downloader) can be used to automatically download/backup photos on a periodic basis. Supports 2FA.

@Yan How does that work? Is it scraping the icloud.com Web site?

I use https://www.photoprism.app/ in combination with https://www.photosync-app.com/ to automatically back up photos from my phone to my Linux home server, and it works pretty well.

@Geoff Is that really automatic or do you have to remember to launch the app now and then so it can continue to get background time?

Years ago, I was using Microsoft's OneDrive app. It automatically uploads your photos to your OneDrive account based on a frequency you set or with every photo taken. Now I manually save photos I want to keep to an external HD.

I use Dropbox to have a cloud backup of my photos, and Synology Photos to have a local backup.

> But this is not because Apple can’t restore access. It’s just their policy not to support other forms of recovery identification: driver’s license, backup e-mail, postal mail, physically appearing at an Apple Store, etc.

That's not true, given what the article stated.

> They also enabled a hard-to-find Apple security setting known as the “recovery key.” In doing so, they placed an impenetrable lock on his account.

That is correct, at least based on Apple's documentation: https://support.apple.com/en-us/HT208072

> Creating a recovery key turns off account recovery. Account recovery is a process that would otherwise help you get back into your Apple ID account when you don’t have enough information to reset your password.

> Using a recovery key is more secure, but it means that you’re responsible for maintaining access to your trusted devices and your recovery key. If you lose both of these items, you could be locked out of your account permanently.

Because the attackers set a recovery key on the victim's account, there is nothing Apple can do (at least based on what it's said publicly) to help the victim recover their account. If the attackers hadn't set a recovery key, I think it's a different story. Though I also expect they'd fall back to other published account recovery paths which, as you note, don't allow for recovery via physical ID: https://support.apple.com/en-us/HT204921

@Plume Using a Mac?

@Rando The Apple support page agrees with what you say, that there’s nothing you can do if a recovery key has been set, though I note that the “could” is not definitive. However, the article says the opposite. Near the beginning it says that there is “virtually no way back into their accounts without that recovery key.” Then it says: “those locked out of their Apple accounts by thieves using the recovery key face a bigger challenge: finding a way through Apple’s complex policies and bureaucracy to retrieve their lost photos, contacts, notes, messages and other files,” which implies that there is a way. And then there’s the example that I mentioned in the post of Terry Allen. What I take from this is that the Apple page is saying that there’s no automated way to do recovery without the key but that if you talk to a human they have the ability to disable the recovery key. It would be interesting to know whether this is still possible with Advanced Data Protection enabled (if you get the device back).

Amazon Photos is unlimited for Amazon Prime members, and the app works really well at automatically uploading all of your photos. You only get 5GB of space for videos, but $20/year for 100GB is pretty reasonable.

I then download my Amazon Photos library, giving me another backup.

Having decided not to use services available only in the Apple ecosystem in Aug 2021 (and turning off iCloud Photo Library), I have been happy with https://ente.io/ (used in my iPhone, iPad and a Linux laptop).

I have not used the Background Uploads feature, so can't speak to that. I have the app in my Linux laptop sync/export all photos and backup to the cloud (using rclone).

> Using a Mac?

Dropbox does photo uploads on Macs, afaik. Synology Photos itself doesn't automatically upload photos from Macs yet, but you can set up something yourself using tools like Hazel.

@Plume My original point was that backup is trickier with non-Mac platforms because there is no equivalent of the Photos app. You responded that you use Dropbox and Synology. So I was wondering whether you meant on a Mac or whether you had found an automatic (not having to import from the phone) way to do it with Windows.

No, I wasn't talking about the Mac, I was talking about mobile platforms. There are a lot of mobile apps that auto-backup photos. Synology Photos does backups to a DiskStation, so there isn't even any cloud involved.

@Plume That gets back to what I was saying earlier about iOS background time.

I haven't tested these apps on iOS. They claim to back up automatically; Synology sends a background notification to its iOS app to wake it up, but I'm not sure how well this works. I only use it on Android, where it works perfectly.

@Plume Maybe Synology is better, but my experience is that even with background notifications you can’t really depend on an iOS app to keep getting background time over the long term unless you manually launch it now and then.

@MichaelTsai I use PhotoSync (iOS app) to upload new photos to Dropbox. It has an Auto Transfer feature if you allow Background App Refresh, with triggers for geofence and a specific time if the phone is charging.
