Friday, December 15, 2023

Stolen Device Protection in iOS 17.3

Joe Rossignol:

The first iOS 17.3 beta rolling out to developers today includes a new “Stolen Device Protection” feature that is designed to add an additional layer of security in the event someone has stolen your iPhone and also obtained the device’s passcode.

Joanna Stern and Nicole Nguyen:

With Stolen Device Protection: If you want to change an Apple ID password when away from a familiar location, the device will require your Face ID or Touch ID. It will then implement an hour-long delay before you can perform the action. After that hour has passed, you will have to reconfirm with another Face ID or Touch ID scan. Only then can the password be changed.


As with changing the Apple ID password, enabling or changing the recovery key or trusted phone number will require two biometric scans an hour apart. (Needless to say, thieves couldn’t use the passcode to immediately turn off Stolen Device Protection itself—that, too, will require the same biometric scans and security delay.)


The device requires your Face ID or Touch ID to access those passwords [in the keychain]. The passcode will no longer serve as a backup for failed biometrics.


A thief with your iPhone and its passcode can still unlock your phone, even when Stolen Device Protection is on. Any app that isn’t protected by an additional password or PIN is vulnerable. So are accounts that can be reset by text or email.

Adam Engst:

Requiring just one biometric authentication blocks the snatch-and-grab approach because the passcode won’t be sufficient on its own to do anything. Requiring the second scan an hour later ensures that even a forced scan during a mugging or drugging won’t be sufficient unless you’ve been held hostage for that time.

One concern is that viewing Settings > Privacy & Security > Location Services > System Services > Significant Locations must also require biometric authentication, or else the thief could go to one of those locations to complete the takeover. In iOS 17.2, viewing that screen requires Face ID or Touch ID, but failures can be overridden with the passcode.


Apple won’t turn Stolen Device Mode on for you, but iOS 17.3 will alert users to the feature when they update. That seems reasonable for the first release, and I plan to turn it on.

Michael Potuck:

  1. Make sure you’re running the iOS 17.3 beta on your iPhone.
  2. Open the Settings app.
  3. Swipe down and tap Face ID & Passcode (or Touch ID & Passcode).
  4. Now choose Stolen Device Protection.

John Gruber:

After Stern and Nguyen broke this story, a lot of people reasonably wondered why Apple allows you to reset your iCloud account password using only your device passcode. The reason is customer support: every single day, hundreds — maybe thousands? — of people are locked out of their iCloud account because they can’t remember the password. Android phones work the same way: you can reset your Google account password knowing only your device passcode. However many people are falling victim to thieves taking advantage of this, there are orders of magnitude more innocent users who do know their phone passcode, but have forgotten their iCloud/Google account password.

Stolen Device Protection addresses the problem well, with balance between security and convenience. No existing workaround is a true defense against a thief who knows your device passcode. (Locking your iPhone with Screen Time protections was suggested by many as a mitigation, but you can completely override Screen Time protections with the device passcode — it just adds a few extra steps.)


My only doubts about the feature are the “home” and “work” safe locations, where the hour-long delay is overridden. (You still need to authenticate with Face ID or Touch ID, though.) How are these locations determined?


Update (2023-12-21): John Gruber:

One aspect that struck me from Johnson’s description of his modus operandi is that it relied little on observing people surreptitiously to glean their device passcodes. Instead it was mostly pure social engineering. He’d make fast friends with a target in a bar and just talk his way into the target telling him their passcode, so he could show them his Snapchat account or whatever. He’d talk people into giving him what he needed. Never underestimate how much digital crime revolves around person-to-person social engineering.

I’m glad Apple is adding the new Stolen Device Protection feature in iOS 17.3 (currently in beta), but my main takeaway from this entire saga is that everyone, including Apple, needs to spread awareness that device passcodes need to be treated as holiest-of-holy secrets.

Update (2023-12-28): See also: Bruce Schneier.

Update (2024-05-23): Eric deRuiter:

I’ve disabled Apple Stolen Device Protection after seeing this.

The unexpected downside is that Face ID is required once SDP is activated so if Face ID no longer recognizes you then you would have to recovery mode to restore your phone.

There are many plausible scenarios for Face ID failing such as surgery, injury, shaving a beard, broken eye glasses, or even it just no longer recognizing you for no discernible reason—which happened to my wife recently.

Even if you are at a familiar location you would need another device to reset the phone.


5 Comments RSS · Twitter · Mastodon

In late 2022 my phone was snatched from my hand by a thief on a bike. The device was unlocked and soon after the snatched the thief put it into Air Plane mode. Over the course of the next few days it some how made 3 pings to Find My. They didn’t access any of my accounts. My understanding is that the phones are reset using a jail break tool that can work on unlocked devices and then shipped to other countries and broken for parts. I filed a radar suggesting that turning on Air Plane mode should require biometric authentication to prevent this situation. Apple have not responded or even acknowledged the radar.

Why not let people set an additional password for just changes to Apple ID?
Yes people can forget, but similar warnings exist for File Vault passwords.

Eric deRuiter

The Security Delay section in the support document seems to indicate that at a familiar location you can make changes with just the device password, however I see multiple comments on Reddit claiming they are are locked out. When I disabled it yesterday there was not an option to use the password even after failed Face ID scan.

Eric deRuiter

I just tested again by enabling SDP with significant locations enabled, verified my home is correct in significant locations, and then tried to disable it from home with my hand obscuring my face so Face ID would fail. It only has the options "Try Face ID Again" and "Cancel"

Has anyone else tried to disable Secure Device Protection from your home without using Face ID? Is it a matter of my home isn’t being recognized so I don’t get the option to use the device password or is using device password just not possible?

Leave a Comment