38 comments

[ 3.0 ms ] story [ 82.4 ms ] thread
Anything actually technical here? I’m always skeptical of legacy media reporting on tech
Well more of a product/security matter here. The amount of access that an unlocked device gets you is nuts. I didn't expect to be able to reset an apple id password with a device pin code.
(comment deleted)
I'm not sure it matters - it's not a technical-heavy flaw in Apple's security. He either recorded people putting in their unlock codes, or straight up asked them what it was. The reporter doesn't have to be very technically-minded to follow.
Ah well where’s the hack then? I assumed it was going to be their typical click bait and was right. Accessing someone’s data with an unlocked phone isn’t hacking at all.
I think most people wouldn’t expect it to be possible to disable iCloud and turn off remote wipe with just the device passcode.
He "broke into the phones" by using social engineering to get the PIN.
And I bet it’s super effective. Adversary goals are not generally to do something cool, they’re to do the easiest possible thing that works.
> "I was homeless, started having kids, needed money"

> "I'm here [in prison] because I got too carried away"

Arrested for getting passcodes through trickery and violence.

That said, this report makes a good point:

* Johnson would quickly replace the passcode and then replace FaceID with his face

* He could then get into PayPal, Venmo, etc via (his) FaceID

* He could make ApplePay transactions at physical stores, again using FaceID

So, device PIN = all you need to get into all finance apps (if FaceID was enabled for them)

> "Johnson made $20,000 per weekend from selling the stolen phones"

> "I wish I had not been so greedy and just got what I got and changed my life"

> "When you get out, will you forget about this trick?"

> "There's gonna be new tricks out"

but he concludes with

> "...and I don't want nothing to do with it"

(comment deleted)
Yeah this is pretty glaring.

Changing the biometrics should automatically invalidate all FaceID tokens and block falling back to device PIN. It should effectively log the device out of all services, perhaps even delete browser cookies etc. since it should mean the person holding the phone is not the one who logged on to those.

Of course, this could have other implications so a lot of care has to be taken when designing and implementing this.

Android appears to do something like this with fingerprints (or at least enable it). Whenever I add a new one, apps stop accepting fingerprints until I enter my password/passcode/whatever in each one.
That's ok but in this case it won't help since the attacker already has the phone's passcode.
If each app has its own password/passcode that you can bypass with your fingerprint, and fingerprints suddenly stop working, it absolutely does shut down the thief, unless you also use the phone's passcode for all your accounts.
Oh I see. On the iPhone though, FaceID / TouchID are the same as the passcode - at least in the sense that if the biometrics fail, they fall back to the passcode.

This means that if you enable log in with biometrics, you’re essentially enabling the fallback along even if the app has a separate PIN/passcode.

I just tried it on my iPhone with a banking app and it shows me the default login screen for the bank and then logs me in if my face is there, but without the face it just stays on the login screen waiting for me to enter the bank password, never asks for a PIN.
Huh, I just tried this with a couple of my bank apps and they do the same. I guess either I'm misremembering this, or it got fixes along the way.

Wallet is still accessible with the device passcode as a fallback though, which means quite a lot of damage can still be done.

The fallback is the service account password, not the local device PIN.
It does get invalidated if the app use the right api call: https://developer.apple.com/documentation/localauthenticatio...
Microsoft’s apps use this (although, sometimes it gets triggered even if I didn’t change my biometrics).
All banking and finance apps I use have this correctly setup.
Therein lies the problem, I guess. How is it left to the application developer to implement this properly? As a user of the device, I expect biometrics (a feature of my platform of choice) to behave consistently.
Not all threats scenarios are the same. The problem is that there's very little in the way of forcing the app developers to accept liability if they misjudge the threat scenario (a notable exception are banking apps in the US)
I have never enabled FaceID (or even TouchID) on my phone, primarily because I feel like a password should be something you know and biometric data is something you have (or something you are?)

I always wondered if I should do it for convenience every time I open one of my banking apps, which always requires me to login again.

This has convinced me never to use such a thing, and I'm glad I've stood my ground.

but how is that going to prevent it from happening?

if they can get the code from you, that is as good as having your face id and they can access everything..

Because having the code my phone still doesn't get them into my banking applications which have passwords that I have to sign into.

I also don't use Apple's password manager so they would have to know another master password to access the passwords for my apps

(comment deleted)
Banks have their own passwords and do not rely on secie PIN. If you change the auth settings the bank apps fall back to their own password.
Moral of the story buy Android when everybody else has an iPhone.
There are a few things that I wish I could change which would improve my personal security posture massively:

1. When advanced data protection is turned on, it should not be possible to change the Apple ID password without the associated hardware tokens.

2. Again when advanced data protection is on, it should require the hardware tokens to add a Face ID appearance or change the device passcode.

I mean, how Apple is letting someone change my Apple ID password just by knowing my iPhone pass code, that's insane.

What's the point of having an Apple ID password if you can change it with the phone pass code ? It just bother the regular users to have 2 passwords to remember, but adds no security whatsoever...

Did you try this to confirm it’s even true? It takes 5 seconds, just try it. Because I did. My iPhone prompted me for my password in addition to the PIN.

Maybe we shouldn’t take this article at face value.

Likely been already fixed as a result of issues like these.
In the time it took you to type out that snarky response I did in fact try it and it allows it under the following conditions:

1. you have a passcode set

2. you are logged into iCloud.

1 & 2 are true for nearly everyone so sounds like yes this is still a problem.

Apple says you are supposed to set a second PIN under screen time to prevent Account Changes.