New iPhone Security Features to Protect Stolen Devices

Apple is rolling out a new “Stolen Device Protection” feature that seems well thought out:

When Stolen Device Protection is turned on, Face ID or Touch ID authentication is required for additional actions, including viewing passwords or passkeys stored in iCloud Keychain, applying for a new Apple Card, turning off Lost Mode, erasing all content and settings, using payment methods saved in Safari, and more. No passcode fallback is available in the event that the user is unable to complete Face ID or Touch ID authentication.

For especially sensitive actions, including changing the password of the Apple ID account associated with the iPhone, the feature adds a security delay on top of biometric authentication. In these cases, the user must authenticate with Face ID or Touch ID, wait one hour, and authenticate with Face ID or Touch ID again. However, Apple said there will be no delay when the iPhone is in familiar locations, such as at home or work.

More details at the link.
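To make the excerpt's rules concrete, here is an added model of the decision logic (my own illustration, not Apple's code): biometrics with no passcode fallback for protected actions, and for the most sensitive ones a second biometric check after a one-hour delay unless the device is in a familiar location. The action names and the behaviour when the feature is switched off are assumptions.

```python
from dataclasses import dataclass, field

SECURITY_DELAY_SECONDS = 60 * 60  # the one-hour delay described in the article

# Action names are assumed labels for the examples the article lists.
BIOMETRIC_ONLY = {"view_keychain_password", "turn_off_lost_mode", "erase_device"}
DELAYED = {"change_apple_id_password"}  # biometric, wait an hour, biometric again


@dataclass
class StolenDeviceProtection:
    enabled: bool = True
    # action -> time (seconds) of the first biometric check that started its delay
    pending_since: dict = field(default_factory=dict)

    def authorize(self, action, now, biometric_ok, passcode_ok=False,
                  familiar_location=False):
        """Decide whether `action` may proceed; returns (allowed, reason)."""
        if not self.enabled:
            # assumption: with protection off, either factor is enough
            return (biometric_ok or passcode_ok), "protection off"
        if action not in BIOMETRIC_ONLY | DELAYED:
            return True, "not a protected action"
        if not biometric_ok:
            # no passcode fallback while protection is on, even if passcode_ok
            return False, "biometric required"
        if action in DELAYED and not familiar_location:
            started = self.pending_since.get(action)
            if started is None:
                self.pending_since[action] = now
                return False, "security delay started"
            if now - started < SECURITY_DELAY_SECONDS:
                return False, "security delay not elapsed"
            del self.pending_since[action]
            return True, "second biometric after delay"
        # familiar location skips the delay; other protected actions need biometrics only
        return True, "biometric ok"
```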

Posted on December 27, 2023 at 7:01 AM

Comments

Edoardo December 27, 2023 9:58 AM

Not having the phone passcode as fallback could also be potentially problematic in some edge cases.

Touch ID often fails me after doing DIY or gardening. I have often re-registered new fingerprints on the mac.
Face ID appears more repeatable (until, fingers xd, an accident or an eye infection forces an eyelid to be closed).

Trusted locations is a welcome feature; however, the place one is most likely to end up in trouble is … somewhere when travelling.

Last year, my daughter had her iPhone stolen when we were abroad.
She had not brought along her other Apple device (Mac); because of 2FA she could not just use a spare family device to read her uni emails, log in to her bank or retrieve a copy of the plane ticket …

Being abroad, getting a new SIM wasn’t an option as the replacement had been sent to our home address.
In the end we asked a friend with our home keys to DHL us her new SIM and Macbook. Friend forgot to mention that the latter was a used personal device and declared a £1000 insurance value on the item – which was then seized by customs for many days waiting for duties.

All sorted in the end …

JonKnowsNothing December 27, 2023 11:09 AM

@Morley

re: Is face/touch ID not required to use the phone?

No, it is not. Neither Face ID nor Touch ID is required, nor are passcode numbers.

Apple will make it a bit difficult to avoid setting that up, the same way they do with iCloud and iMessages. Sometimes you have to loop around a few settings to bypass them.

There is a new setting that is an IDMe-type setting that links your device to a specific contact name in your contacts list. Any name will do. This one is a trap of sorts. If you click on or are provided with the prompt you cannot back out of the selection: you MUST select a name. There are how-tos on the net on how to undo this feature.

One handy thing about streaming movies is I get to watch lots of films from other countries. They are stories and dramas of course, so are not necessarily documentaries. However, in many of the “detective police” dramas, bypassing Face and Touch ID is simple for the LEAs: Have perp + Have phone == Have Face+Fingers.

To bypass the number code requires the same technique as used in the USA: stuff ’em in a jail cell with a lot of other nasty folks. For people crossing transit areas, the jail is a very cold room, no jacket, no toilet, no furniture, no clock, bright light, no phone, no contact, solitary.

Works pretty well if you are alive at the time.

JonKnowsNothing December 27, 2023 11:23 AM

@Edoardo

re: iphone stolen when … abroad.

You might want to reconsider your OpSec there.

A recent anecdote, tl;dr

Someone had their iPhone lost, stolen, or strayed while on vacation. They had all the autolock stuff enabled. They also kept a lot of apps and access stuff on the phone too (ala 2FA). Banking, mail, text, browser history, work stuff: all The Usual.

It may be they lucked out with a device reset. Time will tell, as will their bank balance.

Just too much stuff to be hauling around asking for any thief to take it.

Take a burner phone instead. A few contacts for emergency. Leave your life info at home.

Enjoy the views instead of the screen.

Ray Dillinger December 27, 2023 1:24 PM

Can ‘face ID’ or ‘touch ID’ work on these devices without contacting Apple servers over the Internet?

I suppose it may not be as much an issue for what is almost purely a communications device, but I’m somebody who sometimes uses my laptop etc while unconnected and it seems that most “security” features don’t work unless you’re trusting somebody else’s cloud and the intervening connections to it – and more to the point trusting EVERY OTHER PIECE OF SOFTWARE to not do anything insecure with that network access when booted up but not yet secured.

JonKnowsNothing December 27, 2023 2:32 PM

All

A timely MSM article on a sophisticated exploit targeting Apple Devices

  • Exploit and malware called “Triangulation”
  • Uses 4 zero day conditions
  • At least 1 condition is an undocumented HW capability not disclosed in any chip datasheet
  • Exploit active: 4+ Years
  • Target: iPhones, Macs, iPods, iPads, Apple TVs, and Apple Watches.
  • Mechanism: attackers are able to write the desired data to the desired physical address with [the] bypass of [a] hardware-based memory protection by writing the data, destination address and hash of data to unknown, not used by the firmware, hardware registers of the chip.
  • “discovery teaches us once again is that even advanced hardware-based protections can be rendered ineffective in the face of a sophisticated attacker” Boris Larin

===

HAIL Warning

ht tps://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/

  • 4-year campaign backdoored iPhones using possibly the most advanced exploit ever
  • “Triangulation” infected dozens of iPhones belonging to employees of Moscow-based Kaspersky. [and Diplomats and Government Officials]
  • Attribution varies; probable NSA.

JonKnowsNothing December 27, 2023 2:55 PM

@Ray Dillinger

re: Can ‘face ID’ or ‘touch ID’ work on these devices without contacting Apple servers over the Internet?

Depends on how it is implemented. You get the prompts for this even when

  • you have iCloud OFF
  • you are not using the iPhone as a Hotspot
  • you remove the included browser app / although you might have something instead but not actively using it (card page not active)
  • you are not using any internet options at all but are using mobile phone and messages (not Airplane Mode)

If the phone is in OFF Mode but not powered Off, activating the display will show the security settings enabled.

So, you do not need an active internet connection, but the phone comes with an active mobile connection. So it might be phoning home rather than using a URL/PING to the Apple Servers.

Phones that have been disconnected from the phone system (no phone number) retain the settings. They can be used for the apps but cannot make phone calls or use services that require a phone number.

These used to be donated to Violence Escape Shelters as the 911 Emergency call continued to work without an active phone number.

Older ones can be used as burner phones if you factory reset them and enter only what’s needed. I don’t know how effective that is or if data can be recovered from old iCloud backups (1).

There is a Hot Political Fistfight over 3 laptops (which may be 4 laptops) that were left at a laptop repair shop and not retrieved. The owner of the shop, or someone, poked into the information on the laptop and extracted the ID/PW to the iCloud backups for the devices. That ID/PW ended up in the hands of another person (not a LEO) who accessed the backups and downloaded all the history, emails, texts etc.

Marcy Wheeler has a very interesting timeline analysis of what, when and from which devices both evidence and litigation charges originated.

Regardless of one’s view of the topic, the methods used to extract the data from the “Secure iCloud account” are illuminating.

===

1) Topic iCloud Backups.

ht tps://www.emptywhee l. net/2023/12/17/john-paul-mac-isaacs-serial-inaccuracies-and-the-ablow-laptop/

  • John Paul Mac Isaac’s Serial Inaccuracies and the Ablow Laptop, December 17, 2023

Clive Robinson December 27, 2023 5:38 PM

@ JonKnowsNothing, Ray Dillinger, ALL,

Re : Not a competent tech or liar…

“There is a Hot Political Fistfight over 3 laptops (which maybe 4 laptops) that were left at a laptop repair shop and not retrieved. The owner of the shop, or someone, poked into the information on the laptop”

It’s very well known in not just the tech community but user community,

1, How to externally power and have more USB ports.
2, How to make a bit for bit copy of a hard drive.

The first needs a “hub”; the second only needs a Linux box, a drive connector/cradle and use of the “dd” command.

The fact this alleged “repair tech” did not do this I find highly suspicious; worse, the fact the FBI corrupted the chain of evidence as well is more than a bit of an eye opener.

Thus I have to ask myself why has this been done this way.

And the answer that comes to mind first is,

“To prevent forensic investigation for tampered / falsified data on the hard drive.”

I won’t go into details because they are long and can be really boring[1], but the way the OS writes data to a hard drive can be analyzed. It’s kind of like archeology because of the way the file system uses free space from files that have been deleted or overwritten.

Copying files destroys this forensic evidence; thus, if done as it was in this case, it is effectively withholding evidence from the defendant, as well as breaking the chain of custody.

So one has to ask why the repair tech and the FBI did what they did. That is, what they hoped to gain, and what in fact they could lose because of it.

Hence “why take the risk?”

There is already evidence mounting that one or two members of the FBI have been “politically influenced” by William Barr and his then political master.

Rudy has just made himself bankrupt so he does not have to pay damages on the lies he has already spread far and wide about two women who, from the evidence put forward, are totally innocent and did not do what Rudy claimed.

Thus the fact at least one known liar and perjurer has been very much involved in this “politically inspired” nonsense is indicative that others have in all probability lied and tampered with evidence for the same “politically inspired” reasons, to feed into the narrative for the liar and master to disseminate as a form of “rodent copulation”, as one Republican so eloquently put it.

[1] Whilst not the first to write about it, a couple of decades ago Brian Carrier wrote a book on the subject of bit-by-bit, sector-by-sector etc. file system forensics, that is quite readable,

https://www.oreilly.com/library/view/file-system-forensic/0321268172/

Whilst well out of date in terms of the file systems covered, it gives a good grounding in what you need to know to understand what goes on. Thus catching up with modern journalling file systems, where the forensics can be even stronger, is easier to do.
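The comment above distinguishes a sector-level image (which keeps free space and the slack of deleted files) from a file copy (which does not). The following is an added illustration, not code from the comment or from any forensic tool: a small model of what `dd conv=noerror,sync` does, reading block by block, zero-filling an unreadable sector so later offsets stay aligned, and recording a hash at acquisition so the image can be shown unchanged later. `FlakyDisk` is a constructed stand-in for a drive with bad sectors; the 512-byte sector size is an assumption.

```python
import hashlib
import io

BLOCK = 512  # assumed sector size


class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a drive whose listed sectors return I/O errors."""

    def __init__(self, data, bad_blocks, block_size=BLOCK):
        super().__init__(data)
        self.bad_blocks = set(bad_blocks)
        self.block_size = block_size

    def read(self, size=-1):
        if self.tell() // self.block_size in self.bad_blocks:
            raise OSError("I/O error")
        return super().read(size)


def acquire_image(src, block_size=BLOCK):
    """Sector-by-sector copy in the spirit of `dd conv=noerror,sync`.

    Every block is copied verbatim, free space and slack included, so the
    file-system layout survives for later analysis. An unreadable block is
    replaced by zeros rather than skipped, keeping every later offset aligned
    with the original. Returns (image_bytes, bad_block_count, sha256_hex).
    """
    out = io.BytesIO()
    digest = hashlib.sha256()
    bad = 0
    offset = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            chunk = b"\x00" * block_size
            bad += 1
            src.seek(offset + block_size)  # step past the bad sector
        if not chunk:
            break
        chunk = chunk.ljust(block_size, b"\x00")  # pad a short final block
        out.write(chunk)
        digest.update(chunk)
        offset += block_size
    return out.getvalue(), bad, digest.hexdigest()


def verify_image(image, recorded_sha256):
    """Chain-of-custody check: the image still hashes to the acquisition digest."""
    return hashlib.sha256(image).hexdigest() == recorded_sha256
```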

ResearcherZero December 28, 2023 1:19 AM

@Clive Robinson

At no time did anyone stop to think about perhaps using a reputable forensics firm, as what they were essentially hoping to do is a criminal act.

ResearcherZero December 28, 2023 1:28 AM

It’s not the way I’d go about getting a promotion at work or at the FBI. And I certainly wouldn’t be taking my gear to that repair shop if that is the way they handle their customers data and devices. Did the guy who phoned in the tip have a Russian accent?

ResearcherZero December 28, 2023 3:04 AM

https://media.ccc.de/v/37c3-11859-operation_triangulation_what_you_get_when_attack_iphones_of_researchers

Jon (a different Jon) December 28, 2023 4:52 AM

One does wonder if the heirs of the deceased have any rights to the data upon the deceased’s phone, and if so, how can they access it?

Yes, this has become significant to me in the past couple of weeks.

J.

wiredog December 28, 2023 6:30 AM

Jon,
While you may have a legal right to the data, if you don’t have the passwords and the phone is encrypted you may be out of luck. Without the encryption key you can’t decrypt the data.

Clive Robinson December 28, 2023 6:38 AM

@ Jon (a different jon),

Re : Deceased, their estate, copyright and heirs.

“One does wonder if the heirs of the deceased have any rights to the data upon the deceased’s phone”

Simple answer is yes: via copyright law, “information” as a creative endeavour of the now deceased was a “work” and is protected by copyright law for a period of time.

In practice, unless each work is assigned to another or jointly created by another, then the work falls under the deceased’s estate to assignees and heirs.

Problems start with assignees, because most estates have liabilities against them for various reasons, even if it’s an unpaid phone bill.

If people plan ahead over and above a will they can avoid most of the issues.

However, banks and lawyers have a very poor history when it comes to people’s estates… Many try to get legal control then asset strip the estate in many ways. Widows, for instance, have seen millions disappear, and the house they part or fully own sold out underneath them at a pittance to an entity with a relationship to the bank or lawyers.

One trick is to use bankruptcy law and preferential receivers… Another is to cause disquiet between the heirs such that massive legal bills etc can be racked up.

But mobile phone, smart device and even IoT companies usually claim they have any and all rights and the deceased is the only one who can use the company’s arbitration process at some court in a dust bowl in Delaware or similar…

Oh and it looks like with Win 11 Microsoft is getting into the same rapacious game.

As I’ve mentioned not long ago, a friend had, after months of numpty nonsense from Microsoft, to locate Microsoft UK’s Managing Director’s (~CEO equivalent) home address (I found it in KT8 very easily) and point out, with appropriate legal paperwork, that if she did not perform, he was going to in effect take various of her properties away from her and sell them out from under her, as it was her personal failings that were at issue… Apparently she finally “woke up and smelled the fuse burning” and finally did what she was required to do.

In short, you have to be prepared to be totally ruthless and go pillaging just to get what you are due.

A lot of these issues can be avoided if people take precautions in advance of their demise.

Amara Sheikh January 3, 2024 5:54 AM

That is the feature that was most needed; crime is increasing day by day and cases of stolen mobiles are the most common. Mobile phones are very important, especially for students, because all their data and important notes are on their phones, and they even save their projects there. Working as an MIS Assignment Help UAE provider, I need security assurance in case my phone is stolen, but after reading the news I am totally stress-free.

Veracitor January 3, 2024 9:29 PM

“Apple is rolling out a new “Stolen Device Protection” feature that seems well thought out:”

Phooey. It is ONLY “well thought out” for the police or kidnappers who want to control your phone and therefore everything linked to it. Both Touch-ID and Face-ID can be activated involuntarily (e.g., bad guy holds up phone, points camera at victim’s face, voila!).

At least with a passcode the victim can refuse to reveal it (sure, perhaps the code will be tortured out of the victim, but that is still more trouble – especially for low-level local police – than simply pointing the camera at the victim’s face).

I cannot believe that Bruce Schneier now endorses feeble biometric security schemes, when he first published on how lame they were decades ago.

Veracitor January 3, 2024 9:34 PM

Stolen-device mode should rely on something other than biometrics, like an “elevated privilege mode passphrase” which can’t be satisfied by taking a snapshot of the victim.
