iPhone security issue. Have you set your Screen time/parental controls to prevent changes to your account?
Just like the Hyundai and Kia security issue that was spread on social media recently, there is a new one that attacks Apple iPhone users. If your phone is stolen and someone has your passcode (screen password) they can lock you out of all of your accounts and permanently lock you out of your iCloud storage – pictures, contacts, passwords, location data, find my device, etc. They can get your passcode by watching you enter it or using video to record you. Then if your phone is stolen they can immediately go in and change your Apple ID, password, phone number, and even the 28 digit recovery key to prevent you from wiping your phone and finding it. They can do this in under 20 seconds.
Apple is working on a security patch now, 5/1, but you can prevent this immediately by enabling and setting a Screen time/parental controls password on your own phone to not allow changes to Account settings without that password.
The slimebag thieves are targeting trusting individuals at bars and tourist sites and offer to take pictures for you. They watch you put in your passcode. If they see you do it, they have a big incentive to steal your phone – and everything else attached to your Apple account. They can run up charges faster than you can stop them. Your iPad, Apple Watch, etc. become paperweights. And Apple either will not or cannot help you get back into your account.
You can easily do a search for your specific phone to find out how to enable Screen time/parental controls and lock out a thief who has stolen your phone and knows your passcode.
Did you do it yet? Have a notebook handy to record the 28 digit recovery key and the 4 digit screen time protection password you just made up to prevent account changes.
Do it now!
22 Answers
When you find good, easy, step-by-step instructions for your phone it would be helpful to list the phone and instructions here. You will be helping others!
They would have to cut off one of my fingers (not saying which one) to get into my phone, but I’m going to do this also. You can never be too careful. Thanks!
@chyna All they need to do is wait until you unlock your phone for any reason: take a picture, pay a bill, scan your boarding pass, take a selfie, etc. They can grab your phone, pass it to someone else and change the settings within 30 seconds.
Not a worry to me as I only ever hand my phone off to a family member (rarely) and we like each other.
They would have to perform a “Faceoff” and literally scrape my face off.
I only type my code in if I power it off and back on and that wouldn’t be in public. The code is not simple.
I have all my recovery set and documented in a crypt at home.
The problem is not if you are at home with someone you know – unless it’s an angry ex. The problem is with a thief who has a buddy with a security camera watching a crowd. One person in that crowd is sure to type their passcode because her facial recognition didn’t work. Why? A new makeup look perhaps? Wearing a mask and hat on a snowy day? The camera is fogged? Anything. And she absolutely has to take that food shot or selfie now!
Unless you have disabled the digital passcode – and I am willing to bet you have not – you are vulnerable. Setting the Screen time/parental control to disable changes to account settings will defeat this.
A security guy told me this issue is like entering a high security government lab that requires a retina scan and a fingerprint to enter. But in case the door doesn’t open there’s a back door that will open with a secret knock.
Sadly, the method is being spread on TikTok so we can expect a rise in thefts soon – like the dramatic increase in Kia and Hyundai thefts.
I just looked at the screen time password controls but that looks to me like it just prevents someone else reading or subverting your screen time. It doesn’t look to me like it prevents them accessing your phone. I think you can go into another Apple device and clear your phone if you know it has been stolen. Doesn’t that seem like a better solution or am I missing something?
Yes, you are missing the setting. You are so close. You want to disable making Account and security changes without the new 4 digit screen time password. (You are setting parental controls on yourself.)
As it stands now, they can get in and change your trusted phone number, Apple ID and 28 digit recovery key in seconds. That bricks all the other devices you have attached to it. You cannot wipe it or use location services to find it. And worst of all… all your photos and data are inaccessible – maybe forever unless Apple agrees to do something about this mess.
I attached a 5 minute video that explains it. ^^^^^ 5 posts above.
Watch the video. Around the last 90 seconds they talk about how to do it with your phone. Keep your finger on the pause button. She doesn’t waste time.
My facial recognition always works. Even with a pillow over my head in the morning.
@kevbo1 And thank you for taking care of it. Everyone should.
I don’t think most people understand how bad this vulnerability is. I predict there will be a rash of ransomware attacks in a short while. And many of the attacks won’t be by strangers. A jealous partner? An angry ex?
If your phone is stolen while you’re looking at it and you don’t make those setting changes, you can still be screwed.
I tried but it’s not recognizing my Apple ID for some reason. I’ll work on it. Thanks.
Apple just announced Apple Banking savings account paying a little over 4% interest. Apple phones are going to be even more desirable targets now.
It bugs me that the only people who really understand the vulnerability are the criminals.
@kevbo1 How can I make it easier for honest people to understand it? I am open to suggestions.
@LuckyGuy I read an article that said that Apple just released a security update, I assume to address this issue. I don’t have the article at hand to link but it was on CNN online, I believe.
@LuckyGuy the WSJ video was clear to me.
edit: Today I tried stepping through setting up a new email account in the Mail app, and I had to turn off screen time to do it. Were I not on this thread, I probably would have forgotten to turn screen time back on. Tricky.
OK. Hopefully the update forces the user to set another password. Call it screen time, call it parental controls. Just make people do it!
As it stands now, anyone posing for a selfie is at risk for having their phone snatched and losing not just their phone but everything they have “stored safely” in the iCloud, and having charges run up on their accounts. The “find my phone” app will not work and the all-important 28 digit recovery key is changed and made useless.
This really worries me. It is like it was thought up by a foreign agent who wanted to cause havoc. Look how much damage has been caused by the TikTok videos showing how to steal Hyundais and Kias. It will end up costing our country billions in productivity losses.
@kevbo1 I thought the WSJ video was clear, too. But I had to hit pause a few times.
We all know that the Penguin is a smart, intelligent, literate individual and yet she is having difficulty finding the setting.
Other folks here erroneously think their biometric key is enough. (You and I now know it is not.) And I’d say a typical user here is smarter than the average bear (as Yogi used to say).
Apple needs to somehow force people to make the setting change.
^^ I had found the setting; it just wouldn’t let me get past the Apple ID which worked elsewhere.
@LuckyGuy I looked again and got it done. I just hope it doesn’t come back to bite me in the ass sometime when I try to make a change.
@janbb Congratulations! It will not bite you. I promise. The next time you want to make an account change like: change your Apple ID, or telephone number, or recovery key, or location services, or where is my phone tracking, etc. it will ask you for the 4 digit screen time code you just created. No changes will be allowed without that code. Perfect!
In some configurations it will ask you to turn off parental controls by entering that code. Once it is off you may make changes. But, honestly, 99.9% of the time you are not making changes in that area. Only the crooks use it.
Sounds ok. So it’s really a two factor verification workaround.
You are absolutely correct! It is an extra password that can be used to protect the important accounts and privacy settings that you rarely, if ever, need to change.