A complex but concerning method of gaining control over a user’s iPhone and permanently locking them out of the device appears to be on the rise.
Some iPhone thieves are exploiting a security setting, called the recovery key, that makes it nearly impossible for owners to access their photos, messages, data and more, according to a recent Wall Street Journal report. Some victims also told the publication their bank accounts were drained after the thieves gained access to their financial apps.
It’s important to note, however, this type of takeover is hard to pull off. It requires a criminal essentially watching an iPhone user enter the device’s passcode – for example, by looking over their shoulder at a bar or sporting event – or manipulating the device’s owner so they’ll share their passcode. And that’s all before they physically steal the device.
From there, a thief could use the passcode to change the device’s Apple ID, turn off “Find my iPhone” so the device’s location can’t be tracked, and then reset the recovery key, a complex 28-digit code intended to protect account owners from online hackers.
Apple requires this key to help reset or regain access to an Apple ID in an effort to bolster the user’s security, but if a thief changes it, the original owner will not have the new code and will be locked out of the account.
“We sympathize with people who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple spokesperson said in a statement to CNN. “We work tirelessly every day to protect our users’ accounts and data, and are always investigating additional protections against emerging threats like this one.”
On its website, Apple warns “you’re responsible for maintaining access to your trusted devices and your recovery key. If you lose both of these items, you could be locked out of your account permanently.”
Jeff Pollard, VP and principal analyst at Forrester Research, said the company should offer more customer support options and “ways for Apple users to authenticate so they can reset these settings.”
For now, however, there are a handful of steps users can take to potentially protect themselves from having this happen to them.
The first step is protecting the passcode.
An Apple spokesperson told CNN people can use Face ID or Touch ID when unlocking their phone in public to avoid revealing their passcode to anyone who might be watching.
Users can also set up a longer, alphanumeric passcode that’s harder for bad actors to figure out. Device owners should also change the passcode immediately if they believe someone else has seen it.
Another step someone could consider is a hack not necessarily endorsed by Apple but one that’s been circulating online. Within an iPhone’s Screen Time setting, which allows guardians to set up restrictions on how kids can use the device, there is the option to set up a secondary passcode that any user would have to enter before they could successfully change an Apple ID.
With this enabled, a thief would be prompted for that secondary passcode before being able to change the Apple ID password.
Finally, users can protect themselves by regularly backing up an iPhone – via iCloud or iTunes – so data can be recovered in case the iPhone is stolen. At the same time, users may want to consider storing important photos or other sensitive files and data in another cloud service, such as Google Photos, Microsoft OneDrive, Amazon Photos or Dropbox.
This won’t stop a bad actor from gaining access to the device, but it should limit some of the fallout if a theft does happen.