Security Bite: iPhone’s Stolen Device Protection has a fatal flaw, but you can fix it

Last week, Apple launched iOS 17.3 with a new security feature known as Stolen Device Protection, which aims to help protect your data in case a thief has stolen your iPhone and obtained the password. However, one fatal flaw has already been found…

This is Security Bite, your weekly security-focused column on 9to5Mac. Every Sunday, Arin Waichulis delivers insights on data privacy, uncovers vulnerabilities, and sheds light on emerging threats within Apple’s vast ecosystem of over 2 billion active devices. Stay secure, stay safe.

The Stolen Device Protection feature comes after the Wall Street Journal’s Joanna Stern investigated a rise in iPhone thieves in restaurants and bars, with one criminal making as much as $300,000. The attacks were often carried out by observing victims entering their passcode before stealing the device, changing their Apple ID password, and turning off Find My iPhone to make it impossible to track or wipe remotely. From here, a thief can lock victims out of accounts (e.g., Venmo, CashApp, other banking apps, and so on) by using passwords saved to the Keychain password manager.

Fortunately, Stolen Device Protection helps thwart this vulnerability in two key ways. When enabled, the feature requires Face ID or Touch ID authentication (with no passcode fallback) before users can change important security settings like Apple ID passwords or device passcodes. It also enacts a one-hour security delay before users can change these security settings. This is designed to give victims time to mark an iPhone as lost before a thief can make critical changes.

Fatal flaw in Stolen Device Protection

However, if a user has Significant Locations enabled and is currently located in a familiar location, they won’t get these extra layers of protection.

“When your iPhone is in a familiar location, these additional steps aren’t required, and you can use your device passcode like usual,” states Apple in the Stolen Device Protection support documents. “Familiar locations typically include your home, work, and certain other locations where you regularly use your iPhone.”

Apple deems a location significant based on how often and when a user visits it. This data is typically used for things like Siri Suggestions and Memories in the Photos app, but because it’s also used for Stolen Device Protection, this can be concerning if you frequent a particular bar or cafe, notes popular technology YouTuber ThioJoe in a post on Twitter (X).

⚠️⚠️⚠️ iPhone’s new Stolen Device Protection has a FATAL FLAW (but you can fix it) ⚠️⚠️⚠️ By default, the protections are nullified when at a “familiar location”. The problem is you have NO CONTROL over what’s “familiar”. The feature apparently uses the “significant locations”… pic.twitter.com/NdWs7PoAdP — ThioJoe (@thiojoe) January 23, 2024

“By default, the protections are nullified when at a familiar location. The problem is you have NO CONTROL over what’s familiar,” ThioJoe writes. “The most recent was even a place I had visited for only a few hours ONCE this past weekend..” Lots of clown emojis in the tweet, and rightfully so. Being unable to view and edit your familiar locations is a little odd for Apple, known for its user privacy and transparency.

The problem occurs if your iPhone marks your favorite bar, restaurant, or public hangout spot as “familiar.” Stolen Device Protection can be toggled off without the need for biometric authentication. ThioJoe was able to disable the feature at one of his familiar locations (home) without Face ID. In my testing, I was able to disable Stolen Device Protection from a coffee shop I admittedly work from almost every day by also failing Face ID authentication and using the passcode as a fallback.

It’s unclear how Apple determines a significant location as a familiar location for Stolen Device Protection. Fortunately, you can turn off Significant Locations by going to Settings > Privacy & Security > Location Services > System Services > Significant Locations. When Significant Locations is disabled, Stolen Device Protection will require Face ID or Touch ID, with no option to bypass it with a passcode, even when at a familiar location.

Notably, in Thursday’s iOS 17.4 beta 1 release, Apple added the ability to always require a security delay when changing security settings. This means a user will always have to wait an hour before changing their Apple ID password and other security settings. This is currently only available for beta testers and isn’t enabled by default.

I’ll continue to test and update this post.

https://9to5mac.com/2024/01/28/security-bite-iphones-stolen-device-protection-has-a-fatal-flaw-but-you-can-fix-it/
