iPhones and iPads have excellent security, and features such as Touch ID and Face ID help ensure that your data is protected. But for most people, Touch ID and Face ID are just convenient layers on top of a six-digit passcode. While six digits may seem secure, because there are one million possibilities for such a passcode, there are ways to crack passcodes. And if someone gets access to your passcode, the damages can be severe.
Daring Fireball recently highlighted a story told by Henrique Prange on Twitter, who recounted that his friend’s iPhone was stolen, which led to the loss of $30,000 from his bank, and an additional $2,500 spent on Apple’s App Store. As John Gruber points out in his comments:
This is an interesting but alarming story. Did the thieves crack his 6-digit passcode with a GrayKey or GrayKey-like device? Impossible to say. But it’s worth thinking about it. We know GrayKey exists, and if it exists, thieves could have it. It’s also easier for a would-be thief to snoop a target entering a 6-digit passcode than an alphanumeric passphrase.
And the real issue is this:
It simply never occurred to me that if a thief (or law enforcement, or any adversary) has the device passcode, and your iCloud password is in your keychain, they can get your iCloud password from your keychain. All you need is the device passcode to access all of the passwords in iCloud keychain. Try it — you can.
If someone can get your passcode, none of the other advanced security features on your iPhone, or in iOS, can protect you; the dominoes that secure your life will fall very quickly. Here’s what can happen, and why you should change your passcode to something more secure (I’ll explain how below).
We don’t know how the thief broke into this stolen iPhone. Was it a brute-force attack with a GrayKey or similar device? Or did someone shoulder-surf and spot the person’s passcode before the theft? In any case, once someone has the passcode, all bets are off, as you’ll see below. It’s worth noting that the same thing can happen on a Mac, if someone gets your password, though it’s rare that people use a six-digit numeric password on a computer.
In this case, the owner of the iPhone quickly activated Lost Mode, which, according to Apple, locks the device with its passcode, and deactivates Apple Pay, but doesn’t prevent access to someone who has the passcode already.
On iOS, once you have the passcode, you can access all the passwords stored in iCloud Keychain. Go to Settings > Passwords & Accounts > Website & App Passwords. Enter the passcode, and you can now access everything. (On Mac, you can access these in the Keychain Access app, or, for website passwords, in Safari > Preferences > Passwords.)
You may not realize it, but your iCloud password – the one connected to your Apple ID – is almost certainly in your keychain. While you mostly enter that password in dialogs, you’ve almost certainly used it on the web to manage your Apple ID, create app-specific passwords, or log into iCloud.com. If you allow Safari to save the password, then it’s accessible to anyone with your passcode. (If you use a different browser, this password will be accessible in that browser.)
At this point, the game is over. While you think you’re protected with Find My iPhone, which allows you to remotely lock or erase your device, once someone has your iCloud password they can deactivate this feature. In this specific case, the fact that it happened so quickly – Find My iPhone was turned off less than two hours after the theft, before the iPhone owner could get to a computer and send the command – suggests that they didn’t have to work hard to get the phone’s passcode. From this point on, everything is compromised.
If you use an email service other than iCloud, your email password is probably stored in your keychain; you’ve almost certainly saved it in Safari when setting up your account, or when accessing webmail. After all, if you have a secure email password that you can’t remember, you have to be able to access it when you need it. Or perhaps you have stored it in a password manager… See just below, because it’s possible that these passwords are also compromised now.
When a thief has your email password, they can make a lot of changes to accounts, such as your PayPal account, or many other financial accounts.
Another domino falls, and now the thief has access to everything. If you protect yourself with a password manager, which creates and stores random, secure passwords, there’s one master password that unlocks access to all of this. Many people also use a password manager to store credit card information, bank account details, and more.
The problem is that some password managers require you to log into a website to set up and manage your account, and if you’ve done this, and if Safari auto-saved the password, then it is stored in the iCloud keychain.
If you are serious about security, you have two-factor authentication on important accounts, right? Well, the thief has your phone, so they’ll be getting the one-time codes that are sent via SMS. And if you are even more secure, and use an authenticator app to generate one-time codes, then that app is on the phone that has been stolen, so a thief can generate those codes and access your most protected accounts.
In the case discussed on Daring Fireball, it seems that the user’s bank account was just protected by a password. My banks here in the UK all require additional information to access a bank account, information that people may store in a password manager. Again, once the password manager is accessed, then nothing is protected.
There are a number of questions to consider here. As mentioned in the Twitter thread, “Why did @Apple allow a device in Lost Mode to be used to unlock itself?” According to this Apple support document, Lost Mode “remotely locks your missing iPhone, iPad, iPod touch or Mac with a passcode, keeping your information secure even if your device goes missing.” Lost Mode does not erase the device, which is what the user should have done. But Apple also says that:
If your missing device is covered by AppleCare+ with Theft and Loss, you shouldn’t erase your device. Instead, file a claim for your lost or stolen device.
This seems problematic, because if someone has the passcode, as we have seen, they have access to everything. So if you follow Apple’s guidance, then you are at risk.
Another question is “Why didn’t @Apple raise a fraud alert for the in-app purchases?” Apple should certainly have reacted to the sudden purchases, and I don’t understand how a bank allowed so much money to be removed from an account so quickly. My bank has limits on how much money I can take each day; different limits for cash via an ATM and for transfers or payments.
You can be security conscious, using robust passwords and a password manager, but the weak link in the chain of security is your iOS device passcode. Six digits is not strong enough, but you can make a stronger passcode, and if the passcode is more than six digits, there’s no way of knowing how many characters it contains.
Go to Settings > Face ID & Passcode or Touch ID & Passcode. You’ll have to enter your current passcode to access these settings. Scroll down a bit and tap Change Passcode. Enter your passcode again, and you’ll be asked for a new one. Don’t create a new six-digit passcode; tap Passcode Options.
You’ll see that you can create a 4-digit code (don’t do this), a custom numeric code, or a custom alphanumeric code. If you create a custom numeric code, when you enter your passcode, you’re presented with a field that doesn’t indicate the passcode’s length, and this may be a good way to enhance your security. Since password cracking devices look for six-digit passcodes, even adding one digit makes it much more secure. But if you want to use digits only – because they’re a lot easier to type – then choose a longer sequence of digits.
With an alphanumeric passcode, you’re presented with a full keyboard. You can create a passcode using letters, numbers, and other characters.
This is the most secure, but perhaps the least practical. However, if you have Face ID or Touch ID, you don’t often need to enter your passcode. You do so after an update, when changing a passcode or accessing passwords, or after a certain number of days. (The Apple Platform Security guide explains when you need to enter a passcode or password.)
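To make the arithmetic behind these choices concrete, here is an added example (not from the original post) that counts worst-case guesses for each passcode type; the 100-guesses-per-second rate and the 62-character alphanumeric set are assumptions for illustration only.

```python
# Worst-case guess counts for iOS passcode types. Constructed example:
# the charset sizes and guess rate below are assumptions, not measurements.
DIGITS = 10            # numeric keypad
ALNUM = 26 + 26 + 10   # assumption: upper, lower and digits; no symbols
MIN_LEN = 4            # iOS offers 4-digit codes, so a length-blind search starts there


def fixed_length_space(charset_size: int, length: int) -> int:
    """Guesses needed when the attacker knows the exact length (e.g. six digits)."""
    return charset_size ** length


def unknown_length_space(charset_size: int, max_length: int,
                         min_length: int = MIN_LEN) -> int:
    """Worst-case guesses when the length is hidden (custom numeric or
    alphanumeric): every shorter length must be exhausted first."""
    return sum(charset_size ** n for n in range(min_length, max_length + 1))


def worst_case_days(guesses: int, guesses_per_second: float) -> float:
    """Convert a guess count to days at an assumed sustained guess rate."""
    return guesses / guesses_per_second / 86400


def compare(guesses_per_second: float = 100.0) -> dict:
    """Return {label: (guesses, days)} for the passcode choices the post discusses."""
    cases = {
        "6 digits, length known": fixed_length_space(DIGITS, 6),
        "7 digits, length hidden": unknown_length_space(DIGITS, 7),
        "10 digits, length hidden": unknown_length_space(DIGITS, 10),
        "8 alphanumeric, length hidden": unknown_length_space(ALNUM, 8),
    }
    return {k: (v, worst_case_days(v, guesses_per_second)) for k, v in cases.items()}


if __name__ == "__main__":
    for label, (guesses, days) in compare().items():
        print(f"{label:32s} {guesses:>22,d} guesses  {days:>14,.1f} days")
```

Adding a single digit to a hidden-length numeric code multiplies the worst case by more than ten, because the shorter lengths must be searched too.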
You may consider that you’re security-savvy, but you may not have realized how important your passcode is. (And, on Macs, the same is true for your user account password; but since it’s not a six-digit password by default, it is harder to crack.) To be really secure, consider doing the following:
1. Change your passcode
Create a more secure passcode, either with more digits or with an alphanumeric passcode. It’s a lot harder to glean someone’s passcode by shoulder surfing if it’s entered on a full keyboard, though it’s a bit more difficult to type.
2. Check passwords saved in your iCloud Keychain
Check to see if your iCloud password is saved in your keychain; it’s one of your more important passwords, so you have probably memorized it; if so, delete the entries for Apple websites in the keychain.
3. Check to see if your password manager’s master password is in your iCloud keychain
Like your iCloud password, this is probably one you have memorized, so delete it from the keychain.
4. Be careful about allowing Safari or other browsers to save every password
Be aware that if your web browser saves your iCloud password, then it could be accessible to someone who gets access to your device. The same is true for your password manager’s master password. Many people just automatically allow all passwords to be saved by their browsers; think carefully about which passwords shouldn’t be saved.
5. If you lose your iPhone, or if it’s stolen, erase it
Don’t set a lost or stolen iPhone to Lost Mode; erase it, regardless of what Apple says about AppleCare+.
We discussed this passcode issue and more in episode 150 of the Intego Mac Podcast.