How to Fix the FATAL FLAW in iPhone's New Security Feature
Summary
TLDRThe video discusses iPhone's new Stolen Device Protection feature and a potential flaw where protections don't apply at 'familiar locations.' The host recommends enabling the feature but disabling Significant Locations to prevent thieves from bypassing protections if they obtain your passcode. Additional tips are provided to further secure your device like using longer, alphanumeric passcodes and limiting lock screen access.
Takeaways
- 😀 iPhone's new Stolen Device Protection is important but has a flaw allowing thieves to bypass it at familiar locations
- 😮💨 Thieves can take over your entire Apple account just by getting your iPhone passcode
- 😠 They can change your Apple ID password, device passwords, Face ID, and set their own recovery key
- 😥 This locks you out of your account and encrypted cloud data even if you get it back
- 😌 The new protections require Face ID or Touch ID for many actions unless at a familiar location
- 😕 The flaw is it uses your Significant Locations to determine familiar places with no visibility
- 🤔 Turning off Significant Locations disables the familiar location exemption to be safe
- 😁 Still change passcode to alphanumeric and long, and hide it when entering in public
- 😉 Disable Allow Access When Locked options to prevent unlocked access
- 😃 Overall the protections help but disable locations and take precautions for full security
Q & A
What is the new 'Stolen Device Protection' feature in iOS 17.3?
-It is a feature that requires Face ID or Touch ID, not just the passcode, for certain critical actions like changing your Apple ID password. It adds extra protection against thieves accessing your data if they get your passcode.
What is the potential flaw with the Stolen Device Protection feature?
-The protections don't apply at 'familiar locations', which are determined automatically and you have no control over. So if your phone is stolen at a familiar place like a cafe you go to often, the thief could bypass Face ID.
How can you fix this flaw with Stolen Device Protection?
-You can turn off the 'Significant Locations' feature, which is what determines familiar locations. This will make the protections apply everywhere.
Even with Stolen Device Protection, how can a thief take over your Apple account?
-If they obtain your 6-digit passcode by watching you type it in, they can change your Apple ID password, reset Face ID, and more. The passcode overrides everything.
What should you do to better protect your passcode?
-Use a long, alphanumeric passcode that is harder to guess. Be very careful and discreet when entering your passcode in public.
If a thief gets your passcode, what is the worst thing they can do?
-They can set a recovery key, which encrypts your iCloud data. Even if you get your account back, you may not be able to access your data again.
How does the 1 hour delay security measure work?
-For very critical actions like changing your Apple ID password, it requires Face ID plus an additional step of waiting 1 hour and doing Face ID again.
What can you do if a thief gets your passcode and you catch it quickly?
-Log into Find My on another device and erase your phone remotely before they are able to bypass protections.
How would you disable Stolen Device Protection if you couldn't use Face ID?
-You would have to turn Significant Locations back on and wait for a location to become familiar again to bypass Face ID.
What other settings can you change to protect a locked phone?
-Disable Allow Access When Locked for things like Control Center. This prevents unauthorized access to key functions.
Outlines
📱 Enabling iPhone's New Stolen Device Protection Feature
The paragraph explains the new Stolen Device Protection feature in iOS 17.3, which requires Face ID or Touch ID to perform critical actions on the iPhone when locked. It provides protection even if someone obtains your passcode. However, a flaw allows thieves to bypass protections at "familiar locations." The solution is to disable the Significant Locations feature.
📍 Flaw: Thieves Can Bypass Protections at Familiar Locations
The paragraph explains how the Stolen Device protections don't apply at familiar locations determined by the Significant Locations feature. Since you can't control or even see these familiar locations, a thief could bypass protections if they steal your phone from somewhere you frequently visit.
🛡️ Tips to Further Protect Your iPhone from Theft
The paragraph provides additional tips to protect your iPhone even if a thief obtains your passcode, including: using a long alphanumeric passcode, being careful when entering passcode in public, disabling Allow Access When Locked features like Control Center, and choosing your level of paranoia.
Mindmap
Keywords
💡Stolen Device Protection
💡Passcode
💡Familiar locations
💡Significant locations
💡Recovery key
💡Erase
💡Face ID
💡Alphanumeric passcode
💡Control Center access
💡Awareness
Highlights
The new Stolen Device Protection feature requires Face ID or Touch ID, not just the passcode, for critical actions.
With just the 6-digit passcode, a thief can take over your entire Apple account and iCloud data.
Thieves can trick you into entering your passcode instead of using Face ID by pretending the phone is asking for it.
With the passcode, thieves can change your Apple ID password, Face ID, and set a recovery key to encrypt your data.
The new protections don't apply at 'familiar locations', which you can't see or control.
Disable Significant Locations to remove the 'familiar locations' weakness.
Clear your location history too, or a thief could re-enable Significant Locations.
Theoretically, a thief could wait for a location to become familiar again to bypass protections.
Use Find My to erase your device if stolen before a location becomes familiar again.
Use a long, alphanumeric passcode and enter it discreetly in public.
Disable 'Allow Access When Locked' features like Control Center to limit unlocked access.
If Face ID fails, you'd have to re-enable Significant Locations and wait for a familiar location.
Reduce the chances a thief can see your passcode to better protect yourself.
Choose your level of paranoia based on your risk tolerance.
Enable Stolen Device Protection, use a better passcode, and disable Significant Locations.
Transcripts
Even though iPhone's new "Stolen Device Protection" feature is awesome, and if you haven't
enabled it, I'll explain why you must later, I have discovered what I consider a potentially
fatal flaw that can completely nullify its protections. But you can easily fix it. So in this
video, I'll go over how and why to enable the new Stolen Device Protection feature, because it is
not enabled by default, then go over the problem with it and how to fix that. Because otherwise,
a thief can literally take over your entire Apple account in a way you cannot recover it. I'll get
into the details later, but the short of it is that the new extra protections don't apply at
"familiar locations," which you have no control over and you can't even see what they are. All you
can see is the most recent place from a feature called "Significant Locations", which it pulls
from. And for me, it apparently even included some place I had only been to once for a few hours this
past weekend, with no way to know after what threshold places become "familiar." So imagine
you're at your favorite cafe for lunch or your favorite bar where it is most likely to be stolen
anyway. Well, congratulations, all that protection could be gone and you would have no idea. Now I
don't want to be one of "those" YouTubers, so I'll tell you the solution right away now. But I highly
suggest you stick around because even after you do this and a thief gets your passcode, theoretically
they could eventually get past the protections. So I'll give some other tips on how to better protect
yourself later. Anyway, after you enable stolen device protection, what you could do is simply
disable the Significant Locations feature in iOS altogether. That's what it uses. Just be aware if
Face ID breaks for you, then you might be screwed for a while, but I'll discuss that later. And of
course, if you do use the Significant Locations feature, then you would have to consider the
trade-off of disabling it. But again, even with that, there are some things you can do I'll go
over it later. Anyway, into the bulk of the video. First of all, if you haven't already, I highly
recommend you do enable this new feature, which requires you to update to the latest iOS 17.3
update that just came out. Then in the settings, go to Face ID and Passcode, then look for Stolen
Device Protection and "Turn on Protection." What this feature basically does is it requires Face
ID or Touch ID, not your iPhone passcode, to be used for certain critical actions on your phone.
But again, it's only at familiar locations. That part is the big problem, in my opinion. Anyway,
for even more important actions, like literally changing your Apple account password, in addition
to Face ID, it requires a one hour delay before doing Face ID again. And why is this so important?
Well, maybe you didn't even realize that even if you have all the best security practices set up on
your Apple account, including having a recovery key and a super long Apple ID account password,
all of that can be nullified if a thief manages to get your flimsy 6-digit, or God forbid, 4-digit
phone passcode, which is way easier than you think. With those 6 digits on one of your devices,
they can literally take over your entire Apple account. They can do everything from changing your
Apple ID password, your device password, resetting Face ID to their own face, and the worst one is
they can even set a recovery key, which encrypts all your cloud data using that key. Then even if
you get your account back, which is not a given, you cannot access any of your photos and stuff or
anything. Oh and yes, even if you have a recovery key, they can change that too. And they can also
even access all your keychain data with all your web logins. It would be devastating. Last year,
the Wall Street Journal did a story where they interviewed a thief who got caught and convicted
for stealing a bunch of iPhones, and he talked about how the thefts work. Turns out it's pretty
easy to trick people into unlocking their phone with the passcode instead of biometrics and just
watching them enter it. You might be thinking, "Well, who types in their password anymore anyway?
You just use Face ID." But the thief explained how as one strategy, he would often ask people to use
their phone and then accidentally lock the phone where it requires the passcode, which you can do
by just holding the power and volume buttons. Then he'd say something like, "Oh, it's asking for a
passcode", and people unsuspectingly type it in while he watches. After that, he can even give the
phone back and steal it later while they aren't paying attention. And with the passcode, literally
within seconds, he can take over their entire account. They have the process memorized. And yes,
in many cases, they do go as far as to set a recovery key as part of this process. And it's
not even like you can use the Find My feature, because you can turn that off with the passcode
too. Now at this point, you're probably thinking that with the new stolen device protection,
you should be protected, right? Because even if they watch you type in your passcode, they can't
change anything important without using Face ID. And for the really important stuff, there's that
additional hour delay after which they need to do the Face ID again. So it's not even like they
can just hold the phone up to your face and run away. But here's the big flaw I see. As I've said,
by default, the stolen device protections don't apply when at a familiar location. Apple does
not say how it determines what these are, other than it uses the "Significant Locations" feature.
When you go into the settings menu for that, which is located under Privacy and Security,
Location Services, System Services, Significant Locations, it will only show you a summary of
these significant locations, but won't even show you what they are. Only the most recent one and
how many there are. For me, the most recent one was a place I had visited once for only a few
hours this weekend. I had never been there before. And I saw some people on Twitter showing how they
had hundreds of these "Significant Locations" apparently saved in there. Now to be fair,
I doubt that every single significant location counts as a familiar location, but there's no way
to be sure. And even if not, you can't know what it does consider familiar. I can totally imagine
it marking someone's favorite hangout spot as familiar, which simply by the fact that it's
a place they frequent, is one of the most likely locations they'll have their phone stolen in the
first place. So because I can't control this, I'm not taking any chances. I turned off significant
locations altogether, which does fix this weakness. Because as you can see before, when it
is at a familiar location, whatever that is, you can just bypass all the stolen protections with
a passcode. You can see here while at home, when trying to turn off stolen device protection, after
failing Face ID, it just asks for a passcode, without even the security delay. But after turning
off significant locations, now it doesn't allow the use of the passcode and does require Face
ID. And on top of that, it also has that security delay. Now, another thing to note is that if you
disable significant locations, you'll also want to be sure to clear your location history from the
same menu, because if you don't, the thief could just re-enable it using your passcode, even with
the stolen device protection. It doesn't require Face ID for that. Though in a minute, I'll go
over some additional ways to bolster your security in regards to that. Anyway, now with significant
locations disabled, you can see that even when doing one of the lesser critical actions,
like viewing an Apple Card virtual number, if you fail Face ID, you don't get an option to type in a
passcode. And for the more critical actions, like disabling stolen device protection itself, even if
you pass the Face ID, it still requires that one hour delay, after which you have to do it again.
But realize that because they can still re-enable the significant locations feature, theoretically,
that could allow them to just wait until some location becomes considered familiar, then they
can bypass all the stolen protections again. Now, hopefully it takes a long time for some location
to be considered familiar, and that Apple wouldn't consider someplace you visit once as familiar. But
again, we wouldn't know the threshold, even if not. Anyway, assuming that it does take a
while for that to happen, in that case, you should have more than enough time to log in to Find My on
another device, and mark the phone to be erased. And you probably would want to erase it, because I
think they can just disable the lost mode with the passcode too. Oh, and if you're wondering how you
might disable the stolen device protection if you yourself can't use Face ID or Touch ID for some
reason, well that's the neat part. You don't. As far as I know at least. I've never had that
happen, but I guess you too would just have to turn on the significant locations feature again,
and wait for something to become familiar. Though, in the meantime, you could still use the rest of
your phone. Okay, now with all that in mind, there are still some things you can do to most likely
fully protect yourself, even from some of the theoretical workarounds I mentioned. And for the
most part, that's just to reduce the likelihood a thief could spy on your passcode. So first of all,
get rid of that numerical passcode, and set up an alphanumeric passcode, and make it long. I've
done this for the past year, and it's not as inconvenient as you might imagine. You rarely
have to type it in anyway, like a couple times a week maybe. Then the other thing is to just be
super aware and careful if you ever have to enter your passcode in public. The thief in that other
video report said that he would literally record people entering their passcode to use later. So if
the thief watching from afar sees that you have a long alphanumeric passcode, and you hold it close
while covering it and entering it, they probably won't even bother targeting you anymore. Next,
another tip I suggest is that in the settings under "Face ID and Passcode",
turn off most of the stuff under "Allow access when locked", especially the Control Center.
This won't help if they know your passcode, but if they don't, they won't be able to just swipe down
the control center and enable airplane mode and disable Bluetooth to hide from Find My, which is
something thieves do. Here's what I have disabled, and this basically prevents anyone, thief or not,
from being able to really do anything significant on my phone while it is locked. So hopefully all
of you now have a better idea of how to better protect your iPhone, and you can basically choose
your level of paranoia. If you enjoyed this video, be sure to give it a big giant thumbs up for the
YouTube algorithm, and if you want to subscribe, I try to make videos about twice a week,
usually Wednesday and Saturday. If you want to keep watching, the next video I'd recommend is
where I talk about a lot of computer mistakes that people make, so you won't have to do that anymore.
So I'll put that link right there. Thanks so much for watching, and I'll see you in the next one.
تصفح المزيد من مقاطع الفيديو ذات الصلة
5.0 / 5 (0 votes)