How to Fix the FATAL FLAW in iPhone's New Security Feature

00:00

Even though iPhone's new "Stolen Device  Protection" feature is awesome, and if you haven't  

00:04

enabled it, I'll explain why you must later, I  have discovered what I consider a potentially  

00:10

fatal flaw that can completely nullify its  protections. But you can easily fix it. So in this  

00:16

video, I'll go over how and why to enable the new  Stolen Device Protection feature, because it is  

00:20

not enabled by default, then go over the problem  with it and how to fix that. Because otherwise,  

00:25

a thief can literally take over your entire Apple  account in a way you cannot recover it. I'll get  

00:32

into the details later, but the short of it is  that the new extra protections don't apply at  

00:37

"familiar locations," which you have no control  over and you can't even see what they are. All you  

00:43

can see is the most recent place from a feature  called "Significant Locations", which it pulls  

00:48

from. And for me, it apparently even included some  place I had only been to once for a few hours this  

00:54

past weekend, with no way to know after what  threshold places become "familiar." So imagine  

01:00

you're at your favorite cafe for lunch or your  favorite bar where it is most likely to be stolen  

01:06

anyway. Well, congratulations, all that protection  could be gone and you would have no idea. Now I  

01:11

don't want to be one of "those" YouTubers, so I'll  tell you the solution right away now. But I highly  

01:16

suggest you stick around because even after you do  this and a thief gets your passcode, theoretically  

01:22

they could eventually get past the protections. So  I'll give some other tips on how to better protect  

01:28

yourself later. Anyway, after you enable stolen  device protection, what you could do is simply  

01:32

disable the Significant Locations feature in iOS  altogether. That's what it uses. Just be aware if  

01:39

Face ID breaks for you, then you might be screwed  for a while, but I'll discuss that later. And of  

01:44

course, if you do use the Significant Locations  feature, then you would have to consider the  

01:48

trade-off of disabling it. But again, even with  that, there are some things you can do I'll go  

01:53

over it later. Anyway, into the bulk of the video.  First of all, if you haven't already, I highly  

01:57

recommend you do enable this new feature, which  requires you to update to the latest iOS 17.3  

02:03

update that just came out. Then in the settings,  go to Face ID and Passcode, then look for Stolen  

02:08

Device Protection and "Turn on Protection." What  this feature basically does is it requires Face  

02:14

ID or Touch ID, not your iPhone passcode, to be  used for certain critical actions on your phone.  

02:21

But again, it's only at familiar locations. That  part is the big problem, in my opinion. Anyway,  

02:26

for even more important actions, like literally  changing your Apple account password, in addition  

02:31

to Face ID, it requires a one hour delay before  doing Face ID again. And why is this so important?  

02:38

Well, maybe you didn't even realize that even if  you have all the best security practices set up on  

02:43

your Apple account, including having a recovery  key and a super long Apple ID account password,  

02:49

all of that can be nullified if a thief manages  to get your flimsy 6-digit, or God forbid, 4-digit  

02:57

phone passcode, which is way easier than you  think. With those 6 digits on one of your devices,  

03:03

they can literally take over your entire Apple  account. They can do everything from changing your  

03:09

Apple ID password, your device password, resetting  Face ID to their own face, and the worst one is  

03:16

they can even set a recovery key, which encrypts  all your cloud data using that key. Then even if  

03:22

you get your account back, which is not a given,  you cannot access any of your photos and stuff or  

03:28

anything. Oh and yes, even if you have a recovery  key, they can change that too. And they can also  

03:34

even access all your keychain data with all your  web logins. It would be devastating. Last year,  

03:39

the Wall Street Journal did a story where they  interviewed a thief who got caught and convicted  

03:44

for stealing a bunch of iPhones, and he talked  about how the thefts work. Turns out it's pretty  

03:49

easy to trick people into unlocking their phone  with the passcode instead of biometrics and just  

03:55

watching them enter it. You might be thinking,  "Well, who types in their password anymore anyway?  

03:59

You just use Face ID." But the thief explained how  as one strategy, he would often ask people to use  

04:05

their phone and then accidentally lock the phone  where it requires the passcode, which you can do  

04:11

by just holding the power and volume buttons. Then  he'd say something like, "Oh, it's asking for a  

04:15

passcode", and people unsuspectingly type it in  while he watches. After that, he can even give the  

04:21

phone back and steal it later while they aren't  paying attention. And with the passcode, literally  

04:27

within seconds, he can take over their entire  account. They have the process memorized. And yes,  

04:31

in many cases, they do go as far as to set a  recovery key as part of this process. And it's  

04:36

not even like you can use the Find My feature,  because you can turn that off with the passcode  

04:41

too. Now at this point, you're probably thinking  that with the new stolen device protection,  

04:46

you should be protected, right? Because even if  they watch you type in your passcode, they can't  

04:51

change anything important without using Face ID.  And for the really important stuff, there's that  

04:55

additional hour delay after which they need to  do the Face ID again. So it's not even like they  

05:00

can just hold the phone up to your face and run  away. But here's the big flaw I see. As I've said,  

05:06

by default, the stolen device protections don't  apply when at a familiar location. Apple does  

05:12

not say how it determines what these are, other  than it uses the "Significant Locations" feature.  

05:18

When you go into the settings menu for that,  which is located under Privacy and Security,  

05:23

Location Services, System Services, Significant  Locations, it will only show you a summary of  

05:29

these significant locations, but won't even show  you what they are. Only the most recent one and  

05:35

how many there are. For me, the most recent one  was a place I had visited once for only a few  

05:40

hours this weekend. I had never been there before.  And I saw some people on Twitter showing how they  

05:45

had hundreds of these "Significant Locations"  apparently saved in there. Now to be fair,  

05:51

I doubt that every single significant location  counts as a familiar location, but there's no way  

05:56

to be sure. And even if not, you can't know what  it does consider familiar. I can totally imagine  

06:03

it marking someone's favorite hangout spot as  familiar, which simply by the fact that it's  

06:08

a place they frequent, is one of the most likely  locations they'll have their phone stolen in the  

06:13

first place. So because I can't control this, I'm  not taking any chances. I turned off significant  

06:19

locations altogether, which does fix this  weakness. Because as you can see before, when it  

06:24

is at a familiar location, whatever that is, you  can just bypass all the stolen protections with  

06:30

a passcode. You can see here while at home, when  trying to turn off stolen device protection, after  

06:36

failing Face ID, it just asks for a passcode,  without even the security delay. But after turning  

06:41

off significant locations, now it doesn't allow  the use of the passcode and does require Face  

06:47

ID. And on top of that, it also has that security  delay. Now, another thing to note is that if you  

06:53

disable significant locations, you'll also want  to be sure to clear your location history from the  

06:59

same menu, because if you don't, the thief could  just re-enable it using your passcode, even with  

07:06

the stolen device protection. It doesn't require  Face ID for that. Though in a minute, I'll go  

07:10

over some additional ways to bolster your security  in regards to that. Anyway, now with significant  

07:16

locations disabled, you can see that even  when doing one of the lesser critical actions,  

07:21

like viewing an Apple Card virtual number, if you  fail Face ID, you don't get an option to type in a  

07:27

passcode. And for the more critical actions, like  disabling stolen device protection itself, even if  

07:33

you pass the Face ID, it still requires that one  hour delay, after which you have to do it again.  

07:39

But realize that because they can still re-enable  the significant locations feature, theoretically,  

07:45

that could allow them to just wait until some  location becomes considered familiar, then they  

07:52

can bypass all the stolen protections again. Now,  hopefully it takes a long time for some location  

07:57

to be considered familiar, and that Apple wouldn't  consider someplace you visit once as familiar. But  

08:04

again, we wouldn't know the threshold, even  if not. Anyway, assuming that it does take a  

08:09

while for that to happen, in that case, you should  have more than enough time to log in to Find My on  

08:15

another device, and mark the phone to be erased.  And you probably would want to erase it, because I  

08:21

think they can just disable the lost mode with the  passcode too. Oh, and if you're wondering how you  

08:25

might disable the stolen device protection if you  yourself can't use Face ID or Touch ID for some  

08:30

reason, well that's the neat part. You don't.  As far as I know at least. I've never had that  

08:35

happen, but I guess you too would just have to  turn on the significant locations feature again,  

08:41

and wait for something to become familiar. Though,  in the meantime, you could still use the rest of  

08:47

your phone. Okay, now with all that in mind, there  are still some things you can do to most likely  

08:52

fully protect yourself, even from some of the  theoretical workarounds I mentioned. And for the  

08:56

most part, that's just to reduce the likelihood a  thief could spy on your passcode. So first of all,  

09:02

get rid of that numerical passcode, and set up  an alphanumeric passcode, and make it long. I've  

09:08

done this for the past year, and it's not as  inconvenient as you might imagine. You rarely  

09:12

have to type it in anyway, like a couple times  a week maybe. Then the other thing is to just be  

09:17

super aware and careful if you ever have to enter  your passcode in public. The thief in that other  

09:22

video report said that he would literally record  people entering their passcode to use later. So if  

09:27

the thief watching from afar sees that you have a  long alphanumeric passcode, and you hold it close  

09:33

while covering it and entering it, they probably  won't even bother targeting you anymore. Next,  

09:38

another tip I suggest is that in the  settings under "Face ID and Passcode",  

09:43

turn off most of the stuff under "Allow access  when locked", especially the Control Center.  

09:49

This won't help if they know your passcode, but if  they don't, they won't be able to just swipe down  

09:54

the control center and enable airplane mode and  disable Bluetooth to hide from Find My, which is  

10:00

something thieves do. Here's what I have disabled,  and this basically prevents anyone, thief or not,  

10:05

from being able to really do anything significant  on my phone while it is locked. So hopefully all  

10:11

of you now have a better idea of how to better  protect your iPhone, and you can basically choose  

10:16

your level of paranoia. If you enjoyed this video,  be sure to give it a big giant thumbs up for the  

10:20

YouTube algorithm, and if you want to subscribe,  I try to make videos about twice a week,  

10:24

usually Wednesday and Saturday. If you want to  keep watching, the next video I'd recommend is  

10:27

where I talk about a lot of computer mistakes that  people make, so you won't have to do that anymore.  

10:32

So I'll put that link right there. Thanks so much  for watching, and I'll see you in the next one.