iOS 17.3 Developer Preview: Stolen Device Protection

December 20th, 2023 by Oleg Afonin

The first developer beta of iOS 17.3 includes Stolen Device Protection, a major new security feature designed to protect the user’s sensitive information stored on the device and in their iCloud account if their iPhone is stolen and the thief gets access to the phone’s passcode. This optional feature could represent a significant change in how Apple looks at security, where currently the passcode is king. At this time, no detailed documentation is available; developers are getting a prompt to test the feature when installing the new beta.

One key to rule them all

It started back in 2017 with the release of iOS 11, which made it possible to reset an unknown iTunes backup password on-device by keying in the user’s passcode. This feature made logical acquisition trivial if one had access to the original screen lock passcode; the backup password no longer mattered. Apple continued adding unrelated things that could be changed, reset, or altered by simply keying in a valid passcode on a trusted device, making the passcode the infamous “one key to rule them all”. In 2019, we did a breakdown of what can be achieved with Face ID or Touch ID and what requires a passcode. Let’s go over it, since we haven’t spotted any significant changes since then:

| Action | Touch ID/Face ID | Passcode |
|---|---|---|
| Reset/change iCloud password | No | Yes |
| Change device passcode | No | Yes |
| Unlock BFU device | No | Yes |
| Unlock AFU device | Yes | Yes |
| AFU DEVICES ONLY | | |
| Pair with new computer | No | Yes |
| Connect to trusted computer | Yes | Yes |
| Make a local backup | Only on trusted PC | Yes |
| Access media files | Yes (on device) | Yes |
| View saved passwords | Yes (on device) | Yes (on device) |
| Reset iTunes backup password | No | Yes (if no Screen Time password) |
| Disable iCloud lock | No | Yes |
| Use Apple Pay | Yes | Yes |
| Use saved payment methods in Safari | Yes | Yes |
| File system image (physical acquisition) | Yes | Yes |
| Keychain (physical acquisition) | No | Yes |
| iCloud Keychain, Health, Messages | No | Yes |
| Bypass USB restricted mode | Yes | Yes |

As you can see, if someone has the device itself and its passcode, that person can do practically anything to the user’s device and its data, and even take over the user’s Apple ID by changing the original iCloud/Apple ID password.

What could happen if someone stole an iPhone and knows its passcode?

“The passcode that unlocks your phone can give thieves access to your money and data; ‘it’s like a treasure box’”, say WSJ’s Joanna Stern and Nicole Nguyen in “A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life” (WSJ). In that article, the authors report on how thieves can steal iPhones and take over the owners’ Apple accounts, data, and money by using the passcode.

A different case was reported in Apple Community: Stolen iPhone – Thieves demanded passcode. The incident involved the theft of a person’s iPhone at gunpoint, where the thieves demanded and subsequently changed the iPhone passcode, added their Face ID, and altered the Apple ID password in front of the victim. Additionally, the Find My feature was disabled, leaving the victim locked out of accessing iCloud and granting the thieves access to sensitive information stored in the keychain and various apps. In response to the situation, the victim has initiated the Apple ID Recovery process but faces a waiting period of at least 21 hours until the next update. During that period, the thieves have full control over the victim’s Apple ID account complete with all information stored in it.

There are literally hundreds of similar cases reported every year worldwide. The point is: having one key to rule them all is an extremely unwise security practice.

It seems that Apple finally made their move to rectify this situation by lowering the ‘weight’ of the passcode in favor of biometric authentication. The early developer beta of iOS 17.3 introduced Stolen Device Protection, a new optional security layer that requires Face ID or Touch ID authentication for certain critical actions while disabling passcode fallback on these activities if biometric authentication fails. Biometric identification is required to access stored passwords, apply for an Apple Card, disable Lost Mode, erase device data, use payment methods saved in Safari, and more.

For even tighter security, certain actions, such as changing the Apple ID password associated with the iPhone or disabling Stolen Device Protection, impose a security delay post-biometric authentication. This delay mandates re-authentication after one hour unless the activity occurs in a familiar location like home or work, where this delay won’t apply. We believe Apple is using the system’s Frequent Locations to enable this feature.

Stolen Device Protection is opt-in and can be accessed in the Settings app under Face ID & Passcode – Stolen Device Protection. While the early beta of iOS 17.3 displays a prominent message prompting users to test the new feature, we don’t know if such a prompt will remain in the official release.

What exactly does Stolen Device Protection do?

At this time, Stolen Device Protection is being tested. The final release of iOS 17.3 may or may not include some of the features available in the current beta. No official documentation is available.

Quoting MacRumors, the following actions will require Face ID or Touch ID authentication when the feature is turned on:

  • Viewing/using passwords or passkeys saved in iCloud Keychain
  • Applying for a new Apple Card
  • Viewing an Apple Card virtual card
  • Turning off Lost Mode
  • Erasing all content and settings
  • Taking certain Apple Cash and Savings actions in Wallet
  • Using payment methods saved in Safari
  • Using your iPhone to set up a new device

Actions that will require Face ID or Touch ID authentication and have a one-hour security delay when the feature is turned on:

  • Changing your Apple ID password
  • Updating select Apple ID account security settings, including adding or removing a trusted device, trusted phone number, Recovery Key, or Recovery Contact
  • Changing your iPhone passcode
  • Adding or removing Face ID or Touch ID
  • Turning off Find My
  • Turning off Stolen Device Protection

(Source: iOS 17.3 Beta Adds New Stolen Device Protection Feature to iPhone – MacRumors)
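
The two lists above can be read as an access-control policy. The Python model below is an added example, not Apple's code and not part of the original article: it encodes the beta behaviour as described here, with invented action labels and a constructed clock, to show why a thief who holds only the passcode is refused once the feature is on.

```python
from dataclasses import dataclass
from enum import Enum

DELAY_SECONDS = 3600  # the one-hour security delay described above

# Action labels are invented for this model; the grouping follows the two lists above.
BIOMETRIC_ONLY = {
    "use_keychain_passwords", "apply_for_apple_card", "view_apple_card_virtual_card",
    "turn_off_lost_mode", "erase_all_content_and_settings",
    "apple_cash_and_savings_actions", "use_safari_payment_methods", "set_up_new_device",
}
BIOMETRIC_PLUS_DELAY = {
    "change_apple_id_password", "update_apple_id_security_settings",
    "change_passcode", "add_or_remove_biometrics",
    "turn_off_find_my", "turn_off_stolen_device_protection",
}

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    WAIT = "wait"  # delay is running; authenticate again once it has elapsed

@dataclass
class Attempt:
    action: str
    passcode_ok: bool
    biometric_ok: bool
    familiar_location: bool = False
    now: float = 0.0  # seconds on a constructed clock

class Device:
    def __init__(self, sdp_enabled: bool):
        self.sdp_enabled = sdp_enabled
        self.delay_started = {}  # action -> time of the first biometric success

    def decide(self, a: Attempt) -> Decision:
        protected = a.action in BIOMETRIC_ONLY | BIOMETRIC_PLUS_DELAY
        if not (self.sdp_enabled and protected):
            # Feature off: Passcode column of the table, the passcode alone suffices.
            # Biometric-only outcomes vary per action and are not modelled here.
            return Decision.ALLOW if a.passcode_ok else Decision.DENY
        if not a.biometric_ok:
            return Decision.DENY  # no passcode fallback
        if a.action in BIOMETRIC_ONLY or a.familiar_location:
            return Decision.ALLOW
        started = self.delay_started.setdefault(a.action, a.now)
        if a.now - started >= DELAY_SECONDS:
            del self.delay_started[a.action]
            return Decision.ALLOW
        return Decision.WAIT
```

With the feature off, an attempt carrying only a valid passcode is allowed for every listed action; with it on, the same attempt is denied, and a delayed action returns WAIT until a second biometric success arrives at least an hour after the first.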

Will Stolen Device Protection have forensic consequences?

Short answer: possibly, but we don’t know. Once we have installed and tested the final release of iOS 17.3, we will publish an update.

Long answer: in its current state, Stolen Device Protection requires biometric authentication (with no passcode fallback) to perform “Reset all settings”, which removes the original screen lock passcode. That same command, however, also removes the iTunes backup password. With the command gated behind biometrics, knowing the passcode is no longer enough to reset an unknown backup password, making logical acquisition difficult or even impossible if the user has a reasonably complex backup password.

