The first developer beta of iOS 17.3 includes Stolen Device Protection, a major new security feature designed to protect the user’s sensitive information stored in the device and in iCloud account if their iPhone is stolen and the thief gets access to the phone’s passcode. This optional feature could represent a significant change in how Apple looks at security, where currently the passcode is king. At this time, no detailed documentation is available; developers are getting a prompt to test the feature when installing the new beta.
One key to rule them all
It started back in 2017 with the release of iOS 11 that made it possible to reset an unknown iTunes backup password on-device by keying in the user’s passcode. This feature made logical acquisition trivial if one had access to the original screen lock passcode; the backup password no longer mattered. Apple continued adding unrelated things that could be change, reset, or altered by simply keying in a valid passcode on a trusted device, making the passcode the infamous “one key to rule them all”. In 2019, we did a breakdown on what can be achieved with a Face ID or Touch ID and what requires a passcode. Let’s go over it since we haven’t spotted any significant changes since then:
|
Touch ID/Face ID |
Passcode |
Reset/change iCloud password |
No |
Yes |
Change device passcode |
No |
Yes |
Unlock BFU device |
No |
Yes |
Unlock AFU device |
Yes |
Yes |
AFU DEVICES ONLY |
Pair with new computer |
No |
Yes |
Connect to trusted computer |
Yes |
Yes |
Make a local backup |
Only on trusted PC |
Yes |
Access media files |
Yes (on device) |
Yes |
View saved passwords |
Yes (on device) |
Yes (on device) |
Reset iTunes backup password |
No |
Yes (if no Screen Time password) |
Disable iCloud lock |
No |
Yes |
Use Apple Pay |
Yes |
Yes |
Use saved payment methods in Safari |
Yes |
Yes |
File system image (physical acquisition) |
Yes |
Yes |
Keychain (physical acquisition) |
No |
Yes |
iCloud Keychain, Health, Messages |
No |
Yes |
Bypass USB restricted mode |
Yes |
Yes |
As you can see, if someone has the device itself and its passcode, that person can do practically anything to the user’s device and its data, and even take over the user’s Apple ID by changing the original iCloud/Apple ID password.
What could happen if someone stole an iPhone and knows its passcode?
“The passcode that unlocks your phone can give thieves access to your money and data; ‘it’s like a treasure box’”, say WSJ’s Joanna Stern and Nicole Nguyen in A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life – WSJ. In that article, authors report on how thieves can steal iPhones and take over the owners’ Apple accounts, data, and money by using the passcode.
A different case was reported in Apple Community: Stolen iPhone – Thieves demanded passcode. The incident involved the theft of a person’s iPhone at gunpoint, where the thieves demanded and subsequently changed the iPhone passcode, added their Face ID, and altered the Apple ID password in front of the victim. Additionally, the Find My feature was disabled, leaving the victim locked out of accessing iCloud and granting the thieves access to sensitive information stored in the keychain and various apps. In response to the situation, the victim has initiated the Apple ID Recovery process but faces a waiting period of at least 21 hours until the next update. During that period, the thieves have full control over the victim’s Apple ID account complete with all information stored in it.
There are literally hundreds of similar cases reported every year worldwide. The point is: having one key to rule them all is an extremely unwise security practice.
It seems that Apple finally made their move to rectify this situation by lowering the ‘weight’ of the passcode in favor of biometric authentication. The early developer beta of iOS 17.3 introduced Stolen Device Protection, a new optional security layer that requires Face ID or Touch ID authentication for certain critical actions while disabling passcode fallback on these activities if biometric authentication fails. Biometric identification is required to access stored passwords, apply for an Apple Card, disable Lost Mode, erase device data, use payment methods saved in Safari, and more.
For even tighter security, certain actions, such as changing the Apple ID password associated with the iPhone or disabling Stolen Device Protection, impose a security delay post-biometric authentication. This delay mandates re-authentication after one hour unless the activity occurs in a familiar location like home or work, where this delay won’t apply. We believe Apple is using the system’s Frequent Locations to enable this feature.
Stolen Device Protection is opt-in and can be accessed in the Settings app under Face ID & Passcode – Stolen Device Protection. While the early beta of iOS 17.3 is displaying a prominent message prompting users to test the new feature, we don’t know if such prompt will remain in the official release.
What exactly does Stolen Device Protection do?
At this time, Stolen Device Protection is being tested. The final release of iOS 17.3 may or may not include some of the features available in the current beta. No official documentation is available.
Quoting MacRumors, the following actions will require Face ID or Touch ID authentication when the feature is turned on:
- Viewing/using passwords or passkeys saved in iCloud Keychain
- Applying for a new Apple Card
- Viewing an Apple Card virtual card
- Turning off Lost Mode
- Erasing all content and settings
- Taking certain Apple Cash and Savings actions in Wallet
- Using payment methods saved in Safari
- Using your iPhone to set up a new device
Actions that will require Face ID or Touch ID authentication and have a one-hour security delay when the feature is turned on:
- Changing your Apple ID password
- Updating select Apple ID account security settings, including adding or removing a trusted device, trusted phone number, Recovery Key, or Recovery Contact
- Changing your iPhone passcode
- Adding or removing Face ID or Touch ID
- Turning off Find My
- Turning off Stolen Device Protection
(Source: iOS 17.3 Beta Adds New Stolen Device Protection Feature to iPhone – MacRumors)
Will Stolen Device Protection have forensic consequences?
Short answer: possibly, but we don’t know. Once we have installed and tested the final release of iOS 17.3, we will publish an update.
Long answer: in its current state, Stolen Device Protection requires biometric authentication (with no passcode fallback) to perform “Reset all settings”, which removes the original screen lock passcode. That same command, however, also removes the iTunes backup password, making logical acquisition difficult or even impossible if the user has a reasonably complex backup password.