This is a very entertaining and educational article, giving insights into the methods used by thiefs to try and get access to your phone data.
I don’t like Apple but it’s great that their security is so good when it comes to this.
the methods used by thiefs to try and get access to your phone data.
It is not about accessing the data but to disassociate the current user from the phone so that the thief can reset the phone or/and it’s components for new users.
As much as I love my android phone, I have to admit Apple takes privacy and security much more seriously.
How so? A Samsung or pixel with default settings would also behave that way, possibly even more securely because it wouldn’t show the thieves your number.
I guess just anecdotally. I have a pixel 7, I’m pretty confident I could factory reset the device without 3rd party authentication. Also, from the tech channels I follow, I think I could recover my data if I forgot the password. Android has always felt more "free"and customizable, and I love it for that. But I also think that freedom allows for more exploits. It’s a trade off that’s worth it to me, personally. But if I had illegal shit to hide on my phone, I’d probably do it on an apple device.
Edit: just checked. I can completely bypass all my locked down Google Pixel settings to factory reset my phone pretty easily if I press the right keys in the right order. It would be pretty easy to steal and resell my phone.
You can factory reset it easily. You can’t use it without the previous Google account credentials afterwards. You can’t reuse a stolen Pixel which has Google account logged into it.
Ding ding ding, I can confirm this. I thought it was for all devices, but I guess not.
If you do it the manual way - not unlocking the phone and doing it through settings - you can wipe it sure, but when you try to set it up it requires the prior Google account credentials to proceed. No creds, no passing go, just a shiny brick. It’s been like that for years.
Also might I recommend you take a gander at GrapheneOS for more intense security capabilities than stock.
The encryption on Android devices is pretty strong, as long as you use a good screen lock you should be fine. Yes they can reset you phone, but accessing your data is a whole other level.
If I had illegal shit on my phone, I wouldn’t send it to apple servers by using an iPhone. They are the first who would comply with a surpena. I’d use GrapheneOS on a Pixel and use an obvious duress pin like 1234. If entered it wipes your encryption keys and avoids restoring your data.
And if it gets stolen, it is gone and I’d get a new one. This is the cost of having proper opsec.
Edit:
But I also think that freedom allows for more exploits.
This is a common misconception called security through obscurity
As everyone is pointing out you’re just wrong about this.
Also apple is overbearing AF. I recently had several back and forths with my IT department about an old company mac laptop I used to have. Since I had signed into my apple account once, Apple permanently tied that laptop to my account and wouldn’t allow the fucking IT department to fully wipe it.
Keep in mind also that I would have preferred to not have or use an apple account (they kind of force it on you, even asking you to login to iCloud constantly even if you’ve literally never used it once), and even though I could login to the apple account in my browser and see that the laptop wasn’t listed under my devices, IT was still locked out.
Literally the only way to fix this was giving the IT dept my apple password so they could authenticate then sign out of it. There was nothing I could do remotely about it. This is a security issue in itself. Zero reason I shouldn’t be able to use my account remotely to remove or sign that device out. Zero reason I should have to give my password to another human. Except for apple being shit.
The apple security theater is widely believed but it’s still largely theater.
Edit: before you tell me I didn’t have to give up my password, understand that I fucking know that. I could’ve driven to the office, told my employer to fuck off, had them ship the laptop, etc… all of which are things that shouldn’t be necessary. I took the least shitty option at the time. Kindly fuck off if you are so dicksloppery on apple that you can’t understand the obvious point: pretending every shit decision is about security doesn’t shield you from all criticism.
Your post details how it isn’t possible for IT professionals to wipe a Mac without the consent of the owner’s account. How is that security theater?
You missed the part where I had to give my password to another human.
Also, I wasn’t the owner, they are. Also, again, it makes zero sense to not allow me to sign it out remotely.
Nothing is secure about a system designed so poorly you have to give out your password. That should never be needed.
Not to mention, I never wanted or needed to sign in. I was just nagged to do so 100 times so I relented. Nothing about that means I own the device.
my account
I wasn’t the owner
You are the owner. For Apple, your IT department is the thief.
You should finish reading the part where the company owned the device.
You couldn’t remote in to type in your password?
I don’t have the type of position where that would be needed or considered appropriate. Why should I need to anyhow? A lot of people are missing the point here. Logging into a service (especially one I didn’t want or need but was harassed into doing it) should not unexpectedly be considered proof of ownership.
The scenario wasn’t that during os setup I was asked to login. And I wasn’t prompted with a warning that this could happen. What happened was every time I opened system settings for months it wanted me to login to iCloud and no matter how many times I refused it just kept asking.
Nothing is secure about a system designed so poorly you have to give out your password. That should never be needed.
You didn’t have to give out your password, in fact you never should. If the machine remains locked, that’s not your problem. Your IT department should have created an admin account on the machine for IT before handing it over to you to avoid this scenario. The IT departments incompetence is not your problem.
If you wanted to unlock it as a courtesy, then they should have offered to send the laptop to you so you could unlock it. You never ever give anyone your password, and IT should know better than to ask for it.
If someone is holding a family member at gunpoint and threatening to kill them if you don’t give up your password; you do NOT give up your password. If an evil mastermind is about to destroy the world, and it can only be saved by you telling your password to another person. You do NOT give your password. There is no valid reason to ever give your password to anyone.
You missed the point entirely. Harassing me into signing into iCloud shouldn’t mean I ever have to do anything inconvenient at all, regardless.
I wasn’t presented with a dialogue that said “login to establish device ownership”. Instead it was “login to iCloud now” dozens and dozens of times. I have never once used iCloud nor will I ever. That part alone was indefensible. But then locking the device to that account is plain stupid and reckless. There are plenty of scenarios where this fucks people worse than having to choose from a few shitty options
I get this as being a bit of a hurdle, but wouldn’t a good option in hind sight be to create a separate work related apple account based on your work email? I’ve done that in the past with various companies for iPhones and MacBooks. Makes it cleaner to return the device and doesn’t compromise my personal account should they ultimately need my credentials on the non-owned-by-me device.
I eventually did do that, but apparently at the time that I was nagged into iCloud for the 1000th time I was quite annoyed and just used my personal account like an idiot.
The thing is, I never expect logging into a service to immediately lock my device to that account. But I’ve since learned not to trust Apple’s login systems for this reason. So yeah, I won’t buy any other apple devices and any work machines will use a work account for everything like that
Man, the last threat the author received was absolutely BEGGING for the navy seal copypasta lololol
The article does not mention reporting it to the police. I get that 99.99% of the time, nothing will come of it, but that’s something I would immediately do. Maybe I just don’t get the rich aspect of going out and buying the newest latest model right away and forgetting about the stolen phone, even if it is theoretically still in the reach of police forces.
No joke my dad found a phone while on public trans on his way home from work and 2 hours later the cops showed up knocked and asked for the phone.
Owner choose not to press charges.
I live in a major US city. Who knew!
It’s literally a waste of my time to report it to the police. Plus I ain’t speaking to the police unless I’m under arrest and even then it’s to say no comment.
Sure if I see someone get murdered or a something serious then sure I’ll speak, but generally the police can get to fuck. They’re not friends and I’ve only ever had bad interactions with them.
99.99% seems optimistic. You’re gonna have to buy a new phone regardless, if it’s stolen then it’s gone. You can either wait a few days and then buy a new one, or you can just buy it right away
What are the police going to do about your phone?
“Yup. It sure is gone now. Have a nice day.”
“it’s a civil issue”
“It’s a shame about the Credence”
Why would anyone ever interact with the police unless it was absolutely required? They’re not gonna care about your phone, and they might shoot your dog in the process.
ACAB
You should never ever ever purposefully attempt to interact with the police.
“Hello, police? I’d like to report my phone as stolen.”
“…Likely story. How are you on the phone with us right now, criminal scum?!”
criminal scum.
This is when the cops roll up and shoot your guar
this sounds like a joke but it isn’t. cops have killed people who called them for help
I also fucking hate Apple, with the same seething rage that redhats hate Windows, and I too must admit this is shockingly effective security.
Is it though? The author of this article knows what they’re doing, but a regular person would probably not be as relaxed with some of the threats. I didn’t see this in the article, how does the thief have the ability to contact the victim?
when you end up with someones iphone (or mac or ipad or whatever) and you want to wipe it, the computer needs you to enter the credentials of their icloud account. it tells you whose icloud credentials you need, just like having the username entered but asking for the password.
icloud usernames can be used to send imessages to the owner of the account, like you could call someone with their phone number or IM them with their screen name.
the idea is that a thief ought not be able to just wipe and repurpose a stolen device but a gifted or purchased device should provide a method to contact the person so the new owner can wipe it.
it works pretty good because if a local thief contacts you trying to get you to let them have your device you can call the cops and you already have a line of contact with the person who has the stolen goods so the police can’t even say “yeah whatever, we don’t care, its gone heres some tissues” and it’s very easy to track them down. it also works great if you buy a used device from someone and they won’t clear it to wipe because if you have a transaction record like on ebay or facebook marketplace or something you can also go to the authorities and say “hey, i bought this, here’s proof, and the person i bought it from won’t relinquish ownership of it”
what happens now is thieves ship a bunch of phones off to somewhere outside the juristiction of the victims governments and then they break em down to be sold for parts. now there’s nothing the authorities can do and the thieves accomplices can try to socially engineer the victims into giving them what they want with impunity.
that’s whats happening in the linked article, the victim is being harassed by whoever bought their phone from a thief.
Sure. My point was that exposing someone to scams like social engineering is really really bad and far less desirable than keeping an open line of communication for a purchase
Eh, I think the alternative is worse. If you could wipe stolen phones with impunity they’d be even more of a theft and fraud target than they already are and if they were just locked down with no way out then it’d be more wasteful than it already is.
my experience with iCloud is pretty bad. I worked in a startup at some point which was giving Macs to employees and sort of expected them to figure it out. We had a few people quit and that’s when we figured out that the macs became shiny useless things since we didn’t have access to wipe the associated account and Apple didn’t help in any way. So, from my experience, this is a horrible “feature”.
Now i find out that it’s even worse and it gives 3rd parties means to harass you… I really think that avoiding theft comes at a far to high a price
lol that sucks for the company but that’s what you get when you don’t use some kind of MDM scheme to retain control over assets. It’s especially costly to learn this lesson with Macs though.
I repair and resell scrap computers and if you’re able to prove ownership or have a business that repairs or otherwise handles Mac computers the people at the Apple Store will disable the lock for you. They take down your name and tax id and stuff though, so there’s some accountability, and it’s not easy to get to that point when you look like a greaseball and aren’t a member of apples authorized repair program. Ask me how I know lol.
Tbh it’s no different than a Chromebook or windows laptop that shows the owners email based username (in the case of windows computers with Microsoft ids it shows the users real name as well!) at the login screen, except that you can’t wipe it and resell it.