
Is iPhone’s Stolen Device Protection enough to be a game-changer?

F-Secure | Mar 18, 2024 | 6 min read

If you haven’t ever lost your smartphone or had it stolen, it’s likely you know someone who has. iPhone theft is a lucrative business for criminals when devices are unlocked.

Apple has integrated many features and functionalities to deter theft and make stolen iPhones hard to use, or even unusable*. These efforts initially reduced the incentive for stealing iPhones, until a more organized theft market emerged that relies on preplanned, yet seemingly innocent, interactions with victims, with the goal of watching them enter their passcodes into their iPhones.

Apple recently introduced a new protection feature to fight back against this type of scenario. This reflects the ongoing dynamic of the phone security market, akin to a cat-and-mouse fight between defenders and offenders.

In this article, I explore how effective iPhone’s Stolen Device Protection feature is at mitigating theft in the real world.

The main issue: knowing iPhone’s passcode unlocks the keys to the kingdom

Once a passcode is observed being entered by a victim, by shoulder surfing for example, thieves can steal the device confident that they can bypass security measures such as Activation Lock or “Find My iPhone”, because they have the passcode needed to unlock the device.

This is a widely reported issue in the US alone. One victim in the United States had her iPhone snatched outside a bar and was locked out of her Apple account within three minutes. Before she had the chance to mark her phone as Lost through the Find My app on her friend’s phone and to notify her bank, she had lost access to her banking apps.

Since passcodes act as a backup to facial or fingerprint authentication, learning one overrides any biometric security. At least, that was the case before Apple introduced the iPhone’s new Stolen Device Protection feature.

When the new Stolen Device Protection feature is enabled, it provides additional security requirements for selected actions when you’re away from familiar locations.

We tested the Stolen Device Protection. It can be bypassed, but Apple to the rescue!

When the Stolen Device Protection feature is active, some actions such as accessing credit cards and stored passwords only work with biometric authentication — Face ID or Touch ID — with no passcode to fall back on. Other actions like changing your Apple ID password require you to wait for an hour and then submit a second Face ID or Touch ID.

A screenshot from an iPhone with Stolen Device Protection feature enabled, while trying to change iCloud’s password.

It’s crucial to understand that a victim’s iPhone might end the security delay prematurely if it recognizes that it has returned to a familiar location.

To dig deeper into how the protection can be bypassed, I needed to test the “Significant Locations” feature. Simply put, Significant Locations is an Apple feature that keeps track of places you frequently visit, such as your home, workplace, or favorite destinations. It uses a combination of GPS, Wi-Fi networks, and possibly the barometric altimeter to determine your location and identify significant places you’ve been to.

How easy is it to trick the “Significant Location” feature?

I conducted initial tests on 5 iPhones, each with a different home address belonging to a real individual. Through these tests, I verified that the barrier to bypassing the Significant Location feature was quite minimal and required no technical knowledge. Merely being near the entrance of the victim’s building or beneath their balcony, even where the residence was on an upper floor (the 5th or 6th floor, for example), was sufficient to make the iPhone’s Significant Location feature recognize the device as being at home. This recognition deactivated certain features, Stolen Device Protection among them.

But how “real” is this attack scenario?

Well, if we consider victims being approached in real life and passcodes being shoulder surfed a real threat — which many articles report to be a viable tactic in busy cities — then the likelihood of this being the next step is quite high.

Many individuals store their complete addresses and other important data in various apps. Having unlocked a stolen iPhone using its passcode, thieves will logically focus on getting the victim’s home address. And they get it by simply opening any map, delivery, or transportation app, then navigating to the victim’s home address.

This assumes that the device hasn’t already been placed in Stolen Device Mode by the victim. But that is a big If — or is it? I’d say no, and here is why!

While numerous iPhone users have two-factor authentication (2FA) enabled, the majority use SMS codes as their 2FA via their SIM card, which, you guessed it, is being used in the stolen phone.

Consequently, iPhone users may find themselves unable to log into their accounts from the place where they lost their phone, since they would need access to the SIM card for the 2FA code. Alternatively, they’d need to return home during the one-hour Device Protection time window to unlock the iPhone using another registered Apple device, if available.

Having the element of surprise and an elaborate plan for unlocking the iPhone, thieves might reach the victim’s home address before the victim does. Simply standing near the entrance of the building or under their house (the location could be guessed from the house number, for example) renders the protection feature useless.

Apple to the rescue in iOS 17.4

At the time of writing this article, Apple introduced an update to mitigate this issue by giving users the option to not let Significant Locations end the security delay. However, this option isn’t on by default, so consider turning it on.

A new update by Apple to always require a security delay before reenabling passcode access to blocked actions.

We recommend updating to the latest iOS and turning the Stolen Device Protection feature on, then choosing the setting to require the security delay “Always” — keeping in mind that doing so imposes the 1-hour delay for changing security features whenever Face ID can’t scan the owner’s face.

When the “Always require security delay” setting was introduced, the Significant Locations list on some of the test iPhones was purged. It’s unclear why this happened, or whether Apple intended it.
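To make the difference between the default setting and “Always” concrete, here is a toy model of the rules exactly as this article describes them. It is an added illustration, not Apple’s code; the action list, the Device class, the scenario functions and the location names are assumptions made for the example.

```python
"""Toy model of the Stolen Device Protection (SDP) rules as the article describes
them. Added illustration only, not Apple's code; the rule set is an assumption."""
from enum import Enum

DELAY_SECONDS = 3600  # the one-hour security delay described in the article


class Action(Enum):
    VIEW_PASSWORDS = "view stored passwords"           # biometric only, no delay
    CHANGE_APPLE_ID_PASSWORD = "change Apple ID pass"  # biometric, wait, biometric


class Device:
    def __init__(self, significant_locations, always_require_delay=False):
        self.significant_locations = set(significant_locations)
        self.always_require_delay = always_require_delay  # the iOS 17.4 setting
        self.pending = {}  # action -> time the security delay started

    def request(self, action, *, now, location, biometric_ok, passcode_ok):
        """Return 'ALLOWED', 'DENIED' or 'WAIT' for a protected action."""
        if location in self.significant_locations and not self.always_require_delay:
            # Default behaviour per the article: at a Significant Location the
            # protection is waived, so the passcode is accepted again.
            self.pending.pop(action, None)
            return "ALLOWED" if (biometric_ok or passcode_ok) else "DENIED"
        if not biometric_ok:
            return "DENIED"  # no passcode fallback for protected actions
        if action is Action.VIEW_PASSWORDS:
            return "ALLOWED"
        started = self.pending.setdefault(action, now)
        if now - started < DELAY_SECONDS:
            return "WAIT"  # first Face ID started the clock; come back later
        del self.pending[action]
        return "ALLOWED"  # second successful Face ID after the delay


def thief_scenario(always_require_delay):
    """Constructed scenario from the article: the thief knows the passcode, fails
    Face ID, tries at the bar and then from outside the victim's home."""
    dev = Device({"home"}, always_require_delay)
    kw = dict(biometric_ok=False, passcode_ok=True)
    at_bar = dev.request(Action.CHANGE_APPLE_ID_PASSWORD, now=0, location="bar", **kw)
    at_home = dev.request(Action.CHANGE_APPLE_ID_PASSWORD, now=600, location="home", **kw)
    return at_bar, at_home


def owner_scenario():
    """Owner with working Face ID, away from every familiar location."""
    dev = Device({"home"}, always_require_delay=True)
    kw = dict(biometric_ok=True, passcode_ok=True, location="cafe")
    first = dev.request(Action.CHANGE_APPLE_ID_PASSWORD, now=0, **kw)
    second = dev.request(Action.CHANGE_APPLE_ID_PASSWORD, now=DELAY_SECONDS, **kw)
    return first, second
```

With the default setting the thief is denied at the bar but allowed once the phone is outside the victim’s home; with “Always” the second attempt is denied too, while the legitimate owner still gets through after the one-hour wait.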

Stolen Device Protection — Appendix

Tests conducted:

One of the most prominent functionalities added by Apple as anti-theft measures is the “Activation Lock” or “Find My iPhone” feature.

Activation Lock is a security feature that ties an iPhone to the Apple ID of its owner. When Find My iPhone is enabled on a device, it prevents anyone else from activating or using that device without first entering the Apple ID and password of the owner, even if the device is restored to factory settings.

This means that if someone steals an iPhone and attempts to reset it or activate it with a new Apple ID, they will be prompted to enter the original owner’s credentials. Without these credentials, the device remains locked and essentially unusable, acting as a strong deterrent against theft.
