If you’re running iOS 11 on your Apple iPhone, make sure you’ve got an alphanumeric password, or at least a six-digit PIN, protecting your lockscreen.
Why? Because that lockscreen passcode may be the only thing standing between you and complete identity theft. With iOS 11, Apple purportedly makes it possible to reset the passwords on both your Apple ID and your iPhone backup in iTunes with only your iPhone’s lockscreen PIN – which isn’t that hard for an attacker to get.
“Once an intruder gains access to the user’s iPhone and knows (or recovers) the passcode, there is no single extra layer of protection left,” wrote Oleg Afonin, a researcher for Russian forensics firm Elcomsoft, in a blog posting last week. “Everything (and I mean, everything) is now completely exposed.”
This means that even a casual thief could use your iPhone to hijack your Apple ID, your iCloud account and any third-party accounts — Google, Facebook, and so on — whose login credentials are stored in your Apple Keychain.
Elcomsoft makes software used by police to break into suspects’ smartphones. Conveniences added by Apple to iOS 10, the researchers say, made the new iPhone software less secure than it was in earlier versions of iOS, and iOS 11 makes things worse. Ironically, enabling two-factor authentication (2FA) on your Apple account seems to make this takeover easier.
Lockscreen PIN level-up
When iOS 10 was released last year, Afonin and his colleagues noticed something new: If you had 2FA enabled on your Apple account, you could reset the Apple ID password simply by entering the lockscreen passcode for your iPhone.
And if you had recently unlocked your iPhone with the lockscreen passcode (but not Touch ID), then you wouldn’t need to enter anything at all. You could simply go into your iPhone’s Settings to reset your Apple ID password, without authentication. (You can do the same thing in the Find My iPhone app on iOS 10 and 11, the Elcomsoft researchers say.)
Sounds reasonable? It may not be. In earlier versions of iOS, say Elcomsoft’s people, you’d have had to answer security questions to reset your Apple password, regardless of whether you knew the lockscreen passcode for your iPhone, or had recently unlocked it using your lockscreen PIN. That’s the way it should work.
But on iOS 10, that safeguard was removed, and even a casual thief who happened to see you enter your lockscreen PIN before he stole your iPhone, or snatched it out of your hand soon after you unlocked the screen, would be able to reset your Apple ID password and take over your Apple account.
However, if a thief used this method to hijack your Apple account, he wouldn’t necessarily be able to hijack non-Apple accounts as well. (He could certainly try, as he’d now receive one-time 2FA codes texted to your phone.)
Lockscreen PIN God Mode
But a change in iOS 11 makes hijacking third-party accounts possible, say the Elcomsoft researchers. Previously, when you backed up all the data on your iPhone to a PC or Mac using iTunes, and then secured that backup with a passcode, that passcode (which should be different from the lockscreen passcode AND your Apple ID passcode) would be required to access ALL backups made from your iPhone — even backups made to a new PC or Mac.
Now, with iOS 11, you don’t need to know that backup passcode to access the backup. You can simply reset the backup password — using, again, your iPhone’s lockscreen PIN.
That doesn’t sound so bad at first, right? But it is because, per the Elcomsoft researchers, poking into the iPhone backup on a PC or Mac (especially with software tools such as Elcomsoft’s own $79 Phone Breaker) reveals things that you couldn’t get on the iPhone itself.
These include the Keychain, Apple’s built-in password manager, which stores usernames and passwords for third-party accounts such as Google, Facebook and Twitter.
“This is just scary,” Afonin wrote in his blog post. “Why Apple decided to get rid of the system that used to deliver a seemingly perfect balance between security and convenience is beyond us.”
Apple did not immediately return a request for comment from Tom’s Guide.
You may have heard that brute-forcing an iPhone’s lockscreen PIN is hard. After all, didn’t the FBI have a hell of a time getting into the San Bernardino shooter’s iPhone? Apple makes it hard by increasing the amount of time between each failed guess of a PIN, finally locking the iPhone temporarily after six failed attempts.
However, there are ways to get around these safeguards and brute-force a four-digit PIN in a few days. This $300 device introduced a couple of year ago did so, but may no longer work.
How to at least make this less bad
You should really be using at least a six-digit PIN, which Apple made the default when creating a new PIN in iOS 9, although you can override that easily or continue to use a four-digit PIN on an upgraded device. A six-digit PIN has a million possible combinations; a four-digit one has only 10,000 possible combinations.
Better still is an alphanumeric lockscreen password comprising numbers, punctuation marks, lowercase letters and uppercase letters. Even a four-character password made up of the 85 or so standard U.S. keyboard characters would have something like 50 million possible combinations — not enough for an online password (such as your Apple ID), but fine for a device that drastically limits the rate of brute-force guessing.
To enable an alphanumeric password, go to Settings, then Touch ID & Passcode. Type in your existing passcode. Select Change Passcode, then type in your existing passcode again. At this stage, select Passcode Options, then select Custom Alphanumeric Code. (Thanks to Tom’s Guide colleague Andrew Freedman for showing us how to do this.)
You wouldn’t need to enter the password every time you unlocked your screen if you have Touch ID or Face ID enabled; you’d need it only when power-cycling your phone, or when you hadn’t used your phone for a few days. It would also be tougher for a “shoulder surfer” to guess your passcode if he’d seen you enter it only once.
So use that alphanumeric password for your lockscreen instead of a PIN. It’s a minor inconvenience made up for with a major improvement in security.