Is iPhone’s Stolen Device Protection Enough to be a Gamechanger? We Tested It.

Ash Shatrieh

18.03.24 6 min. read

If you haven’t ever lost your smartphone or had it stolen, it’s likely you know someone who has. iPhone theft is a lucrative business for criminals when devices are unlocked.

Apple has integrated many features and functionalities to deter theft and render stolen iPhones challenging to utilize, or even unusable*. These efforts initially reduced the incentive for stealing iPhones, until a more organized theft market emerged, one that relies on preplanned yet seemingly innocent interactions with victims, with the goal of watching them enter their passcodes into their iPhones.

Apple recently introduced a new protection feature to fight back against this type of scenario. This reflects the ongoing dynamic of the phone security market, akin to a cat-and-mouse fight between defenders and offenders.

In this article, I explore the effectiveness of iPhone’s Stolen Device Protection feature in mitigating theft in the real world.

The main issue: Knowing an iPhone’s passcode unlocks the keys to the kingdom

Once a passcode is observed being entered by a victim, by shoulder surfing for example, thieves can then steal the device, confident that they can bypass any security measures such as Activation Lock or “Find My iPhone” because they have the necessary passcode to unlock the device.

This is a widely reported issue in the US alone. One victim in the United States had her iPhone snatched outside of a bar and was locked out of her Apple account within three minutes. Before she had the chance to mark her phone as Lost through the Find My app on her friend’s phone and notify her bank, she had lost access to her banking apps.

Since passcodes act as a backup to facial or fingerprint authentication, learning the passcode would override any biometric security. At least, that was before Apple introduced the iPhone’s new Stolen Device Protection feature.

When the new Stolen Device Protection feature is enabled, it provides additional security requirements for selected actions when you’re away from familiar locations.

We tested the Stolen Device Protection. It can be bypassed, but Apple to the rescue!

When the Stolen Device Protection feature is active, some actions, such as accessing credit cards and stored passwords, only work with biometric authentication – Face ID or Touch ID – with no passcode to fall back on. Other actions, like changing your Apple ID password, require you to wait for an hour and then submit a second Face ID or Touch ID.

A screenshot from an iPhone with Stolen Device Protection feature enabled, while trying to change iCloud's password.

It’s crucial to understand that a victim’s iPhone might end the security delay prematurely if it recognizes that the iPhone has returned to a familiar location.

To dig deeper into how the protection can be bypassed, I needed to test the “Significant Locations” feature. Simply put, “Significant Locations” is an Apple feature that keeps track of places you frequently visit, such as your home, workplace, or favorite destinations. It uses a combination of GPS, Wi-Fi networks, and possibly the barometric altimeter to determine your location and identify significant places you’ve been to.

How easy is it to trick the “Significant Location” feature:

I’ve conducted initial tests on 5 iPhones, each with different home addresses belonging to real individuals. Through these tests, I’ve verified that the barrier to bypassing the Significant Location feature was quite minimal and did not require any technical knowledge. Merely being near the entrance of the victim’s building or beneath their balcony, even in cases where the residence was situated on an upper floor (6th or 5th floor for example), was sufficient to prompt the iPhone’s Significant Location feature to recognize the device as being at home. This recognition deactivated certain features, one of them being Stolen Device Protection.

But how “real” is this attack scenario?

Well, if we consider victims being approached in real life and passcodes being shoulder surfed a real threat – which many articles point out to be a viable tactic in busy cities – then the likelihood of this being the next step is quite high.

Many individuals store their complete addresses and other important data in various apps. Having unlocked a stolen iPhone using its passcode, thieves will logically focus on getting the victim’s home address. And they get it by simply opening any map, delivery, or transportation app, then navigating to the victim’s home address.

This assumes that the device hasn’t already been placed in Stolen Device Mode by the victim. But that is a big If – or is it? I’d say no, and here is why!

While numerous iPhone users have two-factor authentication (2FA) enabled, the majority use SMS codes as their 2FA via their SIM card, which, you guessed it, is being used in the stolen phone.

Consequently, iPhone users may find themselves unable to log into their accounts from the place where they lost their phone, since they would require access to the SIM card for the 2FA code. Alternatively, they’d need to return home during the one-hour Device Protection time window to unlock the iPhone using another registered Apple device, if available.

Having the element of surprise and an elaborate plan on how to unlock the iPhone, thieves might reach the victim’s home address before the victim. And simply standing near the entrance of the building or under their house (could be guessed from the house number for example) renders the protection feature useless.

Apple to the rescue in iOS 17.4:

At the time of writing this article, Apple introduced an update to mitigate this issue by giving users the possibility to bypass significant locations. However, this option isn’t on by default, so consider turning it on.

A new update by Apple to always require a security delay before reenabling passcode access to blocked actions.

We recommend updating to the latest iOS and turning the Stolen Device Protection feature on, then setting the security delay requirement to “Always” – keeping in mind that doing so will impose the 1-hour delay for changing security features if Face ID can’t scan the owner’s face.

When the “Always require security delay” option was introduced, the Significant Location list on some of the test iPhones was purged. It’s unclear why this happened, and whether it was intended by Apple.

Stolen Device Protection – Appendix:

Tests conducted:

| iPhone model | Home address floor no. (ground = 1) | Device protection bypassed? |
|---|---|---|
| iPhone 13 pro | 2 | Yes |
| iPhone 13 mini | 2 | Yes |
| iPhone 13 | 2 | Yes |
| iPhone 13 | 5 | Yes |
| iPhone 13 mini | 6 | Yes |

Functionalities added by Apple as anti-theft measures:

One of the most prominent features is the “Activation Lock” or “Find My iPhone” feature.

Activation Lock is a security feature that ties an iPhone to the Apple ID of its owner. When Find My iPhone is enabled on a device, it prevents anyone else from activating or using that device without first entering the Apple ID and password of the owner, even if the device is restored to factory settings.

This means that if someone steals an iPhone and attempts to reset it or activate it with a new Apple ID, they will be prompted to enter the original owner’s credentials. Without these credentials, the device remains locked and essentially unusable, acting as a strong deterrent against theft.

 
