Passcode & recovery key vulnerability: How to prevent (violent) thief from creating 2nd recovery key via passcode

I'm curious how I can prevent potential future (violent) thieves from using my acquired passcode to enter security settings, generate a new recovery key and lock me out of my Apple ID (preventing me from wiping the iPhone).


It seems like once a recovery key is set, whoever has the phone can still disable it / set a different recovery key using only the phone's passcode. Right now I have account setting changes locked with my screen activity passcode, however this one could also be compromised easily.


The only real viable alternative currently seems to be to buy a second phone for sensitive information and apps. Apart from being completely locked out of my Apple ID, I'm also worried about a thief being able to access Keychain with the passcode. Most banking apps have different login codes in place as an additional layer of security. WhatsApp is a 3rd vulnerability for me. I set up the in-app Face ID requirement, however it automatically gets disabled after the 3rd attempt, prompting for the passcode 🤯.

iPhone 13 Pro, iOS 16

Posted on Jun 14, 2023 6:12 AM

3 replies

Jun 15, 2023 1:50 PM in response to SE001

Hi SE001,


Thanks for the post. It sounds like you have some concerns about Advanced Data Protection. We're happy to assist as much as possible. We'd be unable to speculate about the hypothetical scenario you described, but we have some good information to share. This link covers how Advanced Data Protection works: How to turn on Advanced Data Protection for iCloud - Apple Support


We also recommend reviewing this resource, which provides the best information about security and your data: iCloud data security overview - Apple Support


If you want to share any suggestions about how Advanced Data Protection works, we always welcome feedback and you can submit yours with the following link: Product Feedback - Apple


We hope this information is helpful. Let us know if you have follow-up questions.


Best wishes.

Jun 17, 2023 6:53 AM in response to ryane77

Hi Ryan,


Thank you for your answer. It is actually not a hypothetical scenario - I live in Brazil and have recently been robbed at gunpoint, where the thieves pressed me for my passcode. Naturally afterwards I became curious what the potential collateral damage could extend to. For reference, this is something that’s becoming more frequent down here - and, according to a WSJ journal article, also in the US (albeit with less violent tactics).


I’ve read the article you shared, thank you, however it doesn’t seem to address my concern!


I’ve been able to generate a secret key. However, it seems like even with a secret key, and my phone number (the phone number which is used with the device in question) as a trusted number, this poses a threat in case both the phone and passcode are obtained by a thief. With the passcode, it is possible in the advanced settings to generate a new recovery key (apparently this is due to someone losing their previous one), and then use this new recovery key to lock the owner out of their iCloud account. There are numerous reports online that describe this problem. This way, it becomes impossible for the owner to access their Apple ID account or erase their phone, effectively handing it over to the thief.


Best

This thread has been closed by the system or the community team.
