Credit: Tommaso79

However, the popularity and value of the iPhone still makes it a desirable target, and for professional thieves, where there’s a will, there’s a way. Although the Activation Lock itself may still be secure, there are other ways that criminals can attempt to bypass a locked iPhone through “social engineering” tactics — convincing either Apple or the original user to simply switch the feature off.

We reported earlier this year on some of these techniques, which include generating fake receipts to try and convince Apple that the thief is the legitimate owner of the stolen iPhone, as well as phishing attacks directed at the original owner to attempt to get them to supply their Apple ID and password, often through a fake “Find My iPhone” page or another related method that convinces the user that their lost iPhone has been found, and that the poor victim simply needs to supply this information — or even disable Activation Lock themselves — in order to be reunited with their device.

Defeating Remote Wipe

Since users who find their iPhone missing often put it remotely into “Lost Mode” and supply a contact number in the hopes that an honest person will offer to return into them, thieves can of course use this information to contact the original owner and attempt to scam them into giving up additional information.

However, a new report from Engadget reveals that thieves and hackers may be able to get more information from a locked iPhone than they should. According to the report, the teenage son of leading security expert Marc Rogers, technical advisor for Mr. Robot and organizer of the world’s largest hacking conference, DEF CON, recently had his iPhone stolen, with the thieves resorting to some tricks that baffled even Rogers.

As one might expect from someone with Rogers’ credentials, his son’s iPhone was configured almost as securely as an iPhone can be, with all of the latest iOS updates installed and an actual strong password rather than just a four-digit code.

Since this was my kid we are talking about, the phone was up to date and had a strong password and FaceID enabled, and activation lock was turned on. As soon as the phone was found to be missing it was switched to Lost Mode and later a wipe command was sent to it.

Marc Rogers, in an email to Engadget

Rogers also added that his son noticed the phone missing less than ten minutes after its theft and immediately “began security protocols,” switching it to Lost Mode and later sending a remote wipe command.

While this should have been the end of the story, Rogers quickly realized that he was dealing with experienced iPhone thieves. Firstly, the iPhone had dropped completely off the grid, acknowledging neither the Lost Mode activation or the remote wipe. This led Rogers to believe that the iPhone had either been powered down immediately or placed in a bag that would block radio frequency signals.

Since professional criminals are well aware of Activation Lock by now, this is known to be par for the course when an iPhone is stolen by an experienced thief, and specialized bags aren’t necessarily required — even putting it inside an empty potato chip bag can be enough to block cellular signals from reaching the iPhone, thereby defeating attempts to remotely wipe it. Alternatively, simply powering down the iPhone also works just as well, and in either case, the thief takes the iPhone to a place where no signal can reach it before powering it back up to inspect it.

Switching the iPhone off or blocking its cellular signal won’t bypass Activation Lock, but it does prevent the phone from being remotely wiped, which means that all of the user’s data — and contact information — remains theoretically accessible, simply hiding behind their password. Once an iPhone is remotely wiped, thieves have almost no chance of getting any contact information that could be used to launch a phishing attack against the original owner, and ultimately the hope is that they manage to score an iPhone with an older iOS version with security vulnerabilities or a very simple passcode that make it possible to hack into it.

‘Spearphishing’

In the case of Marc Rogers, however, what happened next was more surprising. A few days after the theft, the teen began receiving “highly targeted messages using information they had apparently managed to extract” from his iPhone. Considering that the iPhone was running the latest version of iOS and used a complex password, this information should not have been accessible by thieves.

According to Rogers, the information included not only the child’s correct Apple ID and its associated email address, but also the phone number associated with it, “even though the SIM card had been killed.” Using this info, the attackers “sent a range of different messages trying to several different social engineering tactics” to try and get Rogers’ son to give up his password or disable the Activation Lock himself.

The attacks were made in the form of text messages and iMessages that were made to look like they came from Apple, although the attackers also “rotated through a range different mobile numbers” and iCloud addresses, likely to avoid detection or simply being blocked.

Rogers did some digging online and discovered how common of a problem this is becoming, with many users who have lost their iPhones being directed to click on links in phishing messages that will redirect them to fake “Find My iPhone” pages.

Apple forums are full of users asking for help after clicking on similar phishing emails. After which their phone is almost instantly deleted from their account, never to be seen again.

Marc Rogers

What was even more surprising to Rogers was how widespread these “spearphishing” attacks are and the way in which they’re being used. Normally, Rogers notes, this kind of very personalized attack is used against “high-value targets” like directors of companies and government officials. The fact that it’s now being used against “ordinary smartphone users” suggests that the tools to launch these kinds of attacks have become commonplace.

Leaking Contact Info

However, the most serious thing about Rogers’ experience is that the thieves were able to obtain his son’s contact info from an iPhone that should have been well-secured, which suggests that there’s a bad privacy or security bleed happening somewhere in the system, whether it’s from the iPhone itself or via the carrier networks.

All smartphone manufacturers and the mobile carriers need to find out how the attackers are harvesting personal information from their victims with nothing but a locked stolen phone. Clearly they have found a route they can leverage to extract key pieces of information, likely through a multi-step process. A thief should not be able to extract the victim’s contact information from a locked stolen device.

Marc Rogers

There are also valid ways that a thief could obtain contact information from a locked iPhone. For example, there may have been uncleared notifications in Notification Center that could display any number of personal details, in addition to widgets on the Today screen, or even cards in Apple’s Wallet app.

Notably, a bug found in iOS 13 a few days before its public release allowed users to bypass the iPhone lock screen to view contact info, and while the issue was reported to Apple back in July, it wasn’t patched until iOS 13.1 was released. Rogers doesn’t specify what version of iOS his son was running, other than that it was up to date, however in an article by Rogers on Dark Reading, he notes that the theft occurred on June 30, during the San Francisco Pride Parade, at which time the latest non-beta version of iOS was 12.3.1 (12.3.2 for the iPhone 8 Plus). The iOS 13 public betas available at that time, however, would likely have suffered from this particular vulnerability.

What This Means For You

While the idea that thieves can get into your stolen iPhone is concerning, it’s still unclear from Rogers’ story exactly how much information they could access, or even whether they obtained his son’s contact info from the iPhone itself as opposed to using other means. Certainly, despite Rogers’ note that the SIM card “had been killed,” it’s likely that the number was still stored on the card itself, plus if the phone remained out of data coverage, any “kill” instructions from the cellular carrier would not have reached the iPhone anyway.

Regardless, however, the same basic internet safety rules apply here when dealing with a stolen iPhone, and no matter how badly you want to be reunited with your device, it’s important to treat any communications you receive with a healthy dose of skepticism.

1. Don’t turn off Find My iPhone. Ever. Apple will never request that you do this for a lost or stolen iPhone, and there is absolutely no reason why anybody who has “found” your iPhone would need you to do this either. The minute you disable the feature, you’ve basically surrendered your iPhone to the thief.
2. Don’t click on links sent to you. No matter how you receive a link, or how trustworthy or legit the email or message looks, just don’t do it. If you need to log into Apple’s Find My iPhone portal to check on the status of your lost iPhone, make sure you open a new browser page and go directly to the page by typing in the address. Better yet, use the Find My app on another iPhone or iPad if you have one available, even if it’s from a friend or family member.
3. Set a strong alphanumeric password on your iPhone. One of the biggest hidden benefits of Face ID and Touch ID is that you don’t need to type in your password very often. This makes it much easier to use a complex alphanumeric passcode, rather than a four- or six-digit code that can more easily be compromised by hackers. Here’s how to set one up.
4. Disable Notification Previews for Sensitive Apps. Even on a secured iPhone, Notification Center can be a treasure-trove of information, so it’s a good idea to disable Notification Previews for apps that might show data that you wouldn’t want anybody else — especially a thief — to see. Plus, if you’re using a Face ID equipped iPhone, hiding your notification previews won’t get in the way of seeing them yourself, as they’ll automatically be unhidden as soon as it recognizes your face. See here for how to do this.
5. Disable Lock Screen Features. If you really want to make sure your iPhone is secure, you can lock down your lock screen even further, preventing access to the Today View, Notification Center, Control Center, Wallet, and more. Although this may make your iPhone a little less convenient to use, it significantly reduces the amount of information that would be available to a thief, and again with a Face ID equipped iPhone, it shouldn’t be too cumbersome, as you’ll only use most of these features when you’re looking at your iPhone anyway, in which case they’ll still be available once your iPhone recognizes your face. Here’s how to change these settings.
6. Act fast. If your device is lost or stolen, don’t delay — enable Lost Mode immediately and if you’re concerned about your sensitive data, set it to remote wipe. It may not work, but you’ve got nothing to lose by trying, and even if it doesn’t happen right away, Apple’s servers will queue up the request and send it out as soon as your iPhone reappears. Lost Mode also silences all alerts from appearing on the device, improving privacy and security. It also immediately invalidates all of your Apple Pay and student ID cards — even if your device isn’t online, and as secure as Apple Pay already is, this aspect alone is a very good reason to enable Lost Mode even if you think your iPhone has no chance of reappearing.