This a good example of a security feature that can sometimes harm security:
Apple introduced the optional recovery key in 2020 to protect users from online hackers. Users who turn on the recovery key, a unique 28-digit code, must provide it when they want to reset their Apple ID password.
iPhone thieves with your passcode can flip on the recovery key and lock you out. And if you already have the recovery key enabled, they can easily generate a new one, which also locks you out.
Apple’s policy gives users virtually no way back into their accounts without that recovery key. For now, a stolen iPhone could mean devastating personal losses.
It’s actually a complicated crime. The criminal first watches their victim type in their passcode and then grabsd their phone out of their hands. In the basic mode of this attack, they have a few hours to use the phone—trying to access bank accounts, etc.—before the owner figures out how to shut the attacker out. With the addition of the recovery key, the attacker can shut the owner out—for a long time.
The goal of the recovery key was to defend against SIM swapping, which is a much more common crime. But this spy-and-grab attack has become more common, and the recovery key makes it much more devastating.
Defenses are few: choose a long, complex passcode. Or set parental controls in a way that further secure the device. The obvious fix is for Apple to redesign their recovery system
There are other, less privacy-compromising methods Apple could still rely on in lieu of a recovery key.
If someone takes over your Google account, Google’s password-reset process lets you provide a recovery email, phone number or account password, and you can use them to regain access later, even if a hijacker changes them
Going through the process on a familiar Wi-Fi network or location can also help demonstrate you’re who you say you are.
Or how about an eight-hour delay before the recovery key can be changed?
This not an easy thing to design for, but we have to get this right if as phones become the single point of control for our lives.
More Stories
Friday Squid Blogging: Squid Game Season Two Teaser
The teaser for Squid Game Season Two dropped. Blog moderation policy. Read More
Clever Social Engineering Attack Using Captchas
This is really interesting. It’s a phishing attack targeting GitHub users, tricking them to solve a fake Captcha that actually...
US Cyberspace Solarium Commission Outlines Ten New Cyber Policy Priorities
In its fourth annual report, the US Cyberspace Solarium Commission highlighted the need to focus on securing critical infrastructure and...
Cybersecurity Skills Gap Leaves Cloud Environments Vulnerable
A new report by Check Point Software highlights a significant increase in cloud security incidents, largely due to a lack...
Going for Gold: HSBC Approves Quantum-Safe Technology for Tokenized Bullions
The bank giant and Quantinuum trialed the first application of quantum-secure technology for buying and selling tokenized physical gold Read...
This Windows PowerShell Phish Has Scary Potential
Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who...