WSJ Report of iPhone Passcode Vulnerability

Dear Community

I recently saw a WSJ report that iPhone thieves could access almost everything you’ve connected to your phone.

If that happens, I’d like to log out BT from all of my devices. However, I didn’t see an option to do so, but only saw “Deauthorize sessions”.

Does deauthorizing sessions log you out from all of your devices?

Yes, but I believe it can take up to an hour before all devices are logged out.

1 Like

Props to WSJ for highlighting the iCloud issue.

1 Like

@sl-bw Welcome to the forum!

Thanks for posting this interesting video. Since @RogerDodger already answered your question, I’ve taken the liberty of changing the title of this topic to give it better visibility (from “Log out BT from all of your devices” to “WSJ Report of iPhone Passcode Vulnerability”).

A TL;DW of the WSJ video is that thieves have been stealing iPhones after watching the owner enter the iPhone passcode (often a 4-digit number), which then makes it possible for them to access the Keychain password manager and other sensitive information. The iPhone passcode is all that is needed to change the Apple ID password, so thieves quickly make this change after stealing the phone (and they can then further lock out the owner by disabling the “Find My iPhone” function, logging out all trusted devices, changing the trusted phone number and enabling a recovery key). Next, thieves can access all passwords stored in the iCloud Keychain, because this can be unlocked using the iPhone passcode (which is known to the thieves), bypassing Face ID. Any bank accounts that have 2FA methods that send codes to the iPhone (such as TOTP) can then be accessed. If the iPhone owner has stored pictures of their SSN card, driver’s license, passport, etc. on the phone or in iCloud, they are then vulnerable to identity theft (e.g., credit cards opened in the owner’s name).

That video is what made me decide to use Bitwarden for sensitive passwords.
Very scary video!….Brian

Thanks grb. I wonder, if someone stores their BT master passcode in the iPhone Keychain password manager, will thieves be able to log in or get access to their BT on their phone just through a 4-digit passcode? If that is the case, it’s better to warn BT users not to store their passcode there.

Yes, according to the information in the video, this would be possible, especially if the user has a 2FA method such as TOTP. In addition, an iPhone user will probably have the Bitwarden mobile app installed and logged in. Thus, such users should confirm that the method used for unlocking the Bitwarden vault cannot be bypassed by someone who knows the iPhone passcode (for example, if biometrics are used to unlock the Bitwarden vault, can this be bypassed using the iPhone passcode, as shown in the video?).

I find that some apps I have on my phone require you to set up a passcode first before you can turn on “use Face ID to unlock”. In BT’s iOS app, under Settings/SECURITY, I set “Unlock with Face ID” to on, and “Unlock with PIN code” to off. In this way, it seems like I can only get access to my BT via my face or the master passcode of BT. Since my BT master passcode is not stored anywhere but my brain, theoretically no one can access my BT except me. But if you set your phone as your 2FA, have the Gmail app installed, or have other 2FA apps on your phone, I guess it is still possible for someone to change your BT master passcode via the web.

I tested with my iPhone.
I covered the Face ID camera; the passcode unlocks the phone, but I cannot get into BW without the BW master password if I keep the Face ID camera covered.

I didn’t test this, but if the passcode is used to change the registered face in Face ID, then the BW master password is required to get into BW (for the first time) even if the Face ID camera is uncovered. I’m pretty sure of that from the initial setup.

So I think BW is covered.

Apple definitely still needs to fix how the device’s passcode lets someone take over the iCloud account so easily, though.
Maybe Apple’s new iCloud security keys feature does this?

1 Like

I switched the few PIN-unlockable apps on my phone to biometric after reading about this vulnerability. You can’t spy my fingerprint by looking over my shoulder (though I admit biometrics have their own risks, thus I have Lockdown Mode enabled on my phone).

This is what happens for me as well, so I do think BW is OK now. As for the iPhone, the thing is you can just change your Apple ID via a 4/6-digit passcode in Settings if you’re signed in to your iCloud, so someone could disable Find My, you won’t be able to lock your iPhone, and that person will have full access to all apps on your phone.

An additional layer that might mitigate such compromises is to set up a second, different passcode in the iPhone “Screen Time” setting. Within Screen Time are secondary settings with app, content and privacy restrictions. With this activated, passcode changes can be protected by that second passcode. That might mitigate bypassing Face ID settings, as the Screen Time setting doesn’t allow registering new faces without that second passcode. It also allows locking apps down with that second passcode.

1 Like

This can be by-passed as described in a discussion of this topic on reddit: