Stop using 6-digit iPhone passcodes

26 points, by sc90, over 4 years ago

8 comments

aeternum, over 4 years ago

There's no evidence the 6-digit passcode was the issue here. It is more likely the thieves immediately turned off the device then used an (offline) chain of vulnerabilities to pull sensitive data off the phone. That's typically how these hacks go.

If no vulnerabilities are available, the thieves will often just keep the phone offline until one becomes available.
easton, over 4 years ago

Why didn't he click to wipe the device but keep it in lost mode? I could've sworn that was an option, and based on the attackers' movements, they would have had to put the iPhone back on the internet at least for a couple of minutes to get the Apple ID reset, which would've been enough time for the wipe command to process.
rvz, over 4 years ago

This.

Use a complex password never written down, just like you do with a master password for a password manager.

Also set it to wipe your phone after 10 tries so that thieves can never obtain your details like this.
salmon30salmon, over 4 years ago

Wait. If his phone was unlocked while it was swiped, the thief could have simply kept it unlocked through interaction throughout the entire heist. Why make it more complex than that?
2OEH8eoCRo0, over 4 years ago

Shouldn't the security chip use its own timer to make you wait longer and longer between failed attempts?
jtsiskin, over 4 years ago

Why spend $2,500 on in-app purchases? This makes it seem like this app is somehow colluding with the thieves.
RandomBacon, over 4 years ago

Maybe the thieves are on the lookout for anyone entering their passcode into the phone in public. If they manage to see the passcode or swipe pattern, then they'll steal the phone.

I've never seen anyone take steps to prevent others from seeing their passcode or swipe pattern in public.
n3k5, over 4 years ago

Gruber wrote about this yesterday:

> I [used a 6-digit passcode] thinking, basically, that even though a 6-digit passcode is less secure, anything truly dangerous like disabling Find My iPhone requires my iCloud password as well. It simply never occurred to me that if a thief (or law enforcement, or any adversary) has the device passcode, and your iCloud password is in your keychain, they can get your iCloud password from your keychain. All you need is the device passcode to access all of the passwords in iCloud keychain.

— https://daringfireball.net/linked/2020/08/24/can-thieves-crack-6-digit-iphone-passcodes

Btw., I'm sceptical about this part of the original Twitter thread:

> why [is a weak passcode] an acceptable alternative to biometric verification to decrypt your keychain

This assumes that biometric verification is better for this purpose. I don't think that's the case when the attacker grabbed the device right out of your hand and then gets to work on it for several hours. What your face or fingerprints look like isn't all that secret. Fooling the device into accepting a clone as the real thing takes some expertise and special equipment and time — but so does "using some kind of device like the GrayKey".

When it comes to somewhat sophisticated attacks (as opposed to keeping your shoulder-surfing kids from making in-app purchases), Touch ID and Face ID are merely improvements for people who would otherwise use no passcode (or '00000'). I hope what they'll actually be used for, eventually, is sparing you from having to re-enter the same code you just unlocked your device with ten minutes ago in cases where you had it in your hand or in front of your face that whole time.

This would allow for more nuanced threat models. For example, just seeing your home screen and then opening your podcast feed could have a way longer time-out, whereas toggling 'Find My …' still requires a password every single time. That sort of convenience would convince me to use these features.

But for now, if you want an alternative to a 6-digit code that's definitely more secure, use an alphanumeric passphrase. Quoting Gruber's post once more:

> a 6-character alphanumeric passphrase would take on average 72 years to crack by brute force because it takes 80-milliseconds for the secure enclave to process each guess.
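As an added example, not code from the thread or from any of the commenters: the arithmetic behind the "72 years" figure above, generalised to other passcode policies, plus a model of the escalating lock-screen delays one commenter asks about. The 80 ms per-guess cost is the Secure Enclave figure quoted in the thread; the alphabet sizes, the lockout schedule and the wipe-after-10 setting are assumptions chosen for illustration (the schedule is the one I believe iOS applies, but check it against Apple's Platform Security guide rather than taking it from here). Offline brute force assumes the attacker can drive the Secure Enclave directly and the only cost is the per-guess delay, which is the GrayKey-style scenario discussed above.

```python
# Added example (not from the original page): brute-force cost of passcode
# policies at the 80 ms per-guess Secure Enclave cost quoted in the thread.
# Alphabet sizes, lockout schedule and wipe threshold are assumptions.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PER_GUESS_SECONDS = 0.080  # per-guess cost quoted in the thread

# Assumed policies: name -> (alphabet size, length). 62 = a-z, A-Z, 0-9.
POLICIES = {
    "4-digit PIN": (10, 4),
    "6-digit PIN": (10, 6),
    "6-char alphanumeric": (62, 6),
    "10-char alphanumeric": (62, 10),
}


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct codes an exhaustive attacker may have to try."""
    return alphabet ** length


def expected_seconds(alphabet: int, length: int,
                     per_guess: float = PER_GUESS_SECONDS) -> float:
    """Mean time to find a uniformly random code by exhaustive offline guessing.

    With N equally likely codes the attacker needs (N + 1) / 2 guesses on
    average, each costing per_guess seconds in the Secure Enclave.
    """
    return (keyspace(alphabet, length) + 1) / 2 * per_guess


def expected_hours(alphabet: int, length: int,
                   per_guess: float = PER_GUESS_SECONDS) -> float:
    return expected_seconds(alphabet, length, per_guess) / 3600


def expected_years(alphabet: int, length: int,
                   per_guess: float = PER_GUESS_SECONDS) -> float:
    return expected_seconds(alphabet, length, per_guess) / SECONDS_PER_YEAR


# Assumed escalating lockout for guesses typed at the lock screen:
# attempt number -> delay (seconds) imposed after that failed attempt.
# Attempts 1-4 carry no delay; with "Erase Data" on, the device wipes
# after the 10th failure. Treat this schedule as an assumption to verify.
LOCKOUT_DELAYS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
WIPE_AFTER = 10


def online_attack(alphabet: int, length: int, wipe_after: int = WIPE_AFTER,
                  delays: dict = LOCKOUT_DELAYS) -> tuple:
    """Lock-screen guessing with the escalating timer.

    Returns (total seconds spent waiting before the last permitted guess,
    probability that wipe_after guesses hit a uniformly random code).
    The timer, not the keyspace, is what bounds this path; the offline path
    in expected_seconds() is where passcode length actually matters.
    """
    total_wait = sum(d for n, d in delays.items() if n < wipe_after)
    p_success = wipe_after / keyspace(alphabet, length)
    return total_wait, p_success


def report() -> list:
    """One row per assumed policy: (name, keyspace, expected years offline)."""
    return [(name, keyspace(a, n), expected_years(a, n))
            for name, (a, n) in POLICIES.items()]


if __name__ == "__main__":
    for name, space, years in report():
        print(f"{name:22s} keyspace={space:<22d} offline mean={years:.3g} years")
    wait, p = online_attack(10, 6)
    print(f"lock-screen path: {wait} s of forced waiting before guess 10, "
          f"P(success in 10 guesses)={p:.1e}")
```

The 6-digit PIN comes out at roughly 11 hours of offline guessing, which is the window the thread's thieves are working in; the 6-character alphanumeric passphrase reproduces Gruber's 72 years. Note that the uniform-code assumption is generous to the user: an attacker trying common PINs first does far better than N/2 guesses against a 6-digit code, which is one more reason the passphrase recommendation in the comment above holds.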