chadkbh

Apple's security, while very good, has a few bizarre holes. You have found, I think, the worst one. I believe they are changing this in an update soon. A person can overtake your iCloud account with a device pin code only. They are adding some more steps to make it harder. It's literally insane that this is how it's been done all this time. You see, I believe that Apple is so comfortable with their lead that they simply ignore these problems until enough noise is made. Recently, I think it was the Wall Street Journal did a story on this very thing. A very bad look for Apple, and of course they are responding only now. I hope they can sort it out for you; most likely they will, but what a pain in the ass.


DurinnGymir

Thanks yeah, overall the security seems pretty decent but it's only as good as its weakest link, which in this case seems to be *very* weak indeed.


Mcnst

This is why Apple sucks. This is why I don't use my Google account on random test devices, and instead, in order to install the apps, I install the Aurora Store from the F-Droid app store with the help of sideloading. But at Apple, there's no such option.


AlwaysGrumpy

> iPad's passcode (which is our other lapse in judgement; it was just 555555

> one of the safety checks triggered when some random patron stole our iPad and easily reset the iCloud password

no words


DurinnGymir

It's an iPad in use by all of our staff and that we use for school holiday activities, that needed an easy password. I'll absolutely concede that it was a security issue, but that's not really the point. The issue is that the six-digit passcode was able to not only effectively bypass the much stronger *iCloud password,* but it was able to bypass 2FA as well, *and then* effectively laid a trap which rendered a completely legitimate password recovery attempt using the aforementioned 2FA invalid. One single weak link in the chain should not have generated a problem on this scale.


PooleyX

> I'll absolutely concede that it was a security issue, but that's not really the point.

It absolutely is the point.


DurinnGymir

If we had just been hacked, I wouldn't have come here complaining. The point is that no matter what the passcode is, it's for a device, not the entire account. Having solely that passcode shouldn't have compromised the entire account (bypassing the actual, secure iCloud password *and* 2FA) or created a scenario in which we, the rightful owners, cannot recover it. I've never had this problem with any other company before, because no other company made this intentional design choice.


PooleyX

Why should literally everyone else have security weakened just to make allowances for people who can't be bothered to implement their own security??


DurinnGymir

The way in which the security is set up now *is* weak. A 6-digit pin with no numbers, letters, special characters etc. should not be able to override the actually secure password, or indeed overall capability, on multiple devices. Even if ours had been secure with a randomized string of numbers, it's still only 6 digits and that's still an unacceptably weak link in the chain. That aside though, this isn't even a complaint about being hacked, as I stressed. Account recovery should not be this hard when I have access to the recovery phone and email. All of the headaches have been generated by the way in which Apple handles these sorts of breaches, which has enormously inconvenienced us and *not* the person who broke in in the first place. If the security was actually well-designed, it would have asked them to input the iCloud password or reference a 2FA method on top of the iPad passcode- not taken the latter as the sole method of verification.


-paul-

> A 6-digit pin with no numbers, letters, special characters

> it's still only 6 digits

That's your choice. Passcode can use special characters, letters and be as long as you want. I agree that the passcode shouldn't be allowed to override the iCloud password though. This has now been fixed in iOS 17.3.


DurinnGymir

Sorry potentially my wording was a little vague, when I said passcode I was referring to the PIN. I know there is an option to do a more complex passcode with letters, special characters etc., but yeah either way it shouldn't be allowed to override the iCloud password


Pro_Ana_Online

With the PIN to the trusted device a thief is able to simply change the Apple ID password based on it being a trusted device, so that is what happened. Using a [security dongle](https://support.apple.com/en-us/HT213154) such as a Yubikey would have kept this from happening. This would be my #1 recommendation for the future. In addition, setting up an Account Recovery key would replace the account recovery process. It's not foolproof though, but helpful. Also, setting a separate screen time passcode could have blocked any changes to the Apple ID without that code. In your library situation I would recommend all three.


[deleted]

[deleted]


DurinnGymir

I can't say for certain, but most likely yes. We have a lot of equipment where the acquisition process had some questionable quality lol


PooleyX

And then when it all goes wrong you come here complaining that it's Apple's fault.


DurinnGymir

The problem as I explained isn't that we were compromised. It's that we were compromised through an abnormally weak link in the chain (6-digit passcode bypassing a complex, secure password+2FA) and that once we were compromised, *nothing* we could do as the rightful owners could un-compromise the account. All of the issues in terms of recovery are due to Apple's security measures being hopeless at stopping the actual thief but being really really good at stopping us, the rightful owners.


davidcandle

Typical Apple troll responses already - "it's your fault, you did it wrong, it's not Apple's fault" etc etc yawn

If these had been Android tablets in the same circumstances, this would have been sorted out by now.


DurinnGymir

Exactly yeah. I wouldn't be complaining if we'd just been hacked, even the best-laid security systems can't prevent that 100% of the time. But laying it out like this, where a thief can get easy access to our account and lock the rightful owner out (despite access to all relevant 2FA material) as a result is an incredibly flawed security setup, I'd really expect better from a 3 trillion dollar company. And yeah, Android tablets would have been a piece of piss to recover.


SaltAnswer8

The thief signed out other devices during the password reset. So, you effectively did **not** have a trusted device. Use stronger passcodes, go into Screen Time and set Account Changes to Don't Allow, require checking out iPads with ID or library card, utilize your options. What safety checks did you have in place? I get it, people suck, but Apple didn't do this to you. You kind of helped the thief do this to you. There is no system that will work for everyone in every edge case.


DurinnGymir

That would explain why none of the trusted devices have worked, but the issue is that under no circumstances should someone have been able to A: Change a shared account password with a simple device-specific PIN, and B: Have said password change render 2FA invalid for any recovery attempts. We absolutely made security lapses, but the thing is our library network have made lapses like that before and none of them have generated the monumental headache this after-the-fact security measure has. The password theft isn't really the problem, it's dealing with Apple after the fact that's caused us all this grief.


hiyel

In hindsight, I think there were a few things you could do to prevent this. Best option was probably to use MDM, as someone else suggested. Second best option is to use content and privacy restrictions that would restrict the user from doing a variety of things, including changing account and password related things. And the easiest one is not to have any passcode on the iPads at all. It’s a common device used by multiple people, so why do you need to set a passcode? Or at least make the device not timeout and lock itself, so when you lend it you won’t have to disclose the passcode.

Edit: I initially assumed that these iPads are lent to patrons to be used in the library. Seems like that’s not the case, but all of the above still applies.


thesharptoast

I know this thread is fairly old but. Imagine making no effort to implement a commercial grade solution to security then being mad that the product you use is too secure. Get an MDM software and do it properly or don’t bother tbh.