This is a very entertaining and educational article, giving insights into the methods used by thiefs to try and get access to your phone data.

I don’t like Apple but it’s great that their security is so good when it comes to this.

159 points

the methods used by thiefs to try and get access to your phone data.

It is not about accessing the data but to disassociate the current user from the phone so that the thief can reset the phone or/and it’s components for new users.

permalink
report
reply
143 points

As much as I love my android phone, I have to admit Apple takes privacy and security much more seriously.

permalink
report
reply
83 points

How so? A Samsung or pixel with default settings would also behave that way, possibly even more securely because it wouldn’t show the thieves your number.

permalink
report
parent
reply
45 points
*

I guess just anecdotally. I have a pixel 7, I’m pretty confident I could factory reset the device without 3rd party authentication. Also, from the tech channels I follow, I think I could recover my data if I forgot the password. Android has always felt more "free"and customizable, and I love it for that. But I also think that freedom allows for more exploits. It’s a trade off that’s worth it to me, personally. But if I had illegal shit to hide on my phone, I’d probably do it on an apple device.

Edit: just checked. I can completely bypass all my locked down Google Pixel settings to factory reset my phone pretty easily if I press the right keys in the right order. It would be pretty easy to steal and resell my phone.

permalink
report
parent
reply
43 points

If you do it the manual way - not unlocking the phone and doing it through settings - you can wipe it sure, but when you try to set it up it requires the prior Google account credentials to proceed. No creds, no passing go, just a shiny brick. It’s been like that for years.

Also might I recommend you take a gander at GrapheneOS for more intense security capabilities than stock.

permalink
report
parent
reply
32 points

You can factory reset it easily. You can’t use it without the previous Google account credentials afterwards. You can’t reuse a stolen Pixel which has Google account logged into it.

permalink
report
parent
reply
14 points

For what it’s worth, they’re trying to fix that with Android 15. Not sure if this is one of the features they’ll also be back porting to older phones too like this article briefly touches on, but either way it sounds like if you factory reset the phone, it can’t be set up again unless they know your login: https://www.wired.com/story/android-15-theft-detection-lock/

Google says in a blog post, the company is adding four data protection features that can help keep your information locked down. The first stops your phone from being set up after a factory reset, unless the person knows your login details. “This renders a stolen device unsellable, reducing incentives for phone theft,” Google vice president Suzanne Frey writes.

permalink
report
parent
reply
13 points

Edit: just checked. I can completely bypass all my locked down Google Pixel settings to factory reset my phone pretty easily if I press the right keys in the right order. It would be pretty easy to steal and resell my phone.

Mind to share what “Keys in the right order” are? I mean a link, of course, because in my experience you just can’t do that with a locked bootloader.

permalink
report
parent
reply
10 points

AFAIK you can’t wipe the IMEI and if you report it stolen to providers they will block it from using their networks. (It will only be able to use wifi.)

permalink
report
parent
reply
6 points
*

The encryption on Android devices is pretty strong, as long as you use a good screen lock you should be fine. Yes they can reset you phone, but accessing your data is a whole other level.

If I had illegal shit on my phone, I wouldn’t send it to apple servers by using an iPhone. They are the first who would comply with a surpena. I’d use GrapheneOS on a Pixel and use an obvious duress pin like 1234. If entered it wipes your encryption keys and avoids restoring your data.

And if it gets stolen, it is gone and I’d get a new one. This is the cost of having proper opsec.

Edit:

But I also think that freedom allows for more exploits.

This is a common misconception called security through obscurity

permalink
report
parent
reply

Im pretty sure u cant fuck with a device that has a locked bootloader without unlocking said bootloader which requires u know the password. And u definatly cant recover data without passcode unless u can extract the hash from whatever chip holds it (shouldn’t be possible if u have a tpm) and bruteforce it. Ur data should be encrypted and u shouldn’t be able to tamper with os without unlocking bootloader which once unlocked will wipe all device data. Might be possible if u do some dodgy power injection directly into some of the chips but thats pretty advanced stuff.

permalink
report
parent
reply
6 points

Same for Samsung afaik. Pop into the bootloader and just wipe everything.

permalink
report
parent
reply
3 points
*

As everyone is pointing out you’re just wrong about this.

Also apple is overbearing AF. I recently had several back and forths with my IT department about an old company mac laptop I used to have. Since I had signed into my apple account once, Apple permanently tied that laptop to my account and wouldn’t allow the fucking IT department to fully wipe it.

Keep in mind also that I would have preferred to not have or use an apple account (they kind of force it on you, even asking you to login to iCloud constantly even if you’ve literally never used it once), and even though I could login to the apple account in my browser and see that the laptop wasn’t listed under my devices, IT was still locked out.

Literally the only way to fix this was giving the IT dept my apple password so they could authenticate then sign out of it. There was nothing I could do remotely about it. This is a security issue in itself. Zero reason I shouldn’t be able to use my account remotely to remove or sign that device out. Zero reason I should have to give my password to another human. Except for apple being shit.

The apple security theater is widely believed but it’s still largely theater.

Edit: before you tell me I didn’t have to give up my password, understand that I fucking know that. I could’ve driven to the office, told my employer to fuck off, had them ship the laptop, etc… all of which are things that shouldn’t be necessary. I took the least shitty option at the time. Kindly fuck off if you are so dicksloppery on apple that you can’t understand the obvious point: pretending every shit decision is about security doesn’t shield you from all criticism.

permalink
report
parent
reply
26 points
*

iPhones don’t do that on their own.

She said she activated lost mode, so it’s possible/likely she made her contact info available. Asking Siri who the phone belongs to will also give up contact info, but you can change that remotely from the find my phone app.

I think - being a writer - she sort of set herself up for the interaction so she would have material. No judgment, though. It was an interesting read.

permalink
report
parent
reply
2 points

As far as I know factory resetting an android phone is relatively easy without having access to the device. But it’s been a while since I’ve looked I hti that.

permalink
report
parent
reply
2 points

You can fairly easily factory reset phones from both. While you can report your phone as stolen and the IMEI will be blacklisted on US carriers, it would probably work fine abroad.

permalink
report
parent
reply
1 point

For iPhones, if you have Find My turned on, you can’t activate the device without the iCloud password, unless the owner removes the device from their iCloud account. Which is what the scammers are trying to get her to do here.

permalink
report
parent
reply
63 points

Security yes, but privacy not so much…

permalink
report
parent
reply
30 points

If you’re talking about a stock Android OS on anything other than a Pixel, iOS wins in both regards. Stock on a Pixel, I don’t know that Apple is more secure, but if you’re installing apps via Google Play that use Google Play Services, iOS is certainly more private. Vs GrapheneOS on a Pixel, iOS is less private by far.

permalink
report
parent
reply
-9 points
*

Better than bad is not good.

permalink
report
parent
reply
-17 points

Apple is more secure… iOS is certainly more private.

False, anti-libre software bans us from proving it’s claims.

permalink
report
parent
reply
25 points

Compared to any android phone the privacy is substantially better. Apple is in the business of selling overpriced phones. Google is in the data collection business.

permalink
report
parent
reply
16 points
*

The issue here is that while baseline apple is more secure than baseline android, a user with knowledge or a guide can improve the android security by a lot, whereas the apple baseline is also the ceiling. There’s stuff you can do with iPhones but if you don’t trust apple, you are kind of fucked.

Android people that mention security won’t be using a stock phone from the store, they will have disabled stuff, enables alternative stuff, or even installed a completely new android based OS, and this can’t be done with iPhone or iOS.

permalink
report
parent
reply
-1 points
*

If you aren’t using the iOS lockdown mode, it’s not really that much more private. Most stuff is still not encrypted in iCloud without that on, and apps can still track much of what you do, and Apple has their own ad networks.

Edit: has any of the downvoters actually read Apple’s (public!) security architecture documents?

permalink
report
parent
reply
-4 points
*

Anti-libre software, iOS, bans us from proving its claims. Stop paying Apple to pre-infect our devices and spy on us too.

My devices need libre software, not a business.

permalink
report
parent
reply
-9 points

Anti-libre software, iOS, bans us from removing malicous source code. Don’t let this malware infect you.

permalink
report
parent
reply
8 points

What are you talking about, it’s literally the same thing on Android. Also why the shilling out of nowhere?

permalink
report
parent
reply
7 points

they love bricked phones because it means one less for a secondhand market

permalink
report
parent
reply
0 points

Lol you’re basically gaslighting yourself

permalink
report
parent
reply
-1 points

Apple has the benefit of making everything themselves, down to the secure enclave processors and, as of some time also, the processor as a whole. They get to design their hardware, OS, software, ecosystem, all around security and it all plays together nicely.

If you control everything, you can do whatever you want with it. Android phones being more of a mixed bag of different vendors making different parts of the phone, including the software components, makes this interplay much more difficult. It usually takes android quite some time before they catch up on the latest security concepts.

permalink
report
parent
reply
2 points

It usually takes android quite some time before they catch up on the latest security concepts.

Android exploits are considered more valuable and expensive because they’re harder to find. I don’t know where you are getting this information other than thinking it sounds correct in your head.

permalink
report
parent
reply
-8 points

Don’t think Apple security is much better. I’ve read news before about insiders that will unlock stolen phones. They work closely with the criminals and it’s a more “professional” operation. Probably it’s not as easy as doing it for an android but having an iPhone and thinking that if someone steals yours it will just become a paperweight is wrong. Sadly

permalink
report
parent
reply
83 points

Man, the last threat the author received was absolutely BEGGING for the navy seal copypasta lololol

permalink
report
reply
21 points

But give them one of the more obscure versions so they don’t immediately realize what it is.

permalink
report
parent
reply
72 points

What’s this you’ve said to me, my good friend? Ill have you know I graduated top of my class in conflict resolution, and Ive been involved in numerous friendly discussions, and I have over 300 confirmed friends. I am trained in polite discussions and I’m the top mediator in the entire neighborhood. You are worth more to me than just another target. I hope we will come to have a friendship never before seen on this Earth. Don’t you think you might be hurting someone’s feelings saying that over the internet? Think about it, my friend. As we speak I am contacting my good friends across the USA and your P.O. box is being traced right now so you better prepare for the greeting cards, friend. The greeting cards that help you with your hate. You should look forward to it, friend. I can be anywhere, anytime for you, and I can calm you in over seven hundred ways, and that’s just with my chess set. Not only am I extensively trained in conflict resolution, but I have access to the entire group of my friends and I will use them to their full extent to start our new friendship. If only you could have known what kindness and love your little comment was about to bring you, maybe you would have reached out sooner. But you couldn’t, you didn’t, and now we get to start a new friendship, you unique person. I will give you gifts and you might have a hard time keeping up. You’re finally living, friend.

permalink
report
parent
reply
8 points

Hadn’t seen that one before. That’s a good one, lol

permalink
report
parent
reply
71 points

Honestly I’m scared of when these people figure out they can use llms to make their texts look like less obvious scams

permalink
report
reply
87 points

Often scammers don’t want to make it less obvious. If it’s obvious and the mark falls for it, it’s a good indicator they’re on the hook and will fall for more. It’s to filter out the less gullible so the scammer doesn’t waste their time. Probably not the case with this situation specifically, but it holds true in general with scams.

permalink
report
parent
reply
22 points

True. But also true is that a majority of scammers are simply not smart and/or English is not their native language. A phishing email/text that might look good to them, can look really bad to others.

But still, people still fall for the obvious phishing attacks. AI is going to make the phishing appear more legit.

permalink
report
parent
reply
11 points

Probably not the case with this situation specifically

Yeah :( High-value item already in hand, never a need to guide somebody which store to buy the giftcard at or what to say to the bank teller…

permalink
report
parent
reply
2 points

On a similar note, a reason why you shouldn’t respond to spam/scam texts because it basically verifies you as an active phone number. Why waste man/bot power texting numbers that may or may not exist when a majority of your texts will at least be seen by a human which will probably boost their chance

It’s why I tell my friends not to respond even tho some of their responses are really funny

Some smarter ones I see usually range between 2-7 lines of text usually written as a time sensitive question that will affect the totally real persons social or work like

One of my favorite ones was about 5 lines of text that was posed as a date

It was like “Hey Kayla it’s Mike, some short sob story about dating life, hope our first date goes well, then nonsense about dating with an address thrown in

However after the 5 lines it was in Arabic or some similar flowy characters and when I translated it continued “mikes” story about where he was from and how oh so sad his life was

Tldr totally fishing for a pity “sorry wrong number” to see if my phone number would be seen by human

permalink
report
parent
reply
55 points

I’m confused, in the article he said it was a brick to whoever has his stolen phone. How did they get his phone number to send him text messages? Did they crack the passcode and needed the iCloud password?

permalink
report
reply
60 points

I think when you remotely wipe the phone you can make it show a message with your phone number, in case you’re actually a honest person that found the phone instead of a thief.

permalink
report
parent
reply
23 points
*

In the response posts to the article someone said they got the icloud address via reset request which you can use in iMessage.

Not an i phone person so i can’t verify but thought id pass that along.

permalink
report
parent
reply
12 points

That’s interesting, never thought of that as an attack vector.

permalink
report
parent
reply
28 points

The phone itself (by IMEI) is a brick. The sim and same phone number were assigned to a new phone and they texted that number

permalink
report
parent
reply
20 points

Issue here is the iPhone 14 USA models are all e-Sim. They don’t have sim cards to remove. The article says it was a iPhone 14 Pro.

permalink
report
parent
reply
20 points
*

Typically if you report the phone stolen to your provider they blacklist the IMEI which gets shared with other providers so the phone can no longer be used. I was unclear on this part but a new e-sim can be provided for the new phone, and the old sim banned or the old one transferred. Regardless, the old phone will still show the IMEI/sim/phone number, which is how they got that to text them

permalink
report
parent
reply
5 points

So they took the SIM card out and got the phone number from that? I guess I didn’t realize you could do that.

permalink
report
parent
reply
8 points

Yes, it’s the SIM card that carries your number and may also carry data on your contacts if you save it there.

permalink
report
parent
reply
14 points

*her

permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 17K

    Monthly active users

  • 12K

    Posts

  • 543K

    Comments