Mobile phone theft

iPhone 17.3 – Stolen Phone Mode

What the update means for Nuke (and you!)

James O’Sullivan, CEO & Founder, Nuke From Orbit

Date: 18th January 2024

If you’ve read anything about us, you’ll know Nuke From Orbit was conceived after my phone was stolen on a night out. I would later realise the thief stole tens of thousands of pounds from the cards in my Apple wallet. And as reported this week, it’s an all-too-common problem.

It could have been a lot worse had the thieves thought to access other apps that would have been accessible using the same credentials. Against this backdrop, the emergency response mechanisms powering Nuke came into existence.

So you’d think it would be a significant blow when one of the biggest tech companies in the world adds a feature explicitly targeting the same problem. But it’s not; it’s actually really, really good news. And here’s why.

What is Stolen Phone Mode?

Currently, you can access the functionality of your iPhone via a biometric (face/fingerprint) or a PIN code (4-digit, 6-digit or complex). This works well because sometimes the biometric doesn’t work: the camera might be damaged, you’ve got a cut on your finger, or you’ve tried your biometric too many times. Such redundancy, which ensures you’re always able to access your phone, is also the gateway to someone else accessing your device, as a passcode is much easier to duplicate than a biometric.

When a thief steals your device and knows or cracks the passcode, the whole contents of your phone are at risk, and Stolen Phone Mode addresses some of these risks. The update won’t hit phones until late Jan/early Feb 2024, so we don’t know the exact specifics, but this is what we know so far.

When activated, certain functions requiring re-authorisation will only accept that re-authorisation in biometric form and/or come with an hour’s delay. In theory, a criminal who steals your phone with the passcode can’t use that passcode to reset your Apple ID password immediately (the first thing they currently do to lock you out). You can access the sensitive areas of your phone with a passcode, but only when the phone is physically located in one of your pre-selected ‘safe zones’, places like your home and work.

Stolen Phone Mode is an excellent innovation from Apple as it offers some additional protection to their users with minimal setup and loss of day-to-day functionality. They get the double thumbs up from me and the Nuke team.

But like many things these days, the devil is in the details.

What does Stolen Phone Mode cover?

Apple has to tread a fine line balancing security for stolen devices and everyday usage. For instance, if Apple made it so Apple Pay payments only worked with a biometric, then any damage to the front-facing camera would render the user unable to pay. There are many situations like this, and I believe that if the feature debuts along the lines the pre-release notes discuss, they’ve got the balance about as right as they can. To summarise, these are the main actions that require a biometric:

• Turning off Lost Mode.
• Viewing/editing account details.
• Applying for an Apple Card.
• Erasing all content & settings.
• Using stored payment methods in Safari.

Meanwhile, these other features come with a time delay:

• Changing Apple ID password.
• Updating Apple ID security settings like trusted devices, phone numbers and recovery keys.
• Adding/removing Face ID or Touch ID.
• Turning off Find My Phone.
• Turning off Stolen Phone Mode.

Why is this good news for Nuke?

You’re probably wondering why this is good news for Nuke if Apple has added a very good feature within iOS that addresses some of the problems Nuke solves. The truth is that they don’t (and can’t) go far enough to give you the protection you need. And it tells us we’re on to something good!

To show this, let’s assess what you need to do with Apple-supplied tools to replicate the functionality of Nuke.

1. Activate Stolen Phone Mode when released.
2. Notice your phone is stolen.
3. Remember that iCloud offers you the option to remote-wipe a phone.
4. Find another device and attempt to log in to your iCloud account on it (this is something you can now do as Stolen Phone Mode prevents the criminal from changing your password).
5. Verify your new login with either a text message or on another iOS device linked to your account (something you can’t access/are unlikely to have with you when you notice the phone is stolen).
6. Log in to your iCloud, likely hours after the theft occurred.
7. Activate the remote wipe feature.
8. Hope the phone isn’t in Airplane mode (which it almost certainly will be), so that it receives the instruction to wipe.
9. Assess the damage.

Believe it or not, this is better than the current experience. Now, you can be reasonably sure Stolen Phone Mode will eventually purge your data from a stolen device. The problem is that it will take you hours or days when you need to react in seconds or minutes. And manually going through your accounts individually to reset passwords, security questions, etc., takes too long. After all, the attacker might have exported your username/password combinations to sell on.

The Nuke effect

We’re not saying there is anything wrong with what Apple is doing. They’re just not able to combat the threat effectively with the tools they have. Let’s compare the above to the Nuke scenario:

1. Create your Nuke profile, add your cards and accounts and create your trusted network.
2. Notice your phone is stolen.
3. Remember you have Nuke.
4. Find a member of your security matrix and log in to your account via their account (or call the automated helpline).
5. Nuke your cards, online accounts, and SIMs simultaneously and immediately.
6. Rest easy, knowing that your digital life is secure.

As you can see, there is a world of difference in the levels of protection. Once activated, Nuke neuters all the valuable information on your phone, massively reducing the window of opportunity criminals have to steal from you.

In conclusion, Apple has made a commendable attempt at mitigating the incredible power of its devices. But as we always say, “Nuke From Orbit. It’s the only way to be sure.”
