
Stolen Device Protection added to iOS — but there’s a security flaw

Ray Fernandez

Feb 1, 2024


The much-anticipated new iPhone feature, Stolen Device Protection, is finally here. With it, Apple makes it extra difficult for thieves to access your stolen iPhone. 

As good as this news may sound, tech experts have already found what they call a “fatal problem” with this new Apple technology. Fortunately, it can be fixed easily. Let’s dive in.

Thieves can steal your iPhone as long as they do it in a “familiar location”

On January 23, via X (formerly Twitter), the popular technology YouTuber ThioJoe explained why the new stolen iPhone iOS feature is probably useless when left in its default mode. As ThioJoe explains, the big problem with the feature lies in what Apple calls “familiar locations.”

Apple explains that when Stolen Device Protection is enabled, it triggers additional security requirements. But these requirements only come into effect if your phone is “away from familiar locations such as home or work.” 

Unfortunately, it appears that you, the user, have no control over what Apple decides is a “familiar location” for your iPhone. 

“I looked at mine,” ThioJoe said on X. “It showed THIRTY-FIVE significant locations. The most recent was even a place I had visited for only a few hours ONCE this past weekend.”

Basically, as ThioJoe explains, you will get zero protection from Apple if your iPhone is stolen at a place you have been recently or visit regularly. 

Want protection? Enable it before your iPhone gets lost or stolen

Another important issue affecting the Stolen Device Protection feature — available on iOS 17.3 — is that it only works if users turn it on before their iPhone is lost or stolen. There is no way to enable the feature remotely using other devices or the cloud. 

All in all, this limitation is rather counterproductive, as users usually remember security features after something bad happens, not before. 

The reason that Apple designed Stolen Device Protection 

Many tech experts agree that the new Stolen Device Protection feature was inspired by, and is a response to, the investigative reporting of Joanna Stern, Senior Personal Technology Columnist at The Wall Street Journal. In early 2022, Stern uncovered how criminals were leveraging the iOS system to steal hundreds of thousands of dollars. 

The technique used in these crimes had nothing to do with complex hacking. Thieves picked out their victims in restaurants and bars and played a “look over your shoulder” con: they watched as their victims typed their passcodes into their iPhones. Once they had the passcode memorized, they simply did a “snatch-grab-and-run.”

It is common practice for users to type in their iPhone passcodes in public spaces. After the story broke, many cybersecurity experts recommended that users treat phone passcodes like ATM PIN codes. The use of biometrics, Face ID, or fingerprints was also encouraged for public spaces. But the question lingered: shouldn’t a state-of-the-art smartphone have security protections for this type of crime?

The idea that a criminal can take control of your devices and your cloud, empty your bank accounts and digital wallets, and control everything that is linked to your phone just because he knows your passcode is a tough pill to swallow. 

Responding to this, Apple developed the new Stolen Device Protection feature. And yes, it took them about a year to roll it out.

The easy fix for Stolen Device Protection 

If you are looking for a step-by-step guide on how to enable and use Stolen Device Protection, we are not going to get into that here, but you can check out the official Apple guide to Stolen Device Protection.

Today, we’ll be looking at how to fix the “familiar location” glitch. We assume you want full protection even if your iPhone is stolen in a familiar place — which is more than likely to happen. Fortunately, according to ThioJoe, all you have to do is disable the Significant Locations option.

To disable Significant Locations on iPhone: 

  1. Navigate to Settings > Privacy & Security.
  2. Go to Location Services > System Services.
  3. Disable Significant Locations.

When Significant Locations is disabled, your iPhone will require Face ID to be unlocked. It will not give the option to bypass this security guardrail with a passcode.

Additionally, the recent Apple iOS 17.4 beta 1 release sets a delay of one hour for any significant security setting changes. Therefore, when this version becomes the norm, if a thief were to disable Significant Locations or try to change the passcode to lock you out, they would have to wait one full hour before the change takes effect. This should give users a short but valuable window of time, during which the victim can log in to their accounts and systems to take the necessary action.

The new Stolen Device Protection feature from Apple is an excellent addition to iPhone, but it’s not nearly perfect. We do expect Apple to continue working on it and update this feature in the future.

It’s always nice to learn that users have additional security tools in their hands. And it’s a relief to know that if your iPhone and passcode are stolen, a failsafe is in place to prevent the thief from accessing your entire digital life. 

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. iPhone and iOS are trademarks of Apple Inc.

Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.