iSnatch: Unmasking iPhone Data Thieves

7 min read

Ever wondered how thieves can silently snatch the secrets right off your iPhone? Brace yourself for an eye-opening journey into the underworld of digital theft. We'll unveil the cunning tactics and unseen dangers that could compromise your most personal information.

Welcome to That's Life, I Swear. This podcast is about life's happenings in this world that conjure up such words as intriguing, frightening, life-changing, inspiring, and more. I'm Rick Barron your host. 

That said, here's the rest of this story  

All of us from time to time have seen it on the tv news shows. Store fronts facing a spree of ‘smash-and-grab’ crimes. Groups of people, all dressed in their assigned uniforms of either grey or black sweat pants and hoody tops, along with their facemask, quickly breaking counter tops with hammers, swarming all over counters, gathering as much merchandise as possible in their planned allotted time so as to make their getaway. For a while the ‘smash-and-grab’ focal point were clothing stores but now happening at other stores such as mobile phones.

For some, the gang-like robbery is not for them. They like better to work alone or in a very tight small group. 

Such a person is 26-year-old Aaron Johnson, who is not serving time. "I'm already serving time. I just feel like I should try to be on the other end of things and try to help people."

Aaron Johnson. Courtesy of: Daily Mail

Over the past year, thieves have observed iPhone users entering their passcodes, subsequently walking away with their phones and disrupting their financial and digital lives.

Johnson, was part of a collective tight knit group, operated within Minneapolis throughout 2021 and 2022. Amidst nightfall in and around local bars, he would amicably engage with young individuals, covertly acquiring their passcodes and seizing their phones. Utilizing these codes, he'd lock victims out of their Apple accounts, plundering thousands from their bank applications before selling the phones themselves.

This intricate, opportunistic ploy exploited the Apple ecosystem, targeting unsuspecting iPhone owners who viewed a stolen phone as merely that—stolen.

Apple recently unveiled Stolen Device Protection; a feature aimed at thwarting passcode-assisted crimes. However, even with the forthcoming software in iOS 17.3, vulnerabilities persist. 

The most significant gap? Us. 

Understanding Johnson's methods allows us to enhance the security of the devices holding substantial portions of our lives.

That said, let’s get back to Aaron and learn how he fell into this line of work that in the end, took him to the unemployment line, or in this case prison. 

One look at Aaron Johnson, and your initial reaction is that he lacks the sophistication of a cybercriminal. His roots trace in crime date back to pickpocketing on Minneapolis streets. "I was homeless," he admitted. "Started having kids and needed money. I couldn't really find a job. So that's just what I did."

As Aaron polished his craft in becoming a thief, he soon learned that the pilfered phones could yield more value for him. The porch light went on. Being a self-taught type of individual, Johnson, one night, experimented with a phone until he deciphered the passcode's utility in unlocking a trove of protected services. 

What quickly came to light was that the passcode is the devil.  He remarked. "It could be God sometimes—or it could be the devil."

According to the Minneapolis Police Department's arrest warrant, Johnson and his 11 associates allegedly amassed nearly $300,000, though he contends the figure was likely higher. In March, with previous robbery and theft convictions, Johnson pleaded guilty to racketeering and received a 94-month sentence, two months shy of eight years. At his hearing he expressed remorse to the judge, but that apology was way too late to save him.

So how did Aaron go about learning and pulling off his skill as a phone thief? What was the process to ring in his victims?

Step 1-Find a willing sucker Initiating the scheme typically involved Johnson cultivating a connection with his target, as he disclosed to the WSJ. His preferred demographic for this endeavor consisted of inebriated, college-aged males in bustling bars. Once Johnson engaged them in conversation, the unsuspecting individuals would willingly pass their phones to him under the assumption that he intended to share his contact details. 

Step 2-Getting the passcode is priority one! Subsequently, Johnson would say 'Hey, your phone is locked. What's the passcode?'. Having a good memory, he would remember later to use it. Another option Johnson used, was to discreetly record the victims as they entered the passcodes themselves. Why not, his victims for the most part were drunk and distracted from the bar noise.

Step 3-Lock the door quickly After leaving his victim, Johnson either took possession of the phone or handed it over to a colleague in his team. Subsequently, he would lock the victim out of their account, alter their Apple ID password, and deactivate the Find My iPhone feature. With the individual's details in hand, Johnson then had all the necessary information to gain access to their savings accounts, checking accounts, Apple Pay, and even their cryptocurrency applications.

Step 4 Enrolling his face in Face ID provided rapid access to passwords in iCloud Keychain.

Step 5 The subsequent goal involved transferring significant sums from victims' accounts, followed by purchases using Apple Pay. Stolen Apple devices, particularly $1,200 iPad Pro models, were acquired to sell for cash. Finally, he erased and sold the phones to Zhongshuang "Brandon" Su, who, as per his arrest warrant, sold them overseas.

While Johnson pilfered some Android phones, iPhones were preferred due to their higher resale value. He targeted iPhone Pro models, often with a terabyte of storage, for substantial returns. Su, who pleaded guilty to receiving stolen property, received a 120-day sentence in an adult corrections facility.

On successful weekends, Johnson claimed to sell up to 30 iPhones and iPads to Su, generating around $20,000, excluding funds seized from victims' bank apps and Apple Pay.

So, what’s a person to do?

Preventing such incidents A week post my Minnesota visit, Apple unveiled Stolen Device Protection. Although this security feature is likely to stop most of Johnson's tactics, it necessitates manual activation.

Stolen Device Protection. Courtesy of: CNN

Failing to enable it renders one as susceptible as before. Activation serves as an additional defense layer when away from familiar locations. Changing the Apple ID password requires Face ID or Touch ID biometric scans; the passcode alone won't suffice. The process entails a built-in hourlong delay, followed by another biometric scan. Similar processes apply to adding a new Face ID and disabling Find My iPhone.

Certain functions, like accessing saved passwords in iCloud Keychain or erasing the iPhone, are available without the delay but still require Face ID or Touch ID.

As mentioned, Apple will be coming out with Stolen Device Protection can prevent criminals from using your passcode to change your Apple account. It’s slated to be in iOS 17.3.

So how exactly with this software update help prevent people from losing key information to a thief? 

The access code, a concise sequence of digits granting entry to an iPhone, wields considerable influence. This numerical key, typically comprising four or six digits, empowers thieves to infiltrate your data repository and effect sweeping modifications to your accounts. In instances where Face ID or Touch ID falters, the access code steps in as a contingency.

Upon activation of the novel Stolen Device Protection feature, your iPhone assumes a proactive stance by imposing restrictions on specific settings when operating outside familiar locales tied to the device, such as your residence or workplace. Here's the breakdown:

Modifying Apple ID Password

• Inaction Scenario: A malefactor can deploy the access code to alter your Apple account password, effectively locking you out. This strategic maneuver serves as the linchpin for thieves disabling Find My and purging phones for resale. Given that you, the iPhone's proprietor, lack knowledge of the altered Apple ID password, prompt location tracking or remote data erasure becomes unattainable.
• Stolen Device Protection Protocol: To affect an Apple ID password change in an unfamiliar locale, the device mandates Face ID or Touch ID authentication. Subsequently, a one-hour delay ensues before the action can be executed. Once the hour elapses, validation requires another round of Face ID or Touch ID scans, paving the way for password modification.

Updating Apple Security Configurations

• Inaction Scenario: A thief can employ the access code to activate a recovery key, a security setting designed to shield users from online breaches. However, if a thief inserts a recovery key, avenues for resetting your Apple ID password using your phone number or email are foreclosed. This translates to permanent loss of access to your photos, files, and iCloud-stored data.
• Stolen Device Protection Measure: Similar to altering the Apple ID password, initiating or altering the recovery key or trusted phone number demands two biometric scans spaced an hour apart. It's noteworthy that the access code proves ineffective in immediately disabling Stolen Device Protection, as this, too, necessitates biometric scans and a security delay.

Accessing Passwords in Keychain

• Inaction Scenario: Employing Apple's iCloud Keychain as a password manager for banking, cash, and cryptocurrency apps exposes a vulnerability. A thief could leverage the iPhone passcode to breach the Keychain, gaining access to all stored passwords. Instances abound where victims reported significant monetary losses due to unauthorized transfers.
• Stolen Device Protection Safeguard: Accessing these passwords now mandates Face ID or Touch ID authentication, rendering the access code obsolete as a failsafe for biometric authentication failures.

While potential exists for a determined criminal to gradually breach these security layers, such protections are likely to deter opportunistic thieves. Nonetheless, vulnerabilities persist, such as a thief with the passcode making purchases with Apple Pay and accessing unprotected apps.

To further safeguard against such threats:

• Introduce unique passcodes for money apps like Venmo and Cash App.
• Eliminate notes or photos containing personal information, storing such data securely in third-party password managers like Dashlane or 1Password.
• Strengthen iPhone passcodes with alphanumeric combinations, such as letters and numbers

As Johnson advises, remain vigilant in your surroundings and refrain from divulging your passcode. This crime underscores the reality that a single device now encompasses access to our entire lives—our memories, our money, and beyond. The onus lies on us to protect them. 

When asked of Aaron, what did he think was a sure way not to have one’s mobile phone broken into. His reply…don’t get drunk at the bar and don’t give your passcode out. 

What can we learn from this story? What's the takeaway?

If this crime has taught us anything, it’s that a single device now contains access to our entire lives—our memories, our money and more. It’s on us to protect them. 

Well, there you go, my friends; that's life, I swear

For further information regarding the material covered in this episode, I invite you to visit my website, which you can find on either Apple Podcasts/iTunes or Google Podcasts, for show notes calling out key pieces of content mentioned and the episode transcript.

As always, I thank you for listening and your interest. 

Be sure to subscribe here or wherever you get your podcast so you don't miss an episode. See you soon.