He stole iPhones and cleaned out bank accounts. Apple has just patched the vulnerability he was exploiting

Sentenced to 94 months (almost 8 years), American thief Johnson was not an ordinary thief. The man obtained access passwords and stole iPhones, and then stole his victims’ life savings. All because of a loophole that allowed him to instantly change the PIN of an Apple phone. The thief – already in prison – explained his methods of operation in detail in a publication he has just published

30 iPhones in one weekend. The American thief had one goal

The thief – as he himself explains – most often hunted his victims in bars on Friday, Saturday and Sunday evenings. He chose mainly young men, owners of relatively new iPhones Pro or Pro Max, because they are worth much more than the basic versions. He would engage in conversation with his victims, encourage them to take drugs, try to make friends or ask them to find their way on social media. He hoped that the victim would pull out his phone, but would not be able to unlock it using Face ID in the dark.

In such cases, the man would peek at and remember the six-digit lock code, and then – taking advantage of the inattention of mostly drunk victims – he would steal the phone and immediately go into the settings to turn off the function of locating the stolen phone and change the iCloud password. He claims in an interview that he needed a maximum of 10 seconds to change these settings, and a moment later he handed the device over to one of the group members he worked with. During one night, the American stole approximately 10 iPhones in this way, from which he then tried to steal as much money as possible.

After changing the face registered in the Face ID service, he could use the stolen iPhone as if it were his own. Using a compromised Apple account, he tried to log in to all possible banking and financial applications on the smartphone and withdrew virtual coins from cryptocurrency wallets. If the owner of the phone did not use the password saving function, the thief often found them written down in a notebook.

According to him, usually by At 5 a.m. he withdrew funds from all possible accounts belonging to people robbed that same night. At the same time, he was withdrawing money from credit cards. He bought expensive clothes, shoes and electronics (mostly from Apple) for thousands of dollars, and paid for it all with a stolen iPhone using Apple Pay. He usually sold purchased smartphones, tablets or computers together with a stolen iPhone. In this way, he not only stole his victims’ life savings, but often put them in huge debts.

He stole iPhones and made a fortune from it. Tens of thousands of dollars over the weekend

In the indictment against Johnson, investigators estimated that between 2021 and 2022 he stole thousands of iPhones in Minneapolis and surrounding towns, causing more than $300,000 in damage. dollars. However, “WSJ” believes that this amount is greatly underestimated. The thief himself says that from Friday to Sunday he was able to steal about 30 phones, which – after clearing the data – he sold them for about PLN 20,000. dollars. For a used, relatively new iPhone Pro Max with 1 TB memory, he received – as he says – about $900.

To this must be added thousands or even tens of thousands of dollars from cleared bank accounts or from the sale of devices purchased with the victims’ cards. The criminal himself does not know how much he stole exactly, but he admits in an interview that the amount is probably between one million and two million dollars.

Apple patched the vulnerability in the iPhone. It will be more difficult to withdraw money from your iPhone

“WSJ” notes that Apple fortunately introduced an appropriate update last week that prevents the use of iPhone thieves’ methods. In the iOS 17.3 update, Apple added the Stolen Device Protection feature. As long as we turn it on in advance, because by default the function is turned off, which is worth remembering.

The feature prevents you from changing your Apple account password or face saved in Face ID when your iPhone is away from home or work. In such a situation, you must use Face ID to change the password and then – after waiting an hour – confirm the entire procedure again with biometric security. The function also blocks the possibility of viewing saved passwords using only the phone’s PIN code. However, a thief can still use your iPhone to make purchases using Apple Pay.