Apple’s iPhone Passcode Problem: How Thieves Can Take Over in Minutes

https://www.wsj.com/video/series/joanna-stern-personal-technology/apples-iphone-passcode-problem-how-thieves-can-take-over-in-minutes/967C3B74-90D3-45EA-BAA4-4ECDBB24715D

7 Likes

This is horrifying. I thought for sure you can’t change the iCloud password with just the phone passcode but I tried it myself and it worked. You can even turn off ADP and remove security keys.

Yikes

I had been test driving iCloud+ and Advanced Data Protection the last couple weeks as the promise of seamless end-to-end encrypted backups sounded like the holy grail of security, privacy, and convenience. I was uncomfortable but willing to compromise on some of its shortcomings (convergent encryption, metadata, etc.) but this is too big of an issue.

It shows Apple has not thought at all about defense in depth. I understand the convenience argument but there should be options for people who want better security.

I will be keeping Cryptomator and Google Drive as my cloud backup solution.

Apple can be so frustrating, they make very secure hardware that is also easy to use. Yet their cloud offerings just seem like they come from a different company.

2 Likes

Here is a follow-up:

https://www.wsj.com/articles/the-iphone-setting-thieves-use-to-lock-you-out-of-your-apple-account-716d350d

TL;DR
Apple introduced a recovery key in 2020 to protect users from hackers, but thieves with access to an iPhone passcode can easily activate and generate a new recovery key, potentially locking out the user.

Techlore made a great video on how to defend yourself against this kind of attack.

One note tho, Techlore mentioned creating a recovery key to protect your Apple ID. However, any attacker with access to your passcode can generate a new recovery key and lock you out of your Apple ID (even if you already generated a recovery key) :melting_face:

One more thing to consider is doing a local backup of your iPhone’s data to ensure that you don’t lose access to your valuable photos. You can make a backup with either a Mac or Windows PC.

Super exciting news. The latest beta that came out today, iOS 17.3 beta 1, has come out with a great way to prevent account takeovers if your passcode has been recorded and your device stolen in a snatch attack.
The feature is called “Stolen Device Protection”.

https://www.wsj.com/tech/personal-tech/apple-iphone-ios-update-stolen-device-protection-698d760e

6 Likes

Update: the feature should come out next week!

4 Likes

Because no one has mentioned it yet, Stolen Device Protection requires Find My to be active (which for someone who has disabled Find My and Location Services as a whole is quite annoying). However, you can disable Find My again after enabling Stolen Device Protection and after waiting for the 1-hour security delay, and it will work fine. For some reason it’s only needed when turning the feature on. The only negative (or positive, depending on how you look at it) is that your iPhone won’t know when it’s at home or at work, so you’ll always have those added protections.

3 Likes

One part of the video interview that I haven’t seen discussed is that he was targeting iPhone Pro models based on the camera module setup.

I could argue a camera cover case could mitigate that, but also maybe consider getting that SE or Android phone over the newest Pro when given the option.

1 Like

Why did he target that model specifically? I think it’s easy to identify an iPhone even without looking at the cameras. Was his plan to sell it afterwards?

1 Like

Yes, he quickly sold them to a friend who could resell them to the China market. He mentions how much he gets for Pros versus other phones, and that he specifically looks at the camera module.

I think I would be hard-pressed to tell the difference between a 15 and a 15 Pro with a case on without seeing the cameras. They have the same size display, same shape, same Dynamic Island, etc. They both have unique colors, so it’s easier without a case.

1 Like

Update: iOS 17.3 has been released. The update delivers the new Stolen Device Protection feature, and also includes several security fixes, one of which is described as an issue that may have been actively exploited.

5 Likes

Heads up: it appears to require Find My on. That might be a dealbreaker for a lot of people.

1 Like

It only seems to require Find My enabled when enabling Stolen Device Protection. Apple does also say that it requires Significant Locations enabled in Location Services but I have that disabled and Location Services disabled as a whole when enabling Stolen Device Protection. It did prompt me to enable Find My before I was able to enable it, but I was able to disable Find My again after the security delay.

Steps:

  1. Enable Find My
  2. Enable Stolen Device Protection
  3. Disable Find My after the 1-hour security delay

Stolen Device Protection works as normal. However, you will always have those restrictions even when at home or work as your iPhone won’t know it is in a safe place (though I’d argue work isn’t a safe place).

4 Likes

Good to know, ty!

2 Likes