Slashdot Mirror


Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments (macrumors.com)

AmiMoJo shares a report from Mac Rumors: Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here. Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device. The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers. Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.

61 comments

  1. Terror in coffeeshops across the land! by elrous0 · · Score: 1, Funny

    As if thousands of smug douchebags cried out in terror, and were suddenly silenced.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Terror in coffeeshops across the land! by Anonymous Coward · · Score: 0

      Kudos to you guys!

      You have finally realized that it was dumb to link to creimer's site just to show his picture.

      Never, ever post any links to anything related to creimer's site. Upload it to some free image hosting site as you did.

      -The chief representative AC.
      Let's make slashdot great again!

    2. Re:Terror in coffeeshops across the land! by Anonymous Coward · · Score: 0

      Ha ha creimer!

      You see what happens when you talk against the King, his horses and his men.

      They, and all the 3 letter agencies your little mind might be able to imagine will let you down.

      That's exactly the story in this video that I just uploaded to my Isuck:
      https://www.youtube.com/watch?...

      All you care about is yourself:
      https://school.discoveryeducat...

      And your chair, of course:
      http://www.keynamics.com/image...

    3. Re:Terror in coffeeshops across the land! by Hognoxious · · Score: 4, Funny

      Us, at Special Education for the Santa Clara County Office of Education, couldn't agree more with you!

      I guess that explains it.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  2. Glad by Anonymous Coward · · Score: 0

    Glad I have an email address that is ONLY used for Apple. A hack into anyone else's systems isn't going to give them that account.

    1. Re:Glad by Anonymous Coward · · Score: 0

      Plus you don't have to worry about losing anything else, like your virginity.

    2. Re:Glad by omnichad · · Score: 2

      Most of the attacks are based on password re-use, not password resets via email. A password reset could also be thwarted with two-factor authentication, but not this attack.

    3. Re: Glad by Anonymous Coward · · Score: 0

      So you didn't read the part where 2FA was used?

      How does a simple password reuse cause this?

    4. Re: Glad by omnichad · · Score: 2

      2FA is NOT used. You can lock a device with a passcode with only the iCloud password and it doesn't use 2FA to confirm it - because Apple assumes you probably have lost the device that provides that second authentication factor and that's why you're locking it.

    5. Re:Glad by Brockmire · · Score: 1

      My mom fell for an Apple phishing attack. Fucking Yahoo didn't flag a non-Apple email as spam and hid the email address from display so you didn't see the obvious fake domain. She entered all her details, birthday, credit card, maiden name, etc. She thought it was strange Apple would ask all this info, but did it anyway. I got the call when their iPad said it was remotely locked and she couldn't get into it. After figuring out the scam, we did password resets on both parents' accounts and got control back of the iPad. It still took several minutes of convincing her to immediately cancel her credit card as it was 100% scam. She still didn't believe me until I said the website she put her details into is on a porn site. She got a call the next day her credit card was used twice within a few hours.

  3. hahahaha by Anonymous Coward · · Score: 0

    I wonder if they have iregret using the same email and passwords on multiple sites.

  4. Explains a lot by burtosis · · Score: 3, Funny

    So that's how my email and bank account was drained at the same time as my luggage was broken into.

    1. Re:Explains a lot by lucm · · Score: 1

      So that's how my email and bank account was drained at the same time as my luggage was broken into.

      TSA; stealing your iPods since 2001.

      --
      lucm, indeed.
    2. Re:Explains a lot by Anonymous Coward · · Score: 0

      Sounds like someone uses the same combination for email and bank accounts as their luggage: 1-2-3-4-5

    3. Re: Explains a lot by Anonymous Coward · · Score: 0

      Wow, luggage with five number codes. Impressive.

  5. old story by UnderAttack · · Score: 3, Informative

    This has been happening at least since 2016.

    --
    ---- join dshield.org Distributed Intrusion Detec
    1. Re:old story by Anonymous Coward · · Score: 3, Informative

      Try 2012. http://www.zdnet.com/article/lessons-learned-from-the-recent-find-my-mac-remote-wipe-attack/

      People who enable the "remote wipe" "feature" on their macs (or the iCloud "feature" in general) are fucking stupid. If your data are valuable, encrypt your disk. If your computer is valuable, insure it. Putting a self-destruct button in your computer which can be triggered remotely is the height of stupidity.

    2. Re:old story by Anonymous Coward · · Score: 1

      If your data are valuable, encrypt your disk.

      I do, because there's no reason not to.

      If your computer is valuable, insure it.

      I have, because I insure anything that I can't replace cheaply.

      Putting a self-destruct button in your computer which can be triggered remotely is the height of stupidity.

      No, it isn't. Because if my data is valuable to others I want to be able to delete it remotely to stop anyone else accessing it. Because my data is valuable to me I backed it up, so wiping one copy doesn't hurt me.

      But let's be honest, if my data were valuable enough that I need to be concerned about my laptop being stolen I wouldn't give a shit about paying for a mere laptop, even if it was a MacBook. As it is I just want to reduce the risk of identity theft, and to frustrate the cunts who stole my property as much as I possibly can.

    3. Re: old story by Anonymous Coward · · Score: 1

      And use Time Machine to back up your computer to a portable drive in your house. It isn't perfect, but it will save most data loss.

    4. Re:old story by ctilsie242 · · Score: 2

      I've been using a self-destruct button since I was using Exchange on my phone back in 2006, where I could remote wipe it should the need arise.

      The key is maintaining access/control of your account. Apple has done some changes, but they do have 2FA available (although it would be nice if they offered a standard Google Authenticator QR code method as well.)

      Then there are backups. This is what Time Machine and services like CrashPlan or Backblaze are for. If you like packing your own parachute, buy/use Arq and Amazon S3 to stash your data securely.

    5. Re:old story by AHuxley · · Score: 1

      +1 for "If your data are valuable, encrypt your disk. If your computer is valuable, insure it." AC.
      Install some theft recovery software to get a webcam image and new IP.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:old story by AmiMoJo · · Score: 1

      TFA says that they don't need to use 2FA to lock your device, presumably because if you lost your phone you might want to lock it but be unable to provide the 2nd factor for authentication. Their 2FA system seems to be somewhat flawed.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:old story by Anonymous Coward · · Score: 0

      Steve Gibson explains exactly why text 2FA is so flawed, and why QR 3FA is better. Start at around 1:04:30

      https://twit.tv/shows/security-now/episodes/629?autostart=false

    8. Re:old story by tlhIngan · · Score: 1

      TFA says that they don't need to use 2FA to lock your device, presumably because if you lost your phone you might want to lock it but be unable to provide the 2nd factor for authentication. Their 2FA system seems to be somewhat flawed.

      Well, given you just lost your "2nd factor" for a lot of users, how do you envision implementing 2FA?

      You just lost your phone. You can't have 2FA use an SMS, an app, or any other thing that relies on the phone you just lost.

      And you can't rely on the user having more than one Apple device. Or a replacement phone (which would require the original phone in order to register another trusted device, for obvious reasons).

      What would you have the user do - try to remember some long ago obscure password they set as an override? Try to find some piece of paper they wrote the 2FA bypass code on?

    9. Re:old story by AmiMoJo · · Score: 1

      The problem is that they can set any pass code they like. If the option was "lock with my pre-set passcode" the hijack wouldn't work, because it would be a code that the user set themselves and obviously knew.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. HOWZITGO? by Anonymous Coward · · Score: 0

    Oh yea, Muhahahahah!

  7. Ransom? No mention of that... by Anonymous Coward · · Score: 0

    While asking for a ransom isn't a bad business model, there is nothing in the summary or article to suggest that is going on.

    1. Re:Ransom? No mention of that... by lucm · · Score: 2

      While asking for a ransom isn't a bad business model, there is nothing in the summary or article to suggest that is going on.

      What about "Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device."

      --
      lucm, indeed.
    2. Re:Ransom? No mention of that... by Anonymous Coward · · Score: 1

      One would have to understand what they read to get that info. Most people don't even read the freaking article so why is it surprising that they didn't see the phrase "demanding money for the passcode to unlock a locked Mac device" and understood that as a ransom demand?

    3. Re:Ransom? No mention of that... by Khyber · · Score: 2

      It's called sensationalism. Slashdot is well known for it now since the real Slashdot died years ago.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    4. Re:Ransom? No mention of that... by Anonymous Coward · · Score: 1

      Not only is "demanding ransom" in the summary, it's in the title.

      But this is Slashdot. People posting without even reading the title? Sure, why not?

    5. Re:Ransom? No mention of that... by 93+Escort+Wagon · · Score: 2

      Reading the what?

      --
      #DeleteChrome
    6. Re:Ransom? No mention of that... by Jeremi · · Score: 2

      the real Slashdot died years ago.

      Did Netcraft confirm it?

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    7. Re:Ransom? No mention of that... by lucm · · Score: 2

      I personally approve of people who post without reading the title - they're doing the equivalent of going commando. I'm pretty sure that BeauHD himself doesn't read the clickbait titles that he copy-pastes from macrumors and Apple press releases, and as we can all witness that doesn't stop him from publishing interesting and awe-inspiring content.

      It's a bit rich though when people who don't read the summary or article complain that "nothing in the summary or article suggest..." something. That's pushing the envelope a bit too far.

      --
      lucm, indeed.
    8. Re:Ransom? No mention of that... by Hognoxious · · Score: 1

      In Soviet Russia, Netcraft only reads old people!

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  8. Of course by lucm · · Score: 2

    The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers.

    Citation needed (excluding Apple marketing)

    --
    lucm, indeed.
  9. Wow by Anonymous Coward · · Score: 0

    Apple can lock your mac anytime they want. What sort of imbecile signs up for that crap?

    1. Re:Wow by hcs_$reboot · · Score: 1

      Apple can lock your mac anytime they want.

      Apple doesn't do that and the feature can be useful (especially for an iPhone that you forgot somewhere)

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Wow by Spacelord · · Score: 1

      > Apple doesn't do that

      But the point is that they can because you have basically given them the key to your computer.

    3. Re:Wow by hcs_$reboot · · Score: 1

      > Apple doesn't do that

      But the point is that they can because you have basically given them the key to your computer.

      Well, all OS implementations might include such hidden feature too (and most software), if the code is injected into an update. Do they do that? No.
      Apple could do that, but doing so would be a huge mistake, and they'd lose many consumers.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re:Wow by TheFakeTimCook · · Score: 1

      > Apple doesn't do that

      But the point is that they can because you have basically given them the key to your computer.

      Do you really think Apple retains your actual Password?

      I suppose they could use brute force with their internal authorization routines; but they do not retain your actual Password, and thus cannot easily lock your Mac.

      And why oh why would they want to?

      Time for another layer of tinfoil on that hat, laddy!

  10. Security concerns by hcs_$reboot · · Score: 1

    > Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on

    iCloud is nice and all but suffers from security concerns. Such a powerful tool needs a stronger security implementation, and has to offer users the way to see when and where connections do come from. Gmail has been doing that for a long time, and Apple is still lagging behind.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Security concerns by tk77 · · Score: 2

      I believe it sends you an email whenever someone logs into Find My iPhone. Also 2 Factor Authentication is available (and should be used at this point).

      This really shouldn't be an issue anymore.

    2. Re:Security concerns by tk77 · · Score: 1

      Guess I should have paid more attention to the summary and main article. I had thought 2FA was required even with Find My iPhone but I guess it's not. That sucks.

    3. Re:Security concerns by 93+Escort+Wagon · · Score: 4, Insightful

      The problem is that, for many people, their iPhone is their only "trusted" device. Nowadays a lot of people don't own computers; and, of those who do, only some will be Macs. As far as I know, a Windows box can't be registered with Apple as a trusted device.

      --
      #DeleteChrome
    4. Re:Security concerns by Anonymous Coward · · Score: 1

      Logging into iCloud sent an authentication code to my iPhone that I then had to enter back into iCloud. So I don't get how the hackers would have been able to log into iCloud to remotely lock unless the authentication code feature was only recently implemented.

    5. Re:Security concerns by Anonymous Coward · · Score: 0

      windows is identified malware.

    6. Re:Security concerns by Anonymous Coward · · Score: 0

      SMS has never been secure and are basically backdoors into your account. Time based tokens + QR codes are secure. Reposting my comment above...

      Steve Gibson explains exactly why text 2FA is so flawed, and why QR 3FA is better. Start at around 1:04:30.

      https://twit.tv/shows/security-now/episodes/629?autostart=false

    7. Re:Security concerns by Anonymous Coward · · Score: 0

      authentication was not sent by SMS

    8. Re:Security concerns by Anonymous Coward · · Score: 0

      Steve Gibson knows security, way more than A.C. me.

      /. Nerds here should understand why Steve keeps a sheaf of printed out QR codes always on hand far better than I.

  11. had a pc for over 20 years and still good2go by Anonymous Coward · · Score: 0

    Lol, probably because Mac user will pay. PC user would just say...need a reason to upgrade...lol RIP iCloud user.

  12. A bad idea by Anonymous Coward · · Score: 0

    ... used the same email addresses, account names, and passwords ...

    With the number of parties surveilling the internet, someone knows your Facebook/Twitter/Hotmail password (or its hash). Re-use of passwords has been a bad idea for several years because: 1) The attacker has to guess correctly just once to access your many online identities; 2) It's been revealed several web-site start-ups have stored passwords in plain-text format. Likewise, one leak will expose your many online identities.

  13. Suggestions for next /. poll by Anonymous Coward · · Score: 0

    Suggestions for next /. poll:

    We need to gather answers for our next multiple choices /. poll.

    The question would be:
    What is the best way to combine creimer's name into the legendary Humpty-Dumpty name?

    Example answers could look like:
    Creamy-Dumpty
    Humpty-Dumpcream
    etc...

    We are currently stuck on this and need to resort to /. crowd brainstorming for this.

    Thanks everybody.

    1. Re:Suggestions for next /. poll by Anonymous Coward · · Score: 0

      This creimer-related shit is getting *very* boring.

  14. Its the false sense of security by Anonymous Coward · · Score: 0

    Apple has been stroking its Apple fans for decades on a false sense of security. Our products are perfectly secure, you don't need to worry. Let us handle the security, don't buy security software, don't question our commitment to your security. All complete BS marketing to get you to buy into Apple's ecosystem. In fact they do not even allow security apps on their App Store. Just read where Safari had the most vulnerabilities in web browsers. I use Apple products a lot, but never bought into the whole premise that they are impenetrable, that's just BS.

    1. Re: Its the false sense of security by Anonymous Coward · · Score: 0

      They could just allow people the option of choosing to require two factor authentication for lost mode, but they don't because the real truth is: most people only have one Apple device, and so can't use two factor authentication anyway

  15. Why just Macs? by CaptainDork · · Score: 1

    iPhones use the same technique, right?

    --
    It little behooves the best of us to comment on the rest of us.
  16. Well! by nnull · · Score: 1

    Who didn't see this coming? Surprised it didn't start happening when this feature was released in the first place.

  17. Easy solution? by Anonymous Coward · · Score: 0

    Isn't the easy solution to just walk that shit into your local Apple Store and drop it on the counter for the "Genius" to fix it?

    Tell me that Apple can reset the password on your account, log you in, help you set a new password, and unlock the device... This is a simple help-desk function.