Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments (macrumors.com)

← Back to Stories (view on slashdot.org)

Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments (macrumors.com)

Posted by BeauHD on Friday September 22, 2017 @02:05PM from the remote-control dept.

AmiMoJo shares a report from Mac Rumors: Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here. Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device. The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers. Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.

36 of 61 comments (clear)

Min score:

Reason:

Sort:

Terror in coffeeshops across the land! by elrous0 · 2017-09-22 14:10 · Score: 1, Funny

As if thousands of smug douchebags cried out in terror, and were suddenly silenced.

--
SJW: Someone who has run out of real oppression, and has to fake it.
1. Re:Terror in coffeeshops across the land! by Hognoxious · 2017-09-23 02:22 · Score: 4, Funny
  
  Us, at Special Education for the Santa Clara County Office of Education, couldn't agree more with you!
  
  I guess that explains it.
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Explains a lot by burtosis · 2017-09-22 14:33 · Score: 3, Funny

So that's how my email and bank account was drained at the same time as my luggage was broken into.
1. Re:Explains a lot by lucm · 2017-09-22 15:00 · Score: 1
  
  So that's how my email and bank account was drained at the same time as my luggage was broken into.
  TSA; stealing your iPods since 2001.
  
  --
  lucm, indeed.
old story by UnderAttack · 2017-09-22 14:34 · Score: 3, Informative

This has been happening at least since 2016.

--
---- join dshield.org Distributed Intrusion Detec
1. Re:old story by Anonymous Coward · 2017-09-22 15:06 · Score: 3, Informative
  
  Try 2012. http://www.zdnet.com/article/lessons-learned-from-the-recent-find-my-mac-remote-wipe-attack/
  People who enable the "remote wipe" "feature" on their macs (or the iCloud "feature" in general) are fucking stupid. If your data are valuable, encrypt your disk. If your computer is valuable, insure it. Putting a self-destruct button in your computer which can be triggered remotely is the height of stupidity.
2. Re:old story by Anonymous Coward · 2017-09-22 15:36 · Score: 1
  
  If your data are valuable, encrypt your disk.
  I do, because there's no reason not to.
  
  If your computer is valuable, insure it.
  I have, because I insure anything that I can't replace cheaply.
  
  Putting a self-destruct button in your computer which can be triggered remotely is the height of stupidity.
  No, it isn't. Because if my data is valuable to others I want to be able to delete it remotely to stop anyone else accessing it. Because my data is valuable to me I backed it up, so wiping one copy doesn't hurt me.
  But let's be honest, if my data were valuable enough that I need to be concerned about my laptop being stolen I wouldn't give a shit about paying for a mere laptop, even if it was a MacBook. As it is I just want to reduce the risk of identity theft, and to frustrate the cunts who stole my property as much as I possibly can.
3. Re: old story by Anonymous Coward · 2017-09-22 16:06 · Score: 1
  
  And use timemachine to backup your computer to a portable drive in your house. It isn't perfect, but it will save most data loss.
4. Re:old story by ctilsie242 · 2017-09-22 16:51 · Score: 2
  
  I've been using a self-destruct button since I was using Exchange on my phone back in 2006, where I could remote wipe it should the need arise.
  The key is maintaining access/control of your account. Apple has done some changes, but they do have 2FA available (although it would be nice if they offered a standard Google Authenticator QR code method as well.)
  Then there are backups. This is what Time Machine and services like CrashPlan or Backblaze are for. If you like packing your own parachute, buy/use Arq and Amazon S3 to stash your data securely.
5. Re:old story by AHuxley · 2017-09-22 17:25 · Score: 1
  
  +1 for " If your data are valuable, encrypt your disk. If your computer is valuable, insure it." AC.
  Install some theft recovery software to get a webcam image and new ip.
  
  --
  Domestic spying is now "Benign Information Gathering"
6. Re:old story by AmiMoJo · 2017-09-22 20:55 · Score: 1
  
  TFA says that they don't need to use 2FA to lock your device, presumably because if you lost your phone you might want to lock it but be unable to provide the 2nd factor for authentication. Their 2FA system seems to be somewhat flawed.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
7. Re:old story by tlhIngan · 2017-09-25 05:07 · Score: 1
  
  TFA says that they don't need to use 2FA to lock your device, presumably because if you lost your phone you might want to lock it but be unable to provide the 2nd factor for authentication. Their 2FA system seems to be somewhat flawed.
  Well, given you just lost your "2nd factor" for a lot of users, how do you envision implementing 2FA?
  You just lost your phone. You can't have 2FA use an SMS, an app, or any other thing that relies on the phone you just lost.
  And you can't rely on the user having more than one Apple device. Or a replacement phone (which would require the original phone in order to register another trusted device, for obvious reasons).
  What would you have the user do - try to remember some long ago obscure password they set as an override? Try to find some piece of paper they wrote the 2FA bypass code on?
8. Re:old story by AmiMoJo · 2017-09-25 05:15 · Score: 1
  
  The problem is that they can set any pass code they like. If the option was "lock with my pre-set passcode" the hijack wouldn't work, because it would be a code that the user set themselves and obviously knew.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Re:Ransom? No mention of that... by lucm · 2017-09-22 15:01 · Score: 2

While asking for a ransom isn't a bad business model, there is nothing in the summary or article to suggest that is going on.
What about "Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device."

--
lucm, indeed.
Of course by lucm · 2017-09-22 15:03 · Score: 2

The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers.
Citation needed (excluding Apple marketing)

--
lucm, indeed.
Re:Ransom? No mention of that... by Anonymous Coward · 2017-09-22 15:06 · Score: 1

one would have to understand what they read to get that info. most people don't even read the freaking article so why is it surprising that they didn't see the phrase " demanding money for the passcode to unlock a locked Mac device" and understood that as a ransom demand?
Re:Wow by hcs_$reboot · 2017-09-22 15:11 · Score: 1

Apple can lock your mac anytime they want.
Apple doesn't do that and the feature can be useful (especially for an iPhone that you forgot somewhere)

--
Slashdot, fix the reply notifications... You won't get away with it...
Security concerns by hcs_$reboot · 2017-09-22 15:15 · Score: 1

> Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on

iCloud is nice and all but suffers from security concerns. Such a powerful tool needs a stronger security implementation, and has to offer users the way to see when and where connections do come from. Gmail has been doing that for a long time, and Apple is still lagging behind.

--
Slashdot, fix the reply notifications... You won't get away with it...
1. Re:Security concerns by tk77 · 2017-09-22 15:24 · Score: 2
  
  I believe it sends you and email whenever someone logs into Find My iPhone. Also 2 Factor Authentication is available (and should be used at this point).
  This really shouldn't be an issue anymore.
2. Re:Security concerns by tk77 · 2017-09-22 15:55 · Score: 1
  
  Guess I should have paid more attention to the summary and main article.. I had thought 2FA was required even with Find My iPhone but I guess its not. That sucks.
3. Re:Security concerns by 93+Escort+Wagon · 2017-09-22 16:06 · Score: 4, Insightful
  
  The problem is that, for many people, their iPhone is their only "trusted" device. Nowadays a lot of people don't own computers; and, of those who do, only some will be Macs. As far as I know, a Windows box can't be registered with Apple as a trusted device.
  
  --
  #DeleteChrome
4. Re:Security concerns by Anonymous Coward · 2017-09-22 16:11 · Score: 1
  
  Logging into iCloud sent an authentication code to my iPhone that I then had to enter back into iCloud. So I don't get how the hackers would have been able to log into iCloud to remotely lock unless the authentication code feature was only recently implemented.
Re:Ransom? No mention of that... by Khyber · 2017-09-22 15:20 · Score: 2

It's called sensationalism. Slashdot is well known for it now since the real Slashdot died years ago.

--
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Re:Ransom? No mention of that... by Anonymous Coward · 2017-09-22 15:42 · Score: 1

Not only is "demanding ransom" in the summary, it's in the title.
But this is Slashdot. People posting without even reading the title? Sure, why not?
Re:Ransom? No mention of that... by 93+Escort+Wagon · 2017-09-22 16:03 · Score: 2

Reading the what?

--
#DeleteChrome
Re:Ransom? No mention of that... by Jeremi · 2017-09-22 16:22 · Score: 2

the real Slashdot died years ago.
Did Netcraft confirm it?

--

I don't care if it's 90,000 hectares. That lake was not my doing.
Re:Ransom? No mention of that... by lucm · 2017-09-22 16:30 · Score: 2

I personally approve of people who post without reading the title - they're doing the equivalent of going commando. I'm pretty sure that BeauHD himself doesn't read the clickbait titles that he copy-pastes from macrumors and Apple press releases, and as we can all witness that doesn't stop him from publishing interesting and awe-inspiring content.
It's a bit rich though when people who don't read the summary or article complain that "nothing in the summary or article suggest..." something. That's pushing the envelope a bit too far.

--
lucm, indeed.
Re:Glad by omnichad · 2017-09-22 17:06 · Score: 2

Most of the attacks are based on password re-use, not password resets via email. A password reset could also be thwarted with two-factor authentication, but not this attack.
Re:Wow by Spacelord · 2017-09-22 22:44 · Score: 1

> Apple doesn't do that
But the point is that they can because you have basically given them the key to your computer.
Re:Wow by hcs_$reboot · 2017-09-22 23:00 · Score: 1

> Apple doesn't do that
But the point is that they can because you have basically given them the key to your computer.
Well, all OS implementations might include such hidden feature too (and most software), if the code is injected into an update. Do they do that? No.
Apple could do that, but doing so would be a huge mistake, and they'd lose many consumers.

--
Slashdot, fix the reply notifications... You won't get away with it...
Re:Wow by TheFakeTimCook · 2017-09-23 01:43 · Score: 1

> Apple doesn't do that
But the point is that they can because you have basically given them the key to your computer.
Do you really think Apple retains your actual Password?
I suppose they could use brute force with the their internal authorization routines; but they do not retain your actual Password, and thus cannot easily lock your Mac.
And why oh why would they want to?
Time for another layer of tinfoil on that hat, laddy!
Re: Glad by omnichad · 2017-09-23 03:01 · Score: 2

2FA is NOT used. You can lock a device with a passcode with only the iCloud password and it doesn't use 2FA to confirm it - because Apple assumes you probably have lost the device that provides that second authentication factor and that's why you're locking it.
Why just Macs? by CaptainDork · 2017-09-23 03:26 · Score: 1

iPhones use the same technique, right?

--
It little behooves the best of us to comment on the rest of us.
Well! by nnull · 2017-09-23 08:04 · Score: 1

Who didn't see this coming? Surprised it didn't start happening when this feature was released in the first place.
Re:Ransom? No mention of that... by Hognoxious · 2017-09-23 09:29 · Score: 1

In Soviet Russia, Netcraft only reads old people!

--
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Re:Glad by Brockmire · 2017-09-23 10:23 · Score: 1

My mom fell for an Apple phishing attack. Fucking Yahoo didn't flag a non-Apple email as spam and hid the email address from display so you didn't see the obvious fake domain. She entered all her details, birthday, credit card, maiden name, etc. She thought it was strange Apple would ask all this info, but did it anyway. I got the call when their ipad said it was remotely locked and she couldn't get into it. After figuring out the scam, we did password resets on both parents accounts and got control back of the ipad. It still took several minutes of convincing her to immediately cancel her credit card as it was 100% scam. She still didn't believe me until I said the website she put her details into is on a porn site. She got a call the next day her credit card was used twice within a few hours.