Glad I don’t use a simple password for my iCloud account and that I never use that password for anything else. They have to change that iCloud access though, or, at the very least, have an option to enable Find My iPhone without needing 2FA and block it by default.
 
Nice job MR. I only emailed them about this 4 weeks ago and asked that they run a story to inform people that this was going on.

I also emailed Apple about the issue with a simple suggestion. What they need to do is to require the device password when you try to lock a device from Find My iPhone on the web. When you go to remote lock a device you enter a lock passcode and the device's password or passcode. When that is sent to the Mac, iPhone, whatever, if the device password doesn't match, it won't lock the device. That way, even if a hacker guesses your Apple ID and password using hacked credentials, they still can't lock the device without the Mac's login.
 
And always use 2Factor. I don’t buy the second tweet about someone getting hacked with having 2FA enabled. Even if they could guess your password and the security code, your trusted device would still get a notification and you could block access.

Edit: Apparently FMI is immune to 2FA. My bad.

How do you set your trusted device? It's damn random for me and it's annoying; I keep having to send SMS.
 
Nice job MR. I only emailed them about this 4 weeks ago and asked that they run a story to inform people that this was going on.

I also emailed Apple about the issue with a simple suggestion. What they need to do is to require the device password when you try to lock a device from Find My iPhone on the web. When you go to remote lock a device you enter a lock passcode and the device's password or passcode. When that is sent to the Mac, iPhone, whatever, if the device password doesn't match, it won't lock the device. That way, even if a hacker guesses your Apple ID and password using hacked credentials, they still can't lock the device without the Mac's login.

Forward it to the BBC etc.; once it’s all over news sites Apple will have to do something about it.
 
Meh, this is why things live on external drives. If I lost or had my laptop stolen, I'd wipe it and be back up and running in 25 minutes without the hassle.

Your data is safe, but until you broke that firmware lock you would have to buy another device to use it with. You can't just wipe a device with an EFI or firmware lock (not sure if those are two different things, or interchangeable terms) by design.

Source: This hack happened to me. I did not have two step authentication set up at the time, I do now, not that it helps in this case. I think I was the first to make a forum post about this more than a month ago.

Afterwards I went through and changed all of my passwords I could find. I found my hacked iCloud password used in one other account, although my e-mail address was not connected to it. Not sure how they got ahold of mine. I'm also very vigilant about phishing e-mails. I'm not a computer science major or anything but I'm really tech savvy and been fixing Macs professionally for about 10 years, and as an amateur for about 20. I think they may have some other pathway to getting these passwords besides from other security leaks.

The other thing that is weird to me is, if someone gets into your iCloud account, can't they use that as a jumping off point to do a lot more harm and make a lot more money than simply locking down the computer? Send out letters as you to banks, spoof your iMessages so they can get past other two step authentication accounts, maybe get into your iCloud password vault and get everything? I don't think that's happening. I swapped out the credit card attached to my iCloud account, but wouldn't they have access to Apple Pay if that's set up? I think they may have figured out a way to do this without actually logging into your iCloud or they would be doing all of that.
 
Scary.. Reset Apple password to one I've never used and turned off Find My Mac for now. They should update the story to tell users to turn off Find My Mac!!
 
Meh, this is why things live on external drives. If I lost or had my laptop stolen, I'd wipe it and be back up and running in 25 minutes without the hassle.
Not that easy. This installs a firmware password and FileVault2 is activated. No external BOOT, and since you can't remove RAM or the hard drive you have a Large Brick. On Old Systems you could remove the Firmware Password by removing RAM. If you had no Backup you lost your data.
Apple requires that you bring in your computer to an Apple Store or an ASSP, have Proof of Purchase and ID to make sure that it isn't really the stolen Computer. There is a Built in Delay in the Authentication to give the Real Owner a chance to claim; this way stops a quick one by the thief. After a lengthy Process Apple sends a File that is made into a Boot USB Stick and a connection to Apple's Service Site, and the Password can be reset and you have access to your Data.
 
Holy Hell.

I decided to go to AppleID.Apple.com and reset my password. That triggered half an hour of work and now when I try to sign into iMessages on my iPhone, it logs in to my iCloud as messages account and not my other AppleID I use for messages.

I just had to completely sign out of iCloud on my iPad Pro, iPad mini and iPhone and will now have to reset up ApplePay from scratch.

I have 6 Apple devices. This is going to take me an hour + of work to get everything setup again. Please make this easier Apple....I know why it's challenging but c'mon.
 
You have that backwards. Two step verification is the older version. 2FA brings up the pop up with a map, gives you the button to trust, then gives you the 6-digit code.

2 Factor is the newer standard.
When I’ve been working on my Mac and 2FA was activated for Safari (right after I had first set it up), the pop up to trust actually popped up on the Mac! As well as another iPad and my phone. What good is that? I had to trust, then write down the code and click OK so I could get to the place where I could enter the code. It’s happened twice to me while working on my Mac - another time when I brought it to work for the first time.
 
You certainly can't do that on a PC! :p
I'm sure that if you want I can get you a link which will happily encrypt your hard drive, throw away the root sectors of your hard drive and warn you not to switch off your PC till you paid the ransom, and it does not just go for your boot drive but all your attached storage and, for good measure, your NAS as well. There are a number of MMFer out there on the PC side; we are still in a walled garden on the Mac, but if you give the thief the house key.

We had one customer come in with two locked devices, which he got locked out of on returning home from a 2 week business trip. We came to the conclusion that the hacker used his wife's PC as the attack vector to access iCloud and then Find my iPhone. The hacker used an email account that almost looked like it could have been Apple and wanted that the customer buy an iTunes Card valued at 50€ per locked device, which we assume he would have used to buy an expensive fraudulent app which indicated that he was willing to share 30% with Apple.
 
"Users who have had their Macs locked will need to get in contact with Apple Support for assistance with removing the Find My iPhone lock."

They don't 'have' to call Apple Support. What they 'have' to do is first, make sure they have secured their iCloud account and then get a copy of their receipt from the purchase of the Mac and take it to an Apple Store or possibly an authorized service provider. No other way around it.
 
Meh, this is why things live on external drives. If I lost or had my laptop stolen, I'd wipe it and be back up and running in 25 minutes without the hassle.
Yeah, except the unlock part. Can you wipe a locked device and reinstall on Apple? You can’t on a Google Pixel.
 
You can have more than one trusted device. It is a shame that Apple didn’t disable this hole for people with multiple registered devices, or let them disable this feature. There are also other ways to get codes.
https://support.apple.com/en-us/HT204915
"iPhone, iPad, iPod touch with iOS 9 and later, or Mac with OS X El Capitan and later" are the only devices which can receive verification codes (as well as phone numbers via SMS) - if your only Apple device is an iPhone you have no other way of locking or locating it if it is stolen, when time is often a factor.

Even if you have multiple devices it's entirely possible that they could all be in the same bag that was lost/stolen. It seems like Apple has it set up this way on purpose.
 
You only need the password to perform the "lock". That's because you might not have a second device available when your Mac is stolen.

The point here is that it's one-factor to lock, 2FA for other stuff.

2FA isn't perfectly easy ALL the time, but it works perfectly MOST of the time.
The rest are left for Darwin.
 
Meh, this is why things live on external drives. If I lost or had my laptop stolen, I'd wipe it and be back up and running in 25 minutes without the hassle.

Exactly. No biggie. Nightly backup to my NAS. I'd lose 24 hours of 'data' at best. Even then the real important stuff I transfer to NAS immediately without waiting for backup. Can't beat it.

Stuff like this is only a problem if you make it a problem.
 
This is why I have absolutely no sympathy for those affected. If you use the same password for multiple sites and do not understand even the basics of security then you deserve to get hacked. This is also why I do not put my Apple ID anywhere on any website and the only people other than myself who know what it is is Apple.

I don't think anybody deserves to be hacked. Even if they have been rather stupid in using the same password for multiple sites or slight variations of it.

I do feel for the people involved. They need others around them to force them into changing their passwords otherwise this will happen more and more often.
 