I've used the built-in OS X password manager (Keychain Access) on occasion, but never a third-party password manager. Can you recommend one?
I really like 1Password. I use it in parallel with iCloud Keychain. It's what iCloud Keychain should have been. You can search for anything, like say an old password you used multiple times, and start heading to websites to change them. Much better user interface than iCloud Keychain. It's also compatible with Windows.
Sure give me the link where a PC is remote locked and wiped with a cracked website password.

... What's that? Oh I see you can't find one.
You haven't heard of cryptolockers? They go after your mounted network drives too. As soon as I first heard about them, I made sure my USB backup drive connected to the NAS was no longer a shared network drive. They can't get that bad boy thankfully.
 
Lastpass.. If you don't wanna store in the cloud as well, 1Password
Would prefer to stay away from storing passwords in the cloud (although if I do opt for the cloud, it'll be iCloud Keychain) and subscription-based pricing. Perhaps the stock MacOS password manager is my only option then.
 
This article makes a hell of a lot of ASSumptions about HOW these hackers got their iCloud credentials. I also have to laugh at how a feature designed to save your computer is being used to RANSOM it! So much for the fracking BS "CLOUD" (who the hell didn't see this one coming?) Imagine that; put your data on someone else's server somewhere on the Internet and it can be hacked??? Who would have THUNK? Frack the CLOUD. It's asking to be hacked sooner or later.

Then comes the BEST part of the article. It tells you the remedy is to set a new password and use two-step authentication even though it just said earlier in the article it didn't do ONE DAMN BIT OF GOOD to have two-step authentication in this case!!! Yeeehaaw! Stupid advice galore! Get the frack off the Cloud would be the better advice and most of all keep a backup of your computer so you can restore it if something does happen!

No offense, but you don't seem to understand the issue given that half of what you're ranting about is irrelevant to what actually happened. This wasn't a failure of 2-factor authentication. It's a screw-up on Apple's part in that they apparently allow you to bypass 2-factor authentication to use the Find My Device feature. It's like me leaving my house unlocked, getting robbed and then you coming along and saying how useless door locks are because I got robbed. Try searching this thread for "backups" and "firmware" to see how useless keeping local backups would have been in this situation.
 
Meh, this is why things live on external drives. If I lost or had my laptop stolen, I'd wipe it and be back up and running in 25 minutes without the hassle.

This is actually incorrect. Were this to happen to you on your Mac, you'd have to take the original receipt (or copy of original) to an Apple Store or Authorized Service Provider with your Mac and they would have to remove the Firmware lock on it. In fact, you wouldn't even be able to erase your Mac due to it having a firmware lock on it.
 
So hackers got your username and password and disabled your Mac using find my iPhone on the login screen of iCloud.com. I know it sucks yes, but if users had 2FA enabled that would have been all the hackers could do. The next step for users with 2FA enabled who were locked out of their computers to do, is to change their password! 2FA is key here.

The user had 2FA enabled. The problem is that Apple apparently allows you to bypass 2FA when invoking Find My Device which makes sense given that you may need the device to use 2FA. It's a bit of a Catch-22. I like the suggestion earlier in this thread. For Find My Device, Apple should require your phone's passcode/password. That would put up a second barrier that would be almost as effective as 2FA without requiring it.
 
Yup, this happened to me back in June when I installed beta 1 of MacOS High Sierra. Frustrating and embarrassing when you're an IT engineer and your own device gets hacked! Had to bring it to Apple and provide proof of ownership before they would remove the lock.

I had 2 factor enabled, saw that someone was trying to access my account, denied them, and still had my account locked.
Two weeks ago 2 factor authentication kicked in when I connected to appleid.apple.com on my iMac: I got a confirmation code to enter on the iMac sent to my iPhone, iPad and… the very iMac I was connecting from! A little funny if you ask me. :)
 
Nice job MR. I only emailed them about this 4 weeks ago and asked that they run a story to inform people that this was going on.

I also emailed Apple about the issue with a simple suggestion. What they need to do is to require the device password when you try to lock a device from Find My iPhone on the web. When you go to remote lock a device you enter a lock passcode and the device's password or passcode. When that is sent to the Mac, iPhone, whatever, if the device password doesn't match, it won't lock the device. That way, even if a hacker guesses your Apple ID and password using hacked credentials, they still can't lock the device without the Mac's login.

Excellent suggestion.
Let's hope Apple will implement it…
 
The user had 2FA enabled. The problem is that Apple apparently allows you to bypass 2FA when invoking Find My Device which makes sense given that you may need the device to use 2FA. It's a bit of a Catch-22. I like the suggestion earlier in this thread. For Find My Device, Apple should require your phone's passcode/password. That would put up a second barrier that would be almost as effective as 2FA without requiring it.

If iCloud.com was to require your phone passcode then I’m not sure how secure that will be if your phone passcode must be stored somewhere on Apple servers as well. There is probably a security reason why Apple or Blizzard or any other company who uses extra authentication has never done this method before. The point I made is if users had 2FA enabled they have nothing to worry about since they can log in and change their password, where the hacker could not log in and only use find my iPhone.

I think Apple should leave the current system in place and add additional security measures on the devices connected to that Apple ID. For example:

If someone, a hacker for instance, logs in and invokes find my iPhone and attempts to either lock or wipe your device, that particular device and others linked to the account will receive a message and rapid audio alarm to alert the owner it’s about to be wiped in T-20 seconds unless the user authenticates with the passcode, overriding it. If you don’t override it, it will be wiped when the countdown has reached 0. The hacker cannot invoke find my iPhone again if the original request was authenticated and cancelled by an authorized device. Your device will then show a prompt from Apple that states if this was not initiated by you, we suggest you sign into iCloud now and change your password for your account safety. Proceed or Cancel buttons. If you cancel, find my iPhone will become available after 5 minutes. If you proceed, the account will enter lockdown and the password must be changed in order to continue using the account.

Something along these lines could probably work in addition to what is already in place.
 
The user had 2FA enabled. The problem is that Apple apparently allows you to bypass 2FA when invoking Find My Device which makes sense given that you may need the device to use 2FA. It's a bit of a Catch-22. I like the suggestion earlier in this thread. For Find My Device, Apple should require your phone's passcode/password. That would put up a second barrier that would be almost as effective as 2FA without requiring it.
They allow you to do that because if you only have one iDevice, like an iPhone, and you lose it, then you'll NEVER have access to Find my iPhone.

With that said they should add an option if you have 2+ devices, to always require 2FA. I've also said this many times, but 2FA in its current stage is just too hard for anyone to master, which is almost why every 2FA system has a disable option which is essentially a backdoor.

Also requiring your phone's passcode defeats phone security--that passcode is only stored on your device to begin with. I get everyone wants to jump in to say what Apple is doing wrong, but these suggestions are just worse off for security overall.
 
Just updated my password, thanks for the reminder. It's been a few months.

Just annoying to have to log into, and two-factor into, all devices again lol.
 
If iCloud.com was to require your phone passcode then I’m not sure how secure that will be if your phone passcode must be stored somewhere on Apple servers as well. There is probably a security reason why Apple or Blizzard or any other company who uses extra authentication has never done this method before. The point I made is if users had 2FA enabled they have nothing to worry about since they can log in and change their password, where the hacker could not log in and only use find my iPhone.

The device's password does not need to be stored on Apple's servers, a hash of it would be enough. Or the passcode verification could be done on device, when the lock request is sent to the device maybe?

The point in this case is that the hacker can lock a device protected with 2FA just with login and password.


I think Apple should leave the current system in place and add additional security measures on the devices connected to that Apple ID. For example:

If someone, a hacker for instance, logs in and invokes find my iPhone and attempts to either lock or wipe your device, that particular device and others linked to the account will receive a message and rapid audio alarm to alert the owner it’s about to be wiped in T-20 seconds unless the user authenticates with the passcode, overriding it. If you don’t override it, it will be wiped when the countdown has reached 0. The hacker cannot invoke find my iPhone again if the original request was authenticated and cancelled by an authorized device. Your device will then show a prompt from Apple that states if this was not initiated by you, we suggest you sign into iCloud now and change your password for your account safety. Proceed or Cancel buttons. If you cancel, find my iPhone will become available after 5 minutes. If you proceed, the account will enter lockdown and the password must be changed in order to continue using the account.

Something along these lines could probably work in addition to what is already in place.

Yes, this also sounds like a good idea as long as you always have one of your trusted devices with you and that it can receive the alert from Apple (not in a plane, or not in a theatre, or not abroad with data-roaming disabled…). But I agree that it would already greatly reduce the chances of getting locked out compared to the current situation.
 
“Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.”

And this is Apple’s fault because...? I mean I know it’s Apple’s fault. It’s always Apple’s fault no matter what with some people. So how is Apple supposed to protect people who continue to act stupidly when it comes to passwords and user ids? 2FA? How do you force these same stupid people to use it if they can’t figure out why they were hacked in the first place.
 
(…)
Also requiring your phone's passcode defeats phone security--that passcode is only stored on your device to begin with. I get everyone wants to jump in to say what Apple is doing wrong, but these suggestions are just worse off for security overall.
I wonder how this would defeat phone's security or would be worse for security overall. Genuine question.
The password is indeed only on the device, but Apple does not need it to check if the passcode entered is the same: a hash with a modern method would be enough. They probably also could send the passcode to the device and let the device check it.
Maybe I'm missing something and I'd be happy to be told what.
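
The two options raised in the replies above (a passcode hash held by the server, or a check done on the device itself), as an added Python sketch that is not from the thread or from Apple. It shows why a leaked server-side hash of a short passcode gives little protection, next to an on-device check that is bound to a device-only key and rate-limited; every name, the 4-digit passcode, the work factor and the attempt limit are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for this sketch


def server_side_hash(passcode: str, salt: bytes) -> bytes:
    """The 'store a hash on the server' variant: salted, but fast and unbound."""
    return hashlib.sha256(salt + passcode.encode()).digest()


def passcode_from_leaked_hash(salt: bytes, digest: bytes):
    """A 4-digit passcode has only 10,000 values, so a leaked hash pins it down."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if hmac.compare_digest(server_side_hash(guess, salt), digest):
            return guess
    return None


class Device:
    """On-device check: the verifier and the key binding it never leave the device."""
    MAX_FAILURES = 5

    def __init__(self, passcode: str):
        self._salt = os.urandom(16)
        self._device_key = os.urandom(32)  # stands in for a hardware-bound secret
        self._verifier = self._derive(passcode)
        self.failures = 0
        self.locked = False

    def _derive(self, passcode: str) -> bytes:
        stretched = hashlib.pbkdf2_hmac(
            "sha256", passcode.encode(), self._salt, ITERATIONS)
        return hmac.new(self._device_key, stretched, hashlib.sha256).digest()

    def handle_remote_lock(self, candidate: str) -> str:
        """Apply a remote lock request only if it carries the right passcode."""
        if self.failures >= self.MAX_FAILURES:
            return "refused: attempt limit reached"
        if not hmac.compare_digest(self._derive(candidate), self._verifier):
            self.failures += 1
            return "refused: passcode mismatch"
        self.failures = 0
        self.locked = True
        return "locked"
```

In the on-device variant the candidate passcode still travels with the lock request, so it has to be protected in transit; the sketch covers only the verification step.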
 
Just updated my password, thanks for the reminder. It's been a few months.

Just annoying to have to log into, and two-factor into, all devices again lol.

A hacker could only have gotten your password if you use the same one on other sites. So far Apple itself has not suffered a data breach. It’s been all about the reuse of user ids and passwords for multiple sites.
 
A hacker could only have gotten your password if you use the same one on other sites. So far Apple itself has not suffered a data breach. It’s been all about the reuse of user ids and passwords for multiple sites.

Oh for sure, I just change it semi-regularly to be extra careful. I don't want to be the next person that MacRumors writes a post about, and all the comments saying it's my own fault! :p
 
Meh, this is why things live on external drives. If I lost or had my laptop stolen, I'd wipe it and be back up and running in 25 minutes without the hassle.

That works? If someone locked my Mac I could boot up from my external backup and wipe my main drive and re-install?
 
Meh, this is why things live on external drives. If I lost or had my laptop stolen, I'd wipe it and be back up and running in 25 minutes without the hassle.

When someone has their Mac firmware locked like this, requiring the password, you don't just wipe it and restore from backup. Not even if you replaced the SSD (on Macs with non-soldered SSDs). It's locked at the firmware level. You definitely aren't going to get back in unless you can convince someone at the Genius Bar to help you, and it's not even clear they have a mechanism to get around this.
 
I wonder, would Apple replace your MacBook if this happened and they couldn't get around it, from a warranty perspective?
 
Windows + frequent external drive and cloud backups. Someone locks my PC? Boot from USB, wipe, and reinstall Windows.

Copy data for external drive. Back in business
 
Has Apple stepped in front of this yet? We need them to release some guidance on what to do. I updated my password but am not feeling confident that my multiple products are safe. :( :( :(
 
Even so, at the moment Apple is advising customers to contact AppleCare and deal with them directly. There is no current resolution to this issue short of escalating up the chain of command at Apple and waiting for an outcome.
Or pay the ransom. They picked an amount less than the hassle cost of getting Apple to undo the lock. Chalk it up to an education expense and change all your passwords when you get back control. Think of it like getting mugged, take the loss and move on.
 