Has Apple stepped in front of this yet? We need them to release some guidance on what to do. I updated my password but am not feeling confident that my multiple products are safe. :( :( :(
Do you think someone would be able to get your new password and use it to access your account? Given that’s basically the primary way of this type of thing happening.
 
I use 1Password for most of my passwords, aside from the handful I need to remember just in case:

1. My laptop's password. (I do not allow iCloud unlocks.)
2. My phone's passcode.
3. My watch's passcode.
4. My iCloud account.
5. My Gmail account.
6. 1Password's master password.

Moreover, all of these passwords are different so that one breach doesn't involve everything and getting to 1Password involves having both that password and breaking another device.

The key here, if nothing else, is to make sure your iCloud password isn't used elsewhere. Way too many people use the same username/password for dozens of things. Own one and you can guess a bunch. Judging from the messages these "hackers" are little more than annoying script kiddies.
 
To prevent an issue like this, Apple users should change their Apple ID passwords, enable two-factor authentication, and never use the same password twice.
Or disable iCloud completely, which would protect you not only from this kind of issue, but also from the annoying two-factor security, and from Apple having your personal data on their servers. Not an easy step because, obviously, Apple wants your data, as most of the companies do today. You give them your life for free, they get money from it.
 
Or disable iCloud completely, which would protect you not only from this kind of issue, but also from the annoying two-factor security, and from Apple having your personal data on their servers. Not an easy step because, obviously, Apple wants your data, as most of the companies do today. You give them your life for free, they get money from it.
And you also don’t get iMessage or FaceTime or Find My Phone and all those other useful things.
 
So, if the hackers are using Find My Mac to lock the computers... They have not breached the 2FA. The hackers can't change the iCloud password without 2FA, right? So why not have an option to login to iCloud and show the lock passcode entered after verifying with 2FA?

Or just get rid of the option to leave a note on the computer after it has been locked. If the hacker can't leave instructions to get their money, all the motivation for this goes away.
As I said, the example machines I used were locked to different accounts, so changing the password on your iCloud account would accomplish nothing at all.

Is this happening in all cases? If so, could someone have figured out how to match logic board serial numbers to system serial numbers and flash both on certain Macs? Basically, they clone random computers, activate Find My Mac using their bogus iCloud account and then go and lock it remotely, which locks both systems...

In that case it has nothing to do with individual account security as any Mac is susceptible.
 
So, the best advice is to have a strong password and disable find my Mac until Apple resolves this loophole.
 



Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone.

With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here.


Apple allows users to access Find My iPhone without requiring two-factor authentication in case a person's only trusted device has gone missing.


2-factor authentication not required to access Find My iPhone and a user's list of devices.

Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device.


The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers.

Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.


It's easy to lock a Mac with a passcode in Find My iPhone if you have someone's Apple ID and password.
To prevent an issue like this, Apple users should change their Apple ID passwords, enable two-factor authentication, and never use the same password twice. Products like 1Password, LastPass, and even Apple's own iCloud Keychain are ideal ways to generate and store new passwords for each and every website.


Users who have had their Macs locked will need to get in contact with Apple Support for assistance with removing the Find My iPhone lock.

(Thanks, Eli!)

Article Link: Hackers Using iCloud's Find My iPhone Feature to Remotely Lock Macs and Demand Ransom Payments
Or pay the ransom. They picked an amount less than the hassle cost of getting Apple to undo the lock. Chalk it up to an education expense and change all your passwords when you get back control. Think of it like getting mugged, take the loss and move on.

More than a few have paid the ransom but have not had their devices unlocked.
So, the best advice is to have a strong password and disable find my Mac until Apple resolves this loophole.

It's a loophole but unclear as to whether it is a common one.

It is, however, a warning as to keeping a strong password on your iCloud account and changing it regularly.
 
I use a password manager that has no cloud connectivity: KeePassX (Mac), KeePass (Windows) and MiniKeePass (iOS). I create the password vault on my Mac and copy the file to iOS via iTunes (the file, ending in .kdbx, is compatible across all 3 apps). Some might consider it a hassle to manually copy it, but better than trusting any site/provider with all your passwords--that's just insane IMO.

I have an iCloud account and have it enabled on my iOS devices, but all options are turned off under settings as are all automatic downloads. On my MBP, I don't have it logged in to iCloud at all. I use FileVault 2, but don't share the key with Apple. I don't trust any vendor or institution--not Apple, not Google, not Equifax, not the government (OBM, etc.)--with the security of my systems or data (I use 2 encrypted external HDs for backup, and don't keep them connected unless I am backing up).

Centralizing security is always, ALWAYS dangerous--better to deal with silos than to lose everything for the sake of convenience over security...
 
And you also don’t get iMessage or FaceTime or Find My Phone and all those other useful things.
That's why I said that disabling iCloud is not an easy step. Apple gets money (or data, which translates into money at the end, as we're living in the "big data" world) from you being in iCloud, so of course they try to get you there. When you disable it, you get all kinds of warnings: "hey!! don't do this or you won't find your phone if somebody robs you!!", and stuff like that.

Paraphrasing Apple, "it takes courage" to disable iCloud. But, man, they used courage to remove standard ports and going dongleland, so why shouldn't I be courageous too and remove iCloud from my life?
 
Or pay the ransom. They picked an amount less than the hassle cost of getting Apple to undo the lock. Chalk it up to an education expense and change all your passwords when you get back control. Think of it like getting mugged, take the loss and move on.

That would be an incredibly stupid move. You want to create a POC for them. Blackmailing works so we just keep doing it? If the hacker gets zero benefit but has the risk of getting caught they stop doing it. Never ever play their game! Instead give Apple every possible info so they can work on a long term solution. The idea of paying is irresponsible at best.
 
Bizarre, it fails for me.
I think I know why. I never bothered with an @icloud.com email address until a couple of years ago. In my mind that was an "alias" for my Apple ID but now I realise it's not. I can log into icloud.com and appleid.apple.com with either my Apple ID (which is an email address) or my icloud email address. I haven't actually created any aliases. What I *should* have done is created an icloud.com email address that I never use, and an alias to the one I actually want. Ah well.
 
Maybe I'm getting confused but I'm pretty sure you get a security email when someone signs into iCloud on a new computer? Well I seem to think I do, I certainly get them from Apple for a lot of things.
OK, so the hackers have probably already hacked your email and will get the message so you don't see it, I get that.
But in the Apple security settings you have to specify which email address they send security messages to so I have them sent to a different email address from my Apple account and it's only used for that purpose.
It's proved useful to identify phishing. I have had messages seemingly coming from Apple but because I know it's not my security account, then I can easily identify them.
You need layers of security these days.
 
MacRumors, why are you recommending two-factor authentication if you then go onto say you can access Find My iPhone without needing 2FA??

Here's a better recommendation: turn off Find My Mac until Apple correct course and Find My iPhone requires 2FA.
If I get my iPhone stolen whilst on the go, or even worse out of town there is NO device I can use to receive the 2FA code... so I am supposed to give the thief hours, maybe days to try and get data off my device?

Err... no thank you!

I'd rather have FMI be a little too trigger happy than a toothless tiger when it's needed.

Glassed Silver:win
 
I think I know why. I never bothered with an @icloud.com email address until a couple of years ago. In my mind that was an "alias" for my Apple ID but now I realise it's not. I can log into icloud.com and appleid.apple.com with either my Apple ID (which is an email address) or my icloud email address. I haven't actually created any aliases. What I *should* have done is created an icloud.com email address that I never use, and an alias to the one I actually want. Ah well.

Worst part of Apple ID is that if you have @me, @icloud, @Mac based login name you can’t change it. Apple should allow us to change to non email address based login name.
 
Apple should allow you to log into iCloud and reverse the device lock.

Apple probably should do a lot of things about scenarios like this one, but security isn't easy and there will always be ways to bypass it. Reality has caught up with the "Macs are safer than PCs" marketing lies and very obviously the scumbags of the world have finally identified Apple users as a lucrative target. I feel for the affected people, though -- nobody should ever become a victim of a crime.
 
Assuming you have a backup, which you should, erase the Mac and restore it from your backup.

However, if the ransom is affordable, say the cost of a beer or two, then pay it and save yourself the hassle and promptly change your passwords.

What worries me though, if they have your Apple ID password, they can effectively lock you out of your Apple ID and prevent you from resetting your password. That's worse than locking a device.
 
Assuming you have a backup, which you should, erase the Mac and restore it from your backup.

That won't work.

The hackers are locking the Macs using the "Find My Mac" lost Mac feature, which sets an EFI firmware password that cannot be bypassed in most cases without the use of special proprietary Apple tools.

The only easy way to recover your device is to take the device, along with proof of purchase, to an Apple Store, who can then remove the firmware password using the aforementioned tools.

But yes, the first task should always be to change your iCloud password, and hope they haven't deleted or made a copy of all your stored in iCloud data.
 
That won't work.

The hackers are locking the Macs using the "Find My Mac" lost Mac feature, which sets an EFI firmware password that cannot be bypassed in most cases without the use of special proprietary Apple tools.

The only easy way to recover your device is to take the device, along with proof of purchase, to an Apple Store, who can then remove the firmware password using the aforementioned tools.

But yes, the first task should always be to change your iCloud password, and hope they haven't deleted or made a copy of all your stored in iCloud data.
Oh setting the EFI firmware lock! That's bad. If that's the case, taking it to Apple seems like the only choice. However, I'm still more concerned about the Apple ID being hijacked. That's a major headache because *all* of your devices can be detached from your iCloud account and once they change the password, they can even change the trusted device(s), security questions and the alternate email to make it impossible to reset the password. That's one scary scenario and I don't even know if Apple can help to reset the password.
 
Oh setting the EFI firmware lock! That's bad. If that's the case, taking it to Apple seems like the only choice. However, I'm still more concerned about the Apple ID being hijacked. That's a major headache because *all* of your devices can be detached from your iCloud account and once they change the password, they can even change the trusted device(s), security questions and the alternate email to make it impossible to reset the password. That's one scary scenario and I don't even know if Apple can help to reset the password.

If it makes you feel any better, the other operations you describe do require a 2FA code if you have 2FA enabled.

If you don't have 2FA enabled then yes, it's the same as anyone can do with any other stolen login/password - complete control of the account's features.
 
However, if the ransom is affordable, say the cost of a beer or two, then pay it and save yourself the hassle and promptly change your passwords.

Do you know why ransomware works? Because of people like you who even consider paying the criminals. If profit margin is low the hackers will move on and try something else. Due to the fact that in this case there is a good chance you won’t be losing data and Apple can release the device, I see no reason even to consider paying the criminals.
 