To prevent an issue like this, Apple users should change their Apple ID passwords, enable two-factor authentication, and never use the same password twice. Products like 1Password, LastPass, and even Apple's own iCloud Keychain are ideal ways to generate and store new passwords for each and every website.

There are 2 major flaws in the way the iCloud system is designed:

First the easy access to the 'Find My Phone'. It's logical to have access to this function without the 2-factor authentication, because if the thief is able to access it before you do, he/she could be able to block you from locking the device. But there should be an additional step before allowing the device to be locked, e.g. an additional personal question or entering the device password.

Two, and this one is a huge flaw: There is no 2-factor authentication when you are setting up an iCloud account on a Mac with the iCloud panel in the System Preferences, even if it's activated in your iCloud account. After just a few simple steps, your Mac is entitled to receive the 2-factor authentication notifications without further process.
 
MacRumors, why are you recommending two-factor authentication if you then go onto say you can access Find My iPhone without needing 2FA??

Here's a better recommendation: turn off Find My Mac until Apple correct course and Find My iPhone requires 2FA.

Because having 2FA is better than not having it. About 1-2 months ago my account was attacked. The only thing that saved my bacon was the 2FA. It happened overnight so it took the better part of a day before I was up and saw it to change my password. I clearly got lucky that this FMI exploit was not known to them at that time.
 
So Apple can bypass the lock? It makes sense for situations such as this or when a lost or stolen device is recovered.

They can and they do. We had to provide proof of ownership of the MBP, but once they had that the Genius Bar guy said that this can only be done in the evening as they have to be on the phone for a while to do it.
 
Read through a bunch of the comments.

Hope Mac Rumors does a follow-up with clear step-by-step directions of what the average user should do to prevent this from happening. Several of their current suggestions seem odd or have been readily refuted by commenters!

It made no sense reading MR's advice to set up two-factor authorization when the security breach is because iCloud has no 2FA ability!

So, what gives here?! Frankly, I have a headache from reading all the conflicting and technically intricate solutions provided!
 
Do you know why ransomware works? Because of people like you who even consider paying the criminals. If the profit margin is low the hackers will move on and try something else. Due to the fact that in this case there is a good chance you won’t be losing data and Apple can release the device, I see no reason to even consider paying the criminals.
It all depends on the circumstances. I don't condone yielding to extortionists any more than you do but if you need your data asap and your time is more valuable than the price of a beer, I would reluctantly consider paying to resolve the issue.

Let's say you are on an important business trip and the project you are about to present to an audience at a board meeting is locked in your machine. You just discovered that when you woke up that morning and you only have a limited time to unlock your device. Tell your audience that your machine is hijacked and in principle you refuse to pay a few cents to the hijackers. Therefore suggest postponing the meeting until you visit an Apple Store to get your machine unlocked.

On the other hand if you are at home, and you have your backups within reach and there is no mission critical stuff that you need it immediately, just take your time to get it unlocked at an Apple Store and stick it to the hijackers.
 
Thanks for heads up on this.

Haven’t changed my Apple-id password in a while, so just did.
Should do it annually, but we are lazy and want to keep old patterns.
I’m getting better at it though. Nothing good with old patterns OR passwords.

And wow, this is not good for 
They should really upgrade their security systems if this even CAN happen with 2FA :eek:
 
My family members have received so many phishing attempts that they keep asking me about. They are getting better and better.

The last one was an iTunes receipt for some $399 purchase. Everything looked legit except an obfuscated sender and the link to "cancel this iTunes order" went someplace else... but looked like a standard apple web page.
 
That's why I said that disabling iCloud is not an easy step. Apple gets money (or data, which translates into money at the end, as we're living in the "big data" world) from you being in iCloud, so of course they try to get you there. When you disable it, you get all kinds of warnings: "hey!! don't do this or you won't find your phone if somebody robs you!!", and stuff like that.

Paraphrasing Apple, "it takes courage" to disable iCloud. But, man, they used courage to remove standard ports and going dongleland, so why shouldn't I be courageous too and remove iCloud from my life?
They provide services and you can choose to make use of those services. Not much of a conspiracy there.
 
I have no iCloud presence.
I've never once signed in there, ever. And never will.

In that case, can the hack still be used against my MacBook?
 
I have no iCloud presence.
I've never once signed in there, ever. And never will.

In that case, can the hack still be used against my MacBook?
If Find My Mac is disabled Apple can't send a lock message to that Mac even if someone clones your unique identifiers and enables it on the clone. I have, of course, just disabled Find My Mac on both my Macs. Don't even need 2FA to disable it, just the iCloud login credentials.
 
It made no sense reading MR's advice to set up two-factor authorization when the security breach is because iCloud has no 2FA ability!

Having two factor on will not stop the hacker from locking your device, but it will stop them from changing your iCloud password and hijacking your iCloud account. So if this happens to you and your Mac/iPhone is locked, you would want to access your AppleID from another trusted device and change your password. This won't unlock your other device since you don't know the six digit PIN, but at least it would allow you to reclaim control of your iCloud account.
 
So Apple can bypass the lock? It makes sense for situations such as this or when a lost or stolen device is recovered.

Under limited circumstances, yes. But if you have an iPhone or iPad that is in lost mode, you're screwed. No one can bypass that remotely. I don't know if the Mac has a similar lost mode but if it does I imagine it's the same. Or if the lock can be removed it would require totally erasing the computer. And I wonder what the statistics are on folks that get phished etc. also having an up-to-date backup.
 
I am thoroughly confused. As an older user, I have enjoyed all my Apple products since 2012 and used them with ease. But I don’t know exactly what to do now as a security measure other than change my password for my Apple ID since I have never done that since my first Apple product (2012). So yeah, I know! But do I sign out of everything first or just log back in once it’s changed? Everything being...iPhone, iPad, MBP and Apple TV.
Also I have turned off Find my Phone, Mac and iPad, is that right?
I have had 2 Factor Authentication on for a few months now.
 
Apple should allow you to cancel any locks once you log in to your iCloud account and pass 2FA.
 
I didn't read every comment, so I apologize if this has been said before, but Apple's 2FA is a bit of a joke.

When I try to log in to iCloud in a private browser on my Mac, it prompts me for the verification code, which is sent to—get this—my Mac! I'll be literally looking at the pop up with the verification code on the window in front of the browser that's asking me for that code. This also happens on my iPhone.

What Apple isn't doing is they aren't sending the verification code to a device different than the device you're on... they're sending it to every device on your account, including the one you're trying to access. Useless.
 
That is by design because your Mac was used before and is a trusted device.

I understand, but if it was a trusted device, why would they be prompting for verification code in the first place? It's a flaw. If I'm on a device that you feel warrants me putting in a verification code, then don't send that code to the device I'm trying to log into.

And the login attempt doesn't even have to be done in a private browser. Try signing in to the public beta page, for example.

EDITED TO ADD: I understand there's a difference between signing into a website and signing into a device, and that's probably where the disconnect is... but it's a flaw nonetheless. My Apple ID is very easily accessed even with 2FA because my verification code gets sent to the device I'm using to try to sign in.
 
Is 'Find My Mac' per device or for all devices associated with a specific iCloud account?
My Apple ID is very easily accessed even with 2FA because my verification code gets sent to the device I'm using to try to sign in.

I noticed this too. I'm getting burned out on having to be hyper-vigilant with 'cloud' stuff and think I'll take a step back and stick to local backups in addition to turning off 'Find My ...' on all my devices.
 
Because having 2FA is better than not having it. About 1-2 months ago my account was attacked. The only thing that saved my bacon was the 2FA. It happened overnight so it took the better part of a day before I was up and saw it to change my password. I clearly got lucky that this FMI exploit was not known to them at that time.
I'm not saying to get rid of 2FA, I'm saying it's not a solution to the problem presented in the article, disabling Find My Mac is.
 
This is why I have absolutely no sympathy for those affected. If you use the same password for multiple sites and do not understand even the basics of security then you deserve to get hacked.

Hear that, aging people who don't understand technology very well? You deserve to get hacked.
You have that backwards. Two step verification is the older version. 2FA brings up the pop up with a map, gives you the button to trust, then gives you the 6-digit code.

2 Factor is the newer standard.
It's insane that Apple hasn't managed to come up with more distinct names for these two different security tools. Is anybody surprised that people confuse "two-step verification" and "two-factor authentication"? Hell, I'm reasonably diligent about this stuff and was on the older and less secure one (two-step verification) up until this year because they sound like the same thing.
 
This is why I have absolutely no sympathy for those affected. If you use the same password for multiple sites and do not understand even the basics of security then you deserve to get hacked.

At this point I have absolutely no sympathy for those who got knifed. If you don't wear your chainmail 24/7, you deserve to get stabbed.
 
No offense, but you don't seem to understand the issue given that half of what you're ranting about is irrelevant to what actually happened. This wasn't a failure of 2-factor authentication. It's a screw-up on Apple's part in that they apparently allow you to bypass 2-factor authentication to use the Find My Device feature. It's like me leaving my house unlocked, getting robbed and then you coming along and saying how useless door locks are because I got robbed. Try searching this thread for "backups" and "firmware" to see how useless keeping local backups would have been in this situation.

I think I got the point just fine, which is why I questioned the STUPID logic in telling people to FIX IT to use 2-factor authentication, etc. That's all fine and dandy, but has NOTHING to do with how these people got hacked (i.e. worthless towards the topic in hand and hence why I find the article so obtuse).
 
You can access Find my iPhone without needing 2FA authorization. Try it, go to iCloud.com, deny the 2FA request after entering username/password, then click on Find my iPhone at the bottom. This is what happened to these folks.

An easy solution would be if your account has multiple trusted devices, to require 2FA even when accessing FMI, since it would be highly unlikely you would lose access to all of your trusted devices at once.

To edit, you can actually access a good bit of things even without the 2FA authorization. You can remove Apple Pay cards and other devices from your iCloud account. I really think Apple needs to reconsider this ability.
I've just tried it, and you are absolutely correct. You can totally dismiss the two-factor authentication request when you log in from another computer or another browser that has not been authenticated with a 2FA. Once you dismiss the authentication request popup, there's an icon at the bottom of the screen of the login page to launch the Find My iPhone page. From there, you can lock the Mac with a lock code, and the Mac will reboot into EFI and present a prompt for the unlock code.

So, you can lock anyone's Mac if you can log in to iCloud.com without having to be authenticated with 2FA.

APPLE. WTF? How did you miss this attack vector? I can understand the reasoning behind it. You've been robbed. Both your Mac and your iPhone have been stolen. You run into an Internet cafe, log in to a computer there, and try to lock your Mac remotely. However, how did you not think about the fact that a hacker can do this completely bypassing 2FA? WTF?

-------------
Navigate to  > System Preferences > iCloud and deselect the check box next to "Find My Mac".
 