Hackers are using Apple’s “Find My” service to remotely hold devices for ransom, reports MacRumors. Multiple people have tweeted about stolen accounts in the past week. Two-factor authentication does not prevent the hack.
The “Find My” service is meant to help you recover your phone or computer if it’s lost or stolen. It also lets you remotely lock your device. This is supposed to deter theft, since it makes the stolen phone useless. It also lets you send a custom message to your lost device, like “$US50 ($63) reward if found” or “Please return to 55 Pine St.”
But because it’s activated remotely, “Find My Device” is also a great way for someone to lock your device, from anywhere, while you still have it. All they need is your username and password. (Two-factor authentication doesn’t prevent this; Apple doesn’t require two-factor for “Find My Device” because the whole point is that you don’t have your device handy.)
But how did hackers get these people’s passwords? As MacRumors reports, it’s likely that the hacked users had been using the same password for their Mac and for other sites. So when some third-party site was breached and passwords were exposed, hackers pored through the list, trying the same login info on iCloud accounts. And they found the poor suckers who re-use passwords.
Here, according to one Twitter user, is how a ransom note looks on a hacked Mac. The hacker asks for Bitcoin, the ransom currency of choice, as it’s hard to trace:
Y’all my MacBook been locked and hacked. Someone help me @apple @AppleSupport pic.twitter.com/BE110TMgSv
— Jovan (@bunandsomesauce) September 16, 2017
I tested the technique on my own device, which previously had “Find My iPhone” enabled. I went to iCloud.com and signed in with my username and password. When the site asked for my two-factor authentication, I clicked “Find My iPhone” and enabled “Lost Mode.” I entered a message and sent it to my now-locked phone:
Easy peasy!
So how do you prevent this happening to you? As MacRumors suggests, if you’ve ever re-used your iCloud password for some other service, change your password immediately.
But the “Find My” service is also inherently insecure thanks to Apple’s weak point: customer service representatives. Journalist Mat Honan was famously hacked in 2012; the hacker called up Apple customer service posing as Honan, used his billing address and the last four digits of his credit card number to “verify” his identity, and got his password changed.
So (unless Apple has resolved this issue and its customer service staff strictly follows this policy change) if you have “Find My Device” enabled, a stranger can remotely lock your device with just a few pieces of information: your name and account name (often public), the last four digits of your credit card number (often printed on a receipt) and your billing address. So anyone with a store receipt or a restaurant check could lock your physical devices without any specialised knowledge or software.
For this reason, we (as Slate did after Honan’s hack) recommend that all Apple users disable “Find My Device” unless absolutely necessary. And if you’ve ever used your iCloud password for a different service, change it now.
To disable “Find My iPhone”, go to the Settings app on your phone, tap the row at the top with your name and avatar, and scroll down to your list of devices. Tap the device you’re on. Tap “Find My iPhone” and toggle to Off. (You’ll be prompted to enter your iCloud password.)
To disable “Find My Mac” from your computer, go to System Preferences, click iCloud, and deselect “Find My Mac.” (You’ll be prompted for your password.)
You can only disable the “Find My” service for the device you’re currently using, so go do this on each device.
Instead of “Find My Device,” use a passcode or password on all your devices. For extra security you can encrypt your hard drive with FileVault, but be sure to back up your data elsewhere.
Create a secure, unique iCloud password and store it in a third-party password management app like 1Password. We don’t recommend using iCloud Keychain, since Apple customer service hands out your iCloud password so easily. Nor do we recommend your browser’s password-saving feature.
Remember, this hack is why you don’t reuse passwords. Your password is only as strong as the weakest site you use it on. Don’t let a hack of BullshitSocialMediaSite.biz give people access to your bank account.
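Here is one way to check whether your own iCloud password is at risk from this kind of reuse. It is an added example, not part of the original article: a short Python script that reads a password manager's CSV export and lists every other login that shares a password with an Apple login. The column names and the sample entries are constructed assumptions, so adjust them to your own export.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export. The column names (title, url, password) are an
# assumption; rename them to match your password manager's CSV export.
SAMPLE_EXPORT = """title,url,password
iCloud,https://www.icloud.com,Tr0ub4dor&3
Old Forum,https://forum.example.net,Tr0ub4dor&3
Bank,https://bank.example.org,x9!Lq#72vPz@e
Photo Site,https://photos.example.com,Tr0ub4dor&3
"""

APPLE_DOMAINS = ("icloud.com", "apple.com")


def is_apple(url):
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)


def find_reuse(csv_text):
    """Group entries by password digest; return only groups with 2+ entries."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["password"]:
            # Compare digests so the plaintext is never stored or printed.
            digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
            groups[digest].append((row["title"], row["url"]))
    return [entries for entries in groups.values() if len(entries) > 1]


def apple_id_exposure(csv_text):
    """Titles of non-Apple logins that share a password with an Apple login."""
    exposed = set()
    for entries in find_reuse(csv_text):
        if any(is_apple(url) for _, url in entries):
            exposed.update(title for title, url in entries if not is_apple(url))
    return sorted(exposed)


if __name__ == "__main__":
    for title in apple_id_exposure(SAMPLE_EXPORT):
        print(f"Shares a password with your Apple ID: {title}")
```

Any site the script lists is one whose breach would hand over your iCloud login too. Delete the export file once you have run the check, since it holds every password in plain text.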
If you get hacked, do not pay the ransom, as there’s no way to guarantee the hacker will return your device. Call Apple customer service immediately.
Update #1: We continued testing “Find My Device”. We found that “Find My iPhone” couldn’t lock an iPhone that already had passcode protection. But it could enable a new passcode on a phone that previously had none.
We successfully used “Find My Mac” to remotely lock a password-protected Mac with a new passcode.
Update #2: In the absence of strong evidence that Apple has reformed its customer service security, “Find My Device” still poses a potential back door for remote attacks on any Mac, and on any iPhone without a passcode. Still, many readers will prefer the risk of remote attacks to the risk of never recovering a stolen device.
Comments
3 responses to “How To Stop Hackers From Ransoming Your Mac Or iPhone”
I’m surprised 2FA isn’t required to access this service. The other main player in mobile devices offers a range of 2FA options for their equivalent. Including one for when the authenticator device itself has been lost/stolen.
The issue lies in the fact that Apple offers two different methods for verification with Two Factor.
One is a code generated by the trusted device, or a number the owner has elected to use in the case that they can’t access their device.
Most Apple customers set their trusted number to the same number they have on their iPhone, thus if they lose it, they lose the only way to verify themselves and locate their device.
That’s the only reason the Find My Device service doesn’t require a verification code and I wouldn’t be surprised if Apple hates it so.
“recommend that all Apple users disable “Find My Device” unless absolutely necessary.”
The whole point of these is that you don’t know when it will be necessary.
Call me stupid but is it not smarter to log in to your email from another device (assuming you’re using an independent email service) and then do a password reset on your iCloud account and just re-lost mode your device with a new pin??
Just thinking outside the box?
You can cancel the Lost Mode flag, but it still requires a PIN to unlock the device without restoring it and losing all the data.
we recommend that all Apple users disable “Find My Device” unless absolutely necessary
A pretty stupid recommendation.
Just use a unique password. The solution was even in the article, had the author bothered to read it.
There is so much wrong in this article.
1. Do not disable Find My iPhone. Not only does it help you locate your device if you lose it, if it’s stolen it also protects anyone else from using your device unless they have your Apple ID, password, and another trusted device or number (if using Two-Factor Authentication).
2. The author is correct, Two Factor Authentication won’t protect your device from someone enabling Lost Mode, as Apple allows access to the feature through iCloud.com without a verification code in order to allow customers who’ve lost their device, along with their trusted number to locate their device.
3. Keeping your original proof of purchase is a sure-fire way to ensure even with this ‘loophole’ you can regain access to your device. The only downside is that it generally requires a wipe of the iOS/macOS device. As such, keep a backup, keep your receipt and worst-case scenario, you have to put aside a few hours to get it removed.
4. If you think that Apple hasn’t upgraded their security in the last few years, you’re an idiot. I can’t reveal anything internal, but the method used back in 2012 would not work in the slightest anymore.