Hackers are using Apple's "Find My" service to remotely hold devices for ransom, reports MacRumors. Multiple people have tweeted about stolen accounts in the past week. Two-factor authentication does not prevent the hack.
The "Find My" service is meant to help you recover your phone or computer if it's lost or stolen. It also lets you remotely lock your device. This is supposed to deter theft, since it makes the stolen phone useless. It also lets you send a custom message to your lost device, like "$US50 ($63) reward if found" or "Please return to 55 Pine St."
But because it's activated remotely, "Find My Device" is also a great way for someone to lock your device, from anywhere, while you still have it. All they need is your username and password. (Two-factor authentication doesn't prevent this; Apple doesn't require two-factor for "Find My Device" because the whole point is that you don't have your device handy.)
But how did hackers get these people's passwords? As MacRumors reports, it's likely that the hacked users had been using the same password for their Mac and for other sites. So when some third-party site was breached and passwords were exposed, hackers pored through the list, trying the same login info on iCloud accounts. And they found the poor suckers who re-use passwords.
Here, according to one Twitter user, is how a ransom note looks on a hacked Mac. The hacker asks for Bitcoin, the ransom currency of choice, as it's hard to trace:
— Jovan (@bunandsomesauce) September 16, 2017
I tested the technique on my own device, which previously had "Find My iPhone" enabled. I went to iCloud.com and signed in with my username and password. When the site asked for my two-factor authentication, I clicked "Find My iPhone" and enabled "Lost Mode." I entered a message and sent it to my now-locked phone:
So how do you prevent this happening to you? As MacRumors suggests, if you've ever re-used your iCloud password for some other service, change your password immediately.
But the "Find My" service is also inherently insecure thanks to Apple's weak point: customer service representatives. Journalist Mat Honan was famously hacked in 2012; the hacker called up Apple customer service posing as Honan, used his billing address and the last four digits of his credit card number to "verify" his identity, and got his password changed.
So (unless Apple has resolved this issue and its customer service staff strictly follows this policy change) if you have "Find My Device" enabled, a stranger can remotely lock your device with just a few pieces of information: your name and account name (often public), the last four digits of your credit card number (often printed on a receipt) and your billing address. So anyone with a store receipt or a restaurant check could lock your physical devices without any specialised knowledge or software.
For this reason, we (as Slate did after Honan's hack) recommend that all Apple users disable "Find My Device" unless absolutely necessary. And if you've ever used your iCloud password for a different service, change it now.
To disable "Find My iPhone", go to the Settings app on your phone, tap the row at the top with your name and avatar, and scroll down to your list of devices. Tap the device you're on. Tap "Find My iPhone" and toggle to Off. (You'll be prompted to enter your iCloud password.)
To disable "Find My Mac" from your computer, go to System Preferences, click iCloud, and deselect "Find My Mac." (You'll be prompted for your password.)
You can only disable the "Find My" service for the device you're currently using, so go do this on each device.
Instead of "Find My Device," use a passcode or password on all your devices. For extra security you can encrypt your hard drive with FileVault, but be sure to back up your data elsewhere.
Create a secure, unique iCloud password and store it in a third-party password management app like 1Password. We don't recommend using iCloud Keychain, since Apple customer service hands out your iCloud password so easily. Nor do we recommend your browser's password-saving feature.
Remember, this hack is why you don't reuse passwords. Your password is only as strong as the weakest site you use it on. Don't let a hack of BullshitSocialMediaSite.biz give people access to your bank account.
If you get hacked, do not pay the ransom, as there's no way to guarantee the hacker will return your device. Call Apple customer service immediately.
Update #1 We continued testing "Find My Device". We found that "Find My iPhone" couldn't lock an iPhone that already had passcode protection. But it could enable a new passcode on a phone that previously had none.
We successfully used "Find My Mac" to remotely lock a password-protected Mac with a new passcode.
Update #2 In the absence of strong evidence that Apple has reformed its customer service security, "Find My Device" still poses a potential back door for remote attacks on any Mac, and on any iPhone without a passcode. Still, many readers will prefer the risk of remote attacks to the risk of never recovering a stolen device.