Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments (macrumors.com) 61
AmiMoJo shares a report from Mac Rumors: Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here. Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device. The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers. Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.
Terror in coffeeshops across the land! (Score:1, Funny)
As if thousands of smug douchebags cried out in terror, and were suddenly silenced.
Re:Terror in coffeeshops across the land! (Score:5, Funny)
I guess that explains it.
Re: (Score:3)
Most of the attacks are based on password re-use, not password resets via email. A password reset could also be thwarted with two-factor authentication, but not this attack.
Re: (Score:3)
2FA is NOT used. You can lock a device with a passcode with only the iCloud password and it doesn't use 2FA to confirm it - because Apple assumes you probably have lost the device that provides that second authentication factor and that's why you're locking it.
Re: (Score:2)
Explains a lot (Score:4, Funny)
Re: (Score:2)
So that's how my email and bank account was drained at the same time as my luggage was broken into.
TSA; stealing your iPods since 2001.
old story (Score:4, Informative)
This has been happening at least since 2016.
Re: (Score:3, Informative)
Try 2012. http://www.zdnet.com/article/lessons-learned-from-the-recent-find-my-mac-remote-wipe-attack/
People who enable the "remote wipe" "feature" on their macs (or the iCloud "feature" in general) are fucking stupid. If your data are valuable, encrypt your disk. If your computer is valuable, insure it. Putting a self-destruct button in your computer which can be triggered remotely is the height of stupidity.
Re: (Score:1)
If your data are valuable, encrypt your disk.
I do, because there's no reason not to.
If your computer is valuable, insure it.
I have, because I insure anything that I can't replace cheaply.
Putting a self-destruct button in your computer which can be triggered remotely is the height of stupidity.
No, it isn't. Because if my data is valuable to others I want to be able to delete it remotely to stop anyone else accessing it. Because my data is valuable to me I backed it up, so wiping one copy doesn't hurt me.
But let's be honest, if my data were valuable enough that I need to be concerned about my laptop being stolen I wouldn't give a shit about paying for a mere laptop, even if it was a MacBook. As it
Re: old story (Score:1)
And use timemachine to backup your computer to a portable drive in your house. It isn't perfect, but it will save most data loss.
Re: (Score:3)
I've been using a self-destruct button since I was using Exchange on my phone back in 2006, where I could remote wipe it should the need arise.
The key is maintaining access/control of your account. Apple has done some changes, but they do have 2FA available (although it would be nice if they offered a standard Google Authenticator QR code method as well.)
Then there are backups. This is what Time Machine and services like CrashPlan or Backblaze are for. If you like packing your own parachute, buy/use Arq
Re: (Score:2)
TFA says that they don't need to use 2FA to lock your device, presumably because if you lost your phone you might want to lock it but be unable to provide the 2nd factor for authentication. Their 2FA system seems to be somewhat flawed.
Re: (Score:2)
Well, given you just lost your "2nd factor" for a lot of users, how do you envision implementing 2FA?
You just lost your phone. You can't have 2FA use an SMS, an app, or any other thing that relies on the phone you just lost.
And you can't rely on the user having more than one A
Re: (Score:2)
The problem is that they can set any pass code they like. If the option was "lock with my pre-set passcode" the hijack wouldn't work, because it would be a code that the user set themselves and obviously knew.
Re: (Score:2)
Install some theft recovery software to get a webcam image and new ip.
Re: (Score:3)
While asking for a ransom isn't a bad business model, there is nothing in the summary or article to suggest that is going on.
What about "Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device."
Re: (Score:1)
one would have to understand what they read to get that info. most people don't even read the freaking article so why is it surprising that they didn't see the phrase " demanding money for the passcode to unlock a locked Mac device" and understood that as a ransom demand?
Re: (Score:1)
Not only is "demanding ransom" in the summary, it's in the title.
But this is Slashdot. People posting without even reading the title? Sure, why not?
Re: (Score:3)
Reading the what?
Re: (Score:3)
I personally approve of people who post without reading the title - they're doing the equivalent of going commando. I'm pretty sure that BeauHD himself doesn't read the clickbait titles that he copy-pastes from macrumors and Apple press releases, and as we can all witness that doesn't stop him from publishing interesting and awe-inspiring content.
It's a bit rich though when people who don't read the summary or article complain that "nothing in the summary or article suggest..." something. That's pushing the
Re: (Score:3)
It's called sensationalism. Slashdot is well known for it now since the real Slashdot died years ago.
Re: (Score:3)
the real Slashdot died years ago.
Did Netcraft confirm it?
Re: (Score:2)
In Soviet Russia, Netcraft only reads old people!
Of course (Score:3)
The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers.
Citation needed (excluding Apple marketing)
Re: (Score:2)
Apple can lock your mac anytime they want.
Apple doesn't do that and the feature can be useful (especially for an iPhone that you forgot somewhere)
Re: (Score:2)
> Apple doesn't do that
But the point is that they can because you have basically given them the key to your computer.
Re: (Score:2)
> Apple doesn't do that
But the point is that they can because you have basically given them the key to your computer.
Well, all OS implementations might include such hidden feature too (and most software), if the code is injected into an update. Do they do that? No.
Apple could do that, but doing so would be a huge mistake, and they'd lose many consumers.
Re: (Score:2)
> Apple doesn't do that
But the point is that they can because you have basically given them the key to your computer.
Do you really think Apple retains your actual Password?
I suppose they could use brute force with the their internal authorization routines; but they do not retain your actual Password, and thus cannot easily lock your Mac.
And why oh why would they want to?
Time for another layer of tinfoil on that hat, laddy!
Security concerns (Score:2)
iCloud is nice and all but suffers from security concerns. Such a powerful tool needs a stronger security implementation, and has to offer users the way to see when and where connections do come from. Gmail has been doing that for a long time, and Apple is still lagging behind.
Re: (Score:3)
I believe it sends you and email whenever someone logs into Find My iPhone. Also 2 Factor Authentication is available (and should be used at this point).
This really shouldn't be an issue anymore.
Re: (Score:2)
Guess I should have paid more attention to the summary and main article.. I had thought 2FA was required even with Find My iPhone but I guess its not. That sucks.
Re:Security concerns (Score:5, Insightful)
The problem is that, for many people, their iPhone is their only "trusted" device. Nowadays a lot of people don't own computers; and, of those who do, only some will be Macs. As far as I know, a Windows box can't be registered with Apple as a trusted device.
Re: (Score:1)
Logging into iCloud sent an authentication code to my iPhone that I then had to enter back into iCloud. So I don't get how the hackers would have been able to log into iCloud to remotely lock unless the authentication code feature was only recently implemented.
Why just Macs? (Score:2)
iPhones use the same technique, right?
Well! (Score:2)