Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Iphone Security Privacy The Almighty Buck

Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments (macrumors.com) 61

AmiMoJo shares a report from Mac Rumors: Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone. With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here. Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device. The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers. Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.
This discussion has been archived. No new comments can be posted.

Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments

Comments Filter:
  • As if thousands of smug douchebags cried out in terror, and were suddenly silenced.

  • by burtosis ( 1124179 ) on Friday September 22, 2017 @09:33PM (#55248535)
    So that's how my email and bank account was drained at the same time as my luggage was broken into.
    • by lucm ( 889690 )

      So that's how my email and bank account was drained at the same time as my luggage was broken into.

      TSA; stealing your iPods since 2001.

  • old story (Score:4, Informative)

    by UnderAttack ( 311872 ) * on Friday September 22, 2017 @09:34PM (#55248545) Homepage

    This has been happening at least since 2016.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Try 2012. http://www.zdnet.com/article/lessons-learned-from-the-recent-find-my-mac-remote-wipe-attack/

      People who enable the "remote wipe" "feature" on their macs (or the iCloud "feature" in general) are fucking stupid. If your data are valuable, encrypt your disk. If your computer is valuable, insure it. Putting a self-destruct button in your computer which can be triggered remotely is the height of stupidity.

      • by Anonymous Coward

        If your data are valuable, encrypt your disk.

        I do, because there's no reason not to.

        If your computer is valuable, insure it.

        I have, because I insure anything that I can't replace cheaply.

        Putting a self-destruct button in your computer which can be triggered remotely is the height of stupidity.

        No, it isn't. Because if my data is valuable to others I want to be able to delete it remotely to stop anyone else accessing it. Because my data is valuable to me I backed it up, so wiping one copy doesn't hurt me.

        But let's be honest, if my data were valuable enough that I need to be concerned about my laptop being stolen I wouldn't give a shit about paying for a mere laptop, even if it was a MacBook. As it

      • by Anonymous Coward

        And use timemachine to backup your computer to a portable drive in your house. It isn't perfect, but it will save most data loss.

      • I've been using a self-destruct button since I was using Exchange on my phone back in 2006, where I could remote wipe it should the need arise.

        The key is maintaining access/control of your account. Apple has done some changes, but they do have 2FA available (although it would be nice if they offered a standard Google Authenticator QR code method as well.)

        Then there are backups. This is what Time Machine and services like CrashPlan or Backblaze are for. If you like packing your own parachute, buy/use Arq

        • by AmiMoJo ( 196126 )

          TFA says that they don't need to use 2FA to lock your device, presumably because if you lost your phone you might want to lock it but be unable to provide the 2nd factor for authentication. Their 2FA system seems to be somewhat flawed.

          • by tlhIngan ( 30335 )

            TFA says that they don't need to use 2FA to lock your device, presumably because if you lost your phone you might want to lock it but be unable to provide the 2nd factor for authentication. Their 2FA system seems to be somewhat flawed.

            Well, given you just lost your "2nd factor" for a lot of users, how do you envision implementing 2FA?

            You just lost your phone. You can't have 2FA use an SMS, an app, or any other thing that relies on the phone you just lost.

            And you can't rely on the user having more than one A

            • by AmiMoJo ( 196126 )

              The problem is that they can set any pass code they like. If the option was "lock with my pre-set passcode" the hijack wouldn't work, because it would be a code that the user set themselves and obviously knew.

      • by AHuxley ( 892839 )
        +1 for " If your data are valuable, encrypt your disk. If your computer is valuable, insure it." AC.
        Install some theft recovery software to get a webcam image and new ip.
  • by lucm ( 889690 ) on Friday September 22, 2017 @10:03PM (#55248645)

    The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers.

    Citation needed (excluding Apple marketing)

  • > Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on

    iCloud is nice and all but suffers from security concerns. Such a powerful tool needs a stronger security implementation, and has to offer users the way to see when and where connections do come from. Gmail has been doing that for a long time, and Apple is still lagging behind.
    • by tk77 ( 1774336 )

      I believe it sends you and email whenever someone logs into Find My iPhone. Also 2 Factor Authentication is available (and should be used at this point).

      This really shouldn't be an issue anymore.

      • by tk77 ( 1774336 )

        Guess I should have paid more attention to the summary and main article.. I had thought 2FA was required even with Find My iPhone but I guess its not. That sucks.

        • by 93 Escort Wagon ( 326346 ) on Friday September 22, 2017 @11:06PM (#55248805)

          The problem is that, for many people, their iPhone is their only "trusted" device. Nowadays a lot of people don't own computers; and, of those who do, only some will be Macs. As far as I know, a Windows box can't be registered with Apple as a trusted device.

        • by Anonymous Coward

          Logging into iCloud sent an authentication code to my iPhone that I then had to enter back into iCloud. So I don't get how the hackers would have been able to log into iCloud to remotely lock unless the authentication code feature was only recently implemented.

  • iPhones use the same technique, right?

  • Who didn't see this coming? Surprised it didn't start happening when this feature was released in the first place.

No spitting on the Bus! Thank you, The Mgt.

Working...