Hackers hijack Find My iPhone to lock Mac and iOS devices for ransom

Tools

Dozens of users had their iCloud accounts accessed without their permission and the corresponding feature for finding lost phones or devices was exploited to demand a ransom. This was first reported by The Age in Australia, and could be evidenced by the many posts by affected users on Apple's Support Communities.

Victims describe a message that informs them about their device being hacked by a person called "Oleg Pliss", which in the same message demands between US$50 and US$100 via PayPal in order to unlock their devices. The attack is opportunistic in nature, and users who had set a device password were able to use it to immediately regain control of their device. Moreover, at least one user described successfully changing his iCloud password and disabling the device lock.

Users who have not already set a device password may be out of luck, however. Designed to help legitimate owners recover their misplaced devices, the feature allows users to set a device password directly from the cloud in the absence of an existing password. This means that the hacker could set a new lock code to bar the legitimate owner. The only option for these users may be to reset their devices--and lose their data if they do not have a recent data backup, or to cough up the ransom.

Static, reused passwords are the culprit

The number of reports coming from Australia as well as New Zealand has led some to speculate that the problem may stem from a localized data breach for a web service that is commonly used in those two countries. Unsurprisingly, the root cause is due to the fact that many users reuse the same passwords across multiple devices, allowing the hacker to leverage the stolen account data with iCloud.

In addition, iCloud does support two-factor authentication, introduced early last year with the use of a code that is sent to a preregistered mobile device. iCloud accounts that with two-factor authentication enabled would have stopped such extortion attempts in its tracks, even if the password was known. For now, things don't look too good for users who were locked out of their iOS devices, given that even Apple (NASDAQ: AAPL) may not have a way to reverse a remotely-configured password lock.

Ultimately, this incident is a somber reminder that two-factor authentication is really the minimum for borderline security. As it is, even two-factor authentication may be defeated by a new class of sophisticated Trojans that attack both mobile devices and computing devices. - Paul Mah  (Twitter @paulmah)