Hacked: Apple’s Helpful Security Service Turned Harmful
When things go wrong with Apple (NASDAQ:AAPL) products, Australia oddly is the place it seems to happen. Last year, when Apple rolled out Apple Maps in place of Google Maps as the default location application for iOS, Australia was where people were getting so lost that it almost cost them dearly. Now, Australia is the home to a hack across many different Apple products that — though far from lethal — might be costing users a bit of time and money.
According to TheAge – an Australian publication — and numerous postings on the Apple Support Communities page, users in many parts of Australia have reported their devices being “hacked” and locking them out. Apple’s “Find My iPhone” and “Find My Mac” services were evidently exploited to help the hacker(s) lock out users from their own devices — doing quite the opposite of what the tools were meant to do.
In many of the instances, the hacker goes by the alias “Oleg Pliss” and tells users that they need to send up to $100 to an PayPal account in order to get their phones un-”hacked” and have access to them again. In a somewhat odd twist, a PayPal spokesperson said the email address people were being told to pay wasn’t actually connected to any PayPal account, but the spokesperson did say that if victims of the “hack” had sent any money, it would be refunded by the service, reports The Age.
Another odd thing about the hack on these Apple devices is that it’s not exactly a hack, but rather more of a breach of security and potentially the aftermath of a separate hack.
As the “hack” is coming through Find My iPhone and similar services, it seems most likely that the hackers managed to get access to information that allowed them to log in to Apple users’ accounts, according to ZDNet, and from there lock out users on devices, treating them as if they were stolen and holding them for ransom. So, the service that’s meant to help users find their devices and lock out thieves has been flipped on its head to lock out users and allow attackers to extort money.
According to The Age, IT security expect Troy Hunt suggests the attack was the result of recent data breaches giving hackers to login credentials that helped them get into the Apple iCloud accounts, because many people use the same passwords across multiple accounts online — generally considered an unwise practice on the Internet.
There is hope in the matter, as users that had passwords set up on their devices before the attack have been able to regain control of the device with that password and a restore from iTunes. The problems arise for people who didn’t create a password on their device, as the attacker was able to create a password on the device that the user then had no way around it.
So, for some, getting past the attack is a breeze, though they may still want to change their iCloud login information, assuming the attackers haven’t changed any of that. Other’s have been struggling more, as Apple hasn’t announced a solution. ZDNet reports that one user took their device to an Apple Store and was still unable to solve the problem.
Though this is not particularly the fault of Apple — assuming Apple wasn’t hacked in order for the attacker to get the login credentials — it is likely more a matter of users not following best practices in securing their accounts and devices. If users’ iCloud account credentials didn’t match those of some other websites, they may have been less likely to suffer from this attack, and if they had secured their devices with passwords, they would have likely been able to resolve the issue quite quickly.
Nonetheless, this isn’t a great spot of publicity for Apple — though at least it’s mostly contained to a section of Australian users. This incident doesn’t suggest that Apple’s security is weak, but it does show that there is a bit damage to be done if security is breached. There may not be much Apple can do about it though, unless it forces users to use passwords and adopt more advanced security measures, like two-factor authentication, which sends a code to a secure device, making it a lot harder for a hacker to gain access to accounts.
This also isn’t the best timing for this kind of publicity. The Financial Times reports that Apple may be preparing a platform for more connected smart devices in the home at the upcoming Worldwide Developer Conference. This platform could include controls for things like lights and electronics, but also things like doors and security. A data breach letting attackers mess with an iPhone is one thing, but if it could put a users home security on the line, that’s a much bigger problem. If the issue isn’t resolved — or even worse, if it spreads — by June 2, it could be a black eye for Apple.
Follow Mark on Twitter @WallStMarkSheet