The ransom note pops up like any other digital message on a locked iPhone screen. “Hacked by Oleg Pliss. For unlock device YOU NEED send voucher code by 100 $/eur one of this (Moneypack/Ukash/PaySafeCard) to email@example.com i sent code 2618911226.”
That was the message Australian iPhone user @Greta_Tar tweeted earlier today after she realized she was the latest victim of a security breach that is kidnapping Apple devices through a flaw in the Find My iPhone feature. Though an odd phenomenon so far mostly found in Australia, the hack does highlight an alarming breach in a system meant to ensure security for an Apple device. What’s the deal?
The Find My iPhone app has saved countless stolen and misplaced Apple devices. When a users can’t locate his or her device, he or she can log into iCloud to track the device’s location. Users can also lock the device and leave a message such as “This iPhone has been lost, please call this number if found.”
The hacker, so far only identified as Oleg Pliss (though whether that is the actual name of the hacker remains to be confirmed), has seemingly found a way to infiltrate the lock and message part of the app, locking the screen and leaving a digital ransom note. So far Apple has not released any information about the apparent hack, though complaints have popped up on Twitter and there is an Apple support thread discussing the issue. So far, a few dozen people in Australia and New Zealand and one person in the United States have claimed to have been hit. While some lock-screen messages demanded a PayPal payment, The Sydney Morning Herald reported that a PayPal spokesperson says there is no account linked to the e-mail address provided and any money sent as a result of the scam would be refunded.
With Apple remaining mum on the issue so far, tech experts have offered a few opinions as to what could be the culprit. Troy Hunt, an IT security expert, told the Herald, "It’s quite possible this is occurring by exploiting password reuse. Regardless of how difficult someone believes a password is to guess, if it's been compromised in another service and exposed in an unencrypted fashion, then it puts every other service where it has been reused at risk.”
In other words, if a password or other information was compromised through another flaw (recent examples include eBay, Heartbleed, and Target), a hacker could have access to passwords or other private information used for authentication purposes. This information could be used to access iCloud. He says it is key to use two-factor authentication to dissuade this type of vulnerability.
“Of course it also suggests that two-factor authentication was likely not used as the password alone wouldn't have granted the attacker access to the iCloud account,” he says.
Otherwise, possibilities include a man-in-the-middle attack, in which a hacker intercepts communication between iCloud and devices through an Internet Service Provider attack, or perhaps iCloud itself has a flaw. Nothing can be confirmed yet; Apple has not publicly made a statement.
What can Apple users do if faced with this attack? If users have a four-digit passcode, they can unlock their device using their passcode. If they don’t, they can restore their device to the last time it was backed up (which, be warned, may result in some loss of data that hasn’t been backed up). Otherwise, they can always bring it to an Apple store. To be safe, iCloud users may want to change their password to prevent future vulnerability.
This news comes in a particularly difficult year for private companies, as news of a new hack seems to pop up almost weekly. Most recently, eBay was hit with a major attack that left more than 145 million customers’ passwords compromised.