Apple ID Compromise and Device Lockout

Tue, May 27, 2014

- ∞ -

http://www.thesafemac.com/australians-getting-locked-out-of-ios-devices/

I’m seeing quite a few stories this morning (really, it started yesterday afternoon) about iOS users in Australia getting their devices locked out with a $100 ransom message.

It’s unclear at this point exactly how this is happening, but it seems evident that the affected users are having their Apple IDs hacked. Typically, such hacks involve things like weak passwords falling to brute force attacks by a botnet or falling for a phishing attack. That doesn’t really explain the fact that all the affected users appear to be located in Australia, however. Perhaps the most likely possibility is that an Australian e-mail provider has been hacked, giving hackers the ability to reset the password of weakly-protected Apple IDs associated with those e-mail addresses. Regardless of how it’s happening, though, those Apple IDs are being compromised.

So far this morning I haven’t seen anything definitive, but an Apple ID password reset email hack seems a reasonable presumption. Adding 2-factor authentication for all your Apple IDs has been a recommendation for a while now, and this story kind of makes that even clearer.

Another interesting point: If your device is already locked with a passcode, the remote attacker can’t change it – so they can’t lock you out and demand ransom. Of course, they could simply wipe it instead, out of spite.

And after hacking your Apple ID they can (possibly) buy things at the store using your credentials, and certainly delete information from your account (contacts, calendars, files) or just generally make your life miserable.

Bottom line: It remains important to select strong passwords (so they can’t be guessed) that aren’t reused (so one compromise won’t break your other accounts) and using 2-factor authentication (so they can’t just hack your email acocunt and send a password reset). And when setting up 2-factor authentication, if you’re given a “master reset password” of any form, be sure you retain that somewhere safe. It’s even a good idea print it out and store it in a couple places at home (like with your passports and other important legal documents) (just don’t keep it in your wallet).