Apple on Tuesday aimed to calm anxiety among its iCloud users with reassurances that the service hadn’t been breached in a ransomware-style attack.
“Apple takes security very seriously and iCloud was not compromised during this incident,” reads a company statement. “Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.”
The referenced “incident” is a collection of reports on Apple forums by iPhone users, most of them in Australia, of early morning calls demanding they pay a ransom if they ever wanted to use their phones again. Ransom demands were US$50 or $100, payable through PayPal.
The extortionist, calling himself “Oleg Pliss,” apparently had gained control of a number of iPhone users’ accounts and had used Apple’s Find My iPhone service to lock down their smartphones.
Find My iPhone is an iCloud service designed to help a phone’s owner find a lost or stolen phone and, if necessary, wipe all data on it. It’s similar to the “kill switch” feature that major carriers have pledged to include in all smartphones after July 2015 and that some states are moving to require by law.
The Find My iPhone compromise is a painful example of what can happen when a kill switch falls into the wrong hands, however.
“Security is not 100 percent safety, but rather about managing risk,” explained Randy Abrams, a research director at NSS Labs.
“There is always a chance that a remote lock, locate or wipe feature can be hacked, no matter who is providing the service,” he told TechNewsWorld.
Admittedly, kill switches can be a double-edged sword, but one edge is far duller than the other.
“The instances of people getting into accounts and taking them over and using the kill switch are minuscule compared to the utility of a kill switch,” said Dave Jevans, chairman and CTO of Marble Security.
“I wouldn’t recommend that people not use kill switches because of this incident,” he told TechNewsWorld. “I would recommend that people not reuse passwords.”
Stolen passwords are one of the suspected means by which “Oleg Pliss” gained access to iPhone users’ accounts, although the exact attack vector has yet to be determined.
“In many of the headline data breach cases of late, user names and passwords were stolen, and if people use the same user name and password for iCloud that they do for Adobe or eBay, then they can be used by bad guys to get into a user’s stuff,” Chris Webber, a senior product marketing manager for Centrify, told TechNewsWorld.
Another theory is that iCloud credentials were compromised in a “man in the middle” attack in which communication between a user and iCloud was intercepted by a third party.
“There are a number of SSL vulnerabilities in iOS prior to version 7.1.1 that would allow a man-in-the-middle attack,” Dirk Sigurdson, director of engineering for Mobilisafe at Rapid7, told TechNewsWorld.
“There is a possibility that those vulnerabilities could have been exploited to get this information,” he added.
A bad app also could be at the root of the attack, although it would likely be an app without much reach beyond Australia.
“Apple has inadvertently approved applications with malicious payloads,” NSS’ Abrams noted.
“Apple almost never admits to hosting a malicious application and so it is not known if the number of incidents ranges up to dozens or even hundreds,” he added.
Imperfect Crime Vehicle
As a ransomware vehicle, Find My iPhone is imperfect at best. For example, users who have enabled the pass code feature can bypass the ransomware demand on their phone’s lockscreen, access their iCloud account, and reset Find My iPhone so it no longer thinks the phone is lost.
That should raise awareness among consumers about how to use a kill switch, said Michael Sutton, vice president of security research at Zscaler.
“It’ll draw attention to the importance of having a device properly locked down,” he told TechNewsWorld. “Here’s a situation where if you set up your phone properly, you’d be OK. If you had your pass code, you could recover your device and be in good shape.”
In addition, users without pass codes can reset their phones to their factory settings by connecting the devices to a computer running iTunes. After the reset, they can restore the phone to its pre-attack state from an iCloud backup — provided they had the foresight to activate the backup feature on the phone.