The Safe Mac



Australians getting locked out of iOS devices

Posted on May 26th, 2014 at 5:50 PM EDT


There is a rapidly growing topic on Apple’s forums right now in which Australians report that their iOS devices are being locked remotely. The affected devices display a message claiming that they have been hacked by “Oleg Pliss” and demanding that a $100 USD payment be sent to a particular PayPal account.

It’s unclear at this point exactly how this is happening, but it seems evident that the affected users are having their Apple IDs hacked. Typically, such compromises involve weak passwords falling to brute-force attacks from a botnet, or users falling for a phishing attack. That doesn’t really explain the fact that all the affected users appear to be located in Australia, however. Perhaps the most likely possibility is that an Australian e-mail provider has been hacked, giving hackers the ability to reset the password of weakly protected Apple IDs associated with those e-mail addresses. Regardless of how it’s happening, though, those Apple IDs are being compromised.

Once hackers have access to your Apple ID, they can remotely lock all your iOS devices with a message. They can also see any data stored in iCloud (calendars, contacts, e-mail, notes, etc). If you have a Mac with Back to My Mac enabled, they could potentially get remote access to that. They could also make purchases on your Apple ID. For all these reasons, it’s very important to protect your Apple ID.

Unfortunately, there are ways that a hacker can lock you out of your Apple ID permanently. Hackers can change your security questions, which is a hassle to deal with but is technically recoverable. However, they could also enable two-factor authentication, and thus permanently lock you out of your Apple ID! Once two-factor authentication is enabled, Apple cannot help you regain access to your Apple ID.

If the idea of losing your Apple ID permanently doesn’t scare you, consider two things. First, all your purchases are tied to your Apple ID. Without your Apple ID, you could lose all your purchased music, movies and apps. More importantly, on devices running iOS 7 with Find My iPhone/iPad/iWhatever turned on, a hacker in control of the Apple ID can lock the user out of that device permanently! That’s right… your expensive iPad could be turned into an expensive doorstop. Restoring the device to factory settings will not be possible without the Apple ID, and Apple cannot unlock it for you.

Affected users will need to regain access to their Apple IDs. Reset the password, and make sure to change it to something very secure. Next, I strongly suggest that you enable two-factor authentication on your Apple ID. Doing so provides additional security, and should prevent the hacker from ever being able to take control of your Apple ID entirely away from you. When you enable this feature, be sure to store the recovery key very carefully! Write it down and put it in a safe, or store it in an encrypted (and well backed-up) place, such as your keychain.

Once your Apple ID is protected, a remotely locked device can be unlocked by following these directions from Apple:

http://support.apple.com/kb/ht1212

For those who might be upset at Apple over policies that make it difficult to regain access to a locked device, consider the opposite. Hackers used to be able to get access to Apple IDs by convincing an Apple tech that they were the owner of the account. Apple’s policies began to change abruptly after Mat Honan had his digital life effectively destroyed by hackers who gained access to his Apple ID.

Although it’s still unknown exactly what’s going on, Australian users of iOS devices should take heed and secure their Apple IDs, as well as the e-mail accounts associated with their Apple IDs. This is a good opportunity for people elsewhere to review the security of their Apple IDs as well.

Updates

May 27, 2014 @ 6:20 am EST: So far, everyone who has responded to queries about what internet service provider they are using has said they are using Telstra – Bigpond. This may be purely coincidence, but my suspicion at this point is that Telstra’s domain name servers have been hacked, and users who logged in to what they thought was an Apple site were actually visiting a malicious site that stole their Apple ID username and password. This is all speculation, of course, but nothing else appears to explain why only Australian users are being affected.

May 27, 2014 @ 7:00 am EST: As soon as I advanced the theory that it’s related to Telstra, I immediately heard from affected folks saying they aren’t using Telstra. So that shoots down that theory.

May 27, 2014 @ 2:32 pm EST: A few people outside the Australia/New Zealand area have reported experiencing this problem… case in point, Jason’s comment, found below. This is still not a very widespread problem in any other countries though, so I still suspect there has to be some kind of tie to Australia. I’m running out of ideas, though, and from reading the coverage from quality sources, it seems I’m not alone. Sophos’ blog has the best coverage I’ve seen so far.

There’s a lot of very bad reporting going on, as well. Most reports I’ve seen simply regurgitate information from that Apple Support Communities discussion. In one article posted this afternoon, a reporter mentioned my theory about a DNS compromise, linking to my post in that discussion… many hours after it had been thoroughly debunked.

Bottom line, nobody really knows anything yet. We’re all guessing. Just be sure to secure your Apple ID immediately if you are affected!

May 28, 2014 @ 7:27 am EST: No new progress on determining a cause so far this morning, but Apple has now made a public statement to ZDNet. In the ZDNet report, Apple is cited as saying, “Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.”

This comes as no surprise to me, since the extremely limited locality has to mean there was no general iCloud breach. Without knowing what the cause was, and whether the attack is still active, it’s small comfort knowing that this wasn’t a generalized iCloud breach. Still, now we know for sure, and knowing anything about this incident with certainty is a good thing!



6 Comments

  • jason says:

    This is not just happening in Australia, my wife’s phone was hacked in the same manner. We live in Florida USA.

    • Thomas says:

      I have the feeling that those few people reporting this from outside the Australia/New Zealand area will be the key to finding the cause. Are you using any kind of VPN service on the phone? Do you have any connection to Australia or New Zealand that you know of? Was this phone bought from Apple within the US? Anything you can think of could be helpful!

  • Teresa says:

    This has just happened to me as I type. I received emails saying that my Apple ID and email have been changed. I don’t have any ties to Australia, nor am I using a VPN. I’m such a random target; I only use my Apple ID to buy apps for my daughter’s iPad.

    • Teresa says:

      Oh, and they also changed my credit card info. I’m on the phone with Apple right now, and they say I’m not the first to call about this today.

  • Sharonto says:

    I don’t think setting a password makes everything go off beautifully. Some hackers easily gain access to a Wi-Fi connected iPhone when it’s jailbroken if they try the default root password; 80% of jailbreakers know nothing about the root password configuration after their jailbreak!!! Some users even install spy apps like ikeymonitor to steal the unlock passcode when the device is jailbroken. We are not living in a safe world protected by a password.

    But it is at least safer than no password. In normal cases, a password is a protective and useful shield, even if it is weak to some extent.

  • Kim says:

    Not affected personally but congratulations to the author as the best at showing the potential of Apple ID hijacking plus the link to the Mat Honan story and of course Apple Support Communities. The original victims did a great job of helping each other and the rest of us by being so generous with their solutions.
    From my reading no one foresaw this downside of Find My Phone (except Mat) and how vital the 4 digit passcode would be as protection against misuse of the option.
    Playing Sherlock I just see some disgruntled personnel being ignored when pointing out this downside and curious to know what time it was in various parts of the world when the messages began.


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.