Posted on May 26th, 2014 at 5:50 PM EDT
There is a rapidly growing topic on Apple’s forums right now in which Australian users report having their iOS devices locked remotely. The affected devices are displaying a message claiming that they have been hacked by “Oleg Pliss” and demanding that a $100 USD payment be sent to a particular PayPal account.
It’s unclear at this point exactly how this is happening, but it seems evident that the affected users are having their Apple IDs hacked. Typically, such compromises involve a weak password falling to a brute-force attack by a botnet, or the user falling for a phishing attack. That doesn’t really explain the fact that all the affected users appear to be located in Australia, however. Perhaps the most likely possibility is that an Australian e-mail provider has been hacked, giving hackers the ability to reset the password of weakly-protected Apple IDs associated with those e-mail addresses. Regardless of how it’s happening, though, those Apple IDs are being compromised.
Once hackers have access to your Apple ID, they can remotely lock all your iOS devices with a message. They can also see any data stored in iCloud (calendars, contacts, e-mail, notes, etc.). If you have a Mac with Back to My Mac enabled, they could potentially get remote access to that. They could also make purchases on your Apple ID. For all these reasons, it’s very important to protect your Apple ID.
Unfortunately, there are ways that a hacker can lock you out of your Apple ID permanently. Hackers can change your security questions, which is a hassle to deal with but is technically recoverable. However, they could also enable two-factor authentication, and thus permanently lock you out of your Apple ID! Once two-factor authentication is enabled, Apple cannot help you regain access to your Apple ID.
If the idea of losing your Apple ID permanently doesn’t scare you, consider two things. First, all your purchases are tied to your Apple ID. Without your Apple ID, you could lose all your purchased music, movies and apps. More importantly, on devices running iOS 7 with Find My iPhone/iPad/iWhatever turned on, a hacker in control of the Apple ID can lock the user out of that device permanently! That’s right… your expensive iPad could be turned into an expensive doorstop. Restoring the device to factory settings will not be possible without the Apple ID, and Apple cannot unlock it for you.
Affected users will need to regain access to their Apple IDs. Reset the password, and make sure to change it to something very secure. Next, I strongly suggest that you enable two-factor authentication on your Apple ID. Doing so provides additional security, and should prevent the hacker from ever being able to take control of your Apple ID entirely away from you. When you enable this feature, be sure to store the recovery key very carefully! Write it down and put it in a safe, or store it in an encrypted (and well backed-up) place, such as your keychain.
Once your Apple ID is protected, a remotely locked device can be unlocked by following these directions from Apple:
For those who might be upset at Apple over policies that make it difficult to regain access to a locked device, consider the opposite. Hackers used to be able to get access to Apple IDs by convincing an Apple tech that they were the owner of the account. Apple’s policies began to change abruptly after Mat Honan had his digital life effectively destroyed by hackers who gained access to his Apple ID.
Although it’s still unknown exactly what’s going on, Australian users of iOS devices should take heed and secure their Apple IDs, as well as the e-mail accounts associated with their Apple IDs. This is a good opportunity for people elsewhere to review the security of their Apple IDs as well.
May 27, 2014 @ 6:20 am EST: So far, everyone who has responded to queries about what internet service provider they are using has said they are using Telstra – Bigpond. This may be purely coincidence, but my suspicion at this point is that Telstra’s domain name servers have been hacked, and users who logged in to what they thought was an Apple site were actually visiting a malicious site that stole their Apple ID username and password. This is all speculation, of course, but nothing else appears to explain why only Australian users are being affected.
May 27, 2014 @ 7:00 am EST: As soon as I advanced the theory that it’s related to Telstra, I immediately heard from affected folks saying they aren’t using Telstra. So that shoots that theory.
May 27, 2014 @ 2:32 pm EST: A few people outside the Australia/New Zealand area have reported experiencing this problem… case in point, Jason’s comment, found below. This is still not a very widespread problem in any other countries though, so I still suspect there has to be some kind of tie to Australia. I’m running out of ideas, though, and from reading the coverage from quality sources, it seems I’m not alone. Sophos’ blog has the best coverage I’ve seen so far.
There’s a lot of very bad reporting going on, as well. Most reports I’ve seen simply regurgitate information from that Apple Support Communities discussion. In one article posted this afternoon, a reporter mentioned my theory about a DNS compromise, linking to my post in that discussion… many hours after it had been thoroughly debunked.
Bottom line, nobody really knows anything yet. We’re all guessing. Just be sure to secure your Apple ID immediately if you are affected!
May 28, 2014 @ 7:27 am EST: No new progress on determining a cause so far this morning, but Apple has now made a public statement to ZDNet. In the ZDNet report, Apple is cited as saying, “Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.”
This comes as no surprise to me, since the extremely limited locality has to mean there was no general iCloud breach. Without knowing what the cause was, and whether the attack is still active, it’s small comfort knowing that this wasn’t a generalized iCloud breach. Still, now we know for sure, and knowing anything about this incident with certainty is a good thing!