Apple devices mugged - Hacked into, locked, then held at ransom

Misanthrope

Well this was bound to happen, I'm honestly kinda surprised this didn't happen with Android devices first so this might be the first time where fragmentation is actually a good thing, regardless apparently somebody used a feature to basically lock the phones and ask for ransom money:

 

AUSTRALIAN HACKERS apparently have hijacked Apple's Find My iPhone feature, enabling them to hold iOS and Mac device owners to ransom.


iPhone, iPad and Mac users have taken to Apple's support forum to complain about the hacking, in which hackers use the Find My iPhone feature to remotely lock users' devices and send messages demanding money.

One user wrote, "I went to check my phone and there was a message on the screen (it's still there) saying that my device(s) had been hacked by 'Oleg Pliss' and he/she/they demanded $100 USD/EUR (sent by paypal to lock404(at)hotmail.com) to return them to me."

 

http://www.theinquirer.net/inquirer/news/2346670/hackers-hijack-find-my-iphone-to-hold-ios-and-mac-users-to-ransom

 

http://www.cnet.com/news/australian-apple-devices-hacked-and-held-to-ransom/

-------

Current Rig

-------


wow....

all i have is cerberus on my nexus 5

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


Call me crazy but restoring the phone might help.... 

i5 4670K | ASUS Z87 Gryphon | EVGA GTX 780 Classified | Kingston HyperX black 16GB |  Kingston HyperX 3K 120GB SSD | Seagate Barracude 3TB - RAID 1 | Silverstone Strider Plus 750W 80Plus Silver | CoolerMaster Hyper 212X | Fractal Design Define Mini 
 


As much as people will blame Apple for this, although Apple should have better security for such an important app, but you really can't blame them because a team of hackers decided to find a flaw in the app, because I'm sure they could do this to other companies' apps too, however I guess those apps don't allow such access like the Find My iPhone.


wow....

My thoughts exactly

My Sig Rig: "X79 (3970X) -Midas"http://pcpartpicker.com/p/wsjGt6"  "Midas" Build Log - https://linustechtips.com/main/topic/59768-build-log-in-progress-code-name-midas/


"The Riddler" Custom Watercooled H440 Build Log ( in collaboration with my wife @ _TechPuppet_ ) - http://linustechtips.com/main/topic/149652-green-h440-special-edition-the-riddler-almost-there/


*Riptide Customs* " We sleeve PSU cables "


Call me crazy but restoring the phone might help.... 

 

You'd think, but only to a point:

 

Some users have managed to unlock their devices following attacks, although one user noted that after successfully restoring their iPhone they were promptly hacked for a second time.

-------

Current Rig

-------


What's really been compromised is the Apple ID account. Because people use the same password in too many places.

Having that lost means you're in trouble because you cannot reset devices or get back control.

It's all about having good security and activating two-step verification: http://support.apple.com/kb/ht5570


As much as people will blame Apple for this, although Apple should have better security for such an important app, but you really can't blame them because a team of hackers decided to find a flaw in the app, because I'm sure they could do this to other companies' apps too, however I guess those apps don't allow such access like the Find My iPhone.

It's still undetermined how exactly they got access to all the IDs, it might not be an exploit on the app but a still unfound/undisclosed breach on Apple's databases.

-------

Current Rig

-------


I'm surprised this didn't happen to Android first. Hopefully they'll fix the exploit. 

PC Specs

Intel i5 4670k 4.2ghz @1.20v | Cooler Master 212 Plus | Asus z87-A | Fractal Design Define R4 |Hitachi 1TB 7200rpm HDD | 2x Samsung 840 EVO | Seasonic 520w m12II | Crucial Ballistix Sport 8gb DDR3 1600mhz | PowerColor 7870 GHz edition | Razer Blackwidow Ultimate 2013 | NZXT Hue RGB Controller

I'm surprised this didn't happen to Android first. Hopefully they'll fix the exploit. 

 

Yep, I'm suddenly reconsidering being so ingrained into Google's ecosystem, lots of my stuff depends on those logins and even with my bulletproof password (2 trillion years to crack on a desktop) I'm still not immune to exploits or central vulnerabilities (i.e. I really would need a new identity if I was to continue with my political activities since the NSA surely has my accounts being watched for my involvement in certain protests while in Canada)

-------

Current Rig

-------


Yep, I'm suddenly reconsidering being so ingrained into Google's ecosystem, lots of my stuff depends on those logins and even with my bulletproof password (2 trillion years to crack on a desktop)

Those online tests are bullshit and if you really typed in your own password into a random site then trust me, it might take 5 seconds to crack.

It is really bad to have a lot of important stuff connected to each other though.


Those online tests are bullshit and if you really typed in your own password into a random site then trust me, it might take 5 seconds to crack.

It is really bad to have a lot of important stuff connected to each other though.

 

What I did is that I memorized 2 or 3 different serial numbers from old routers I had and threw in another randomly generated alphanumeric number I was given like 20 years ago by an old university ISP and usually combine those as phrases.

-------

Current Rig

-------


What I did is that I memorized 2 or 3 different serial numbers from old routers I had and threw in another randomly generated alphanumeric number I was given like 20 years ago by an old university ISP and usually combine those as phrases.

And then you might have sent that in clear text to some random person on the Internet hosting a crappy "how strong is your password" site.

Doesn't matter how strong your password is if you don't manage it properly.


And then you might have sent that in clear text to some random person on the Internet hosting a crappy "how strong is your password" site.

Doesn't matter how strong your password is if you don't manage it properly.

 

true dat.

-------

Current Rig

-------


meanwhile on Windows phone, nobody cares to hack it because there is no userbase.

Build: Sister's new build |CPU i5 2500k|MOBO MSI h61m-p23 b3|PSU Rosewill 850w  |RAM 4GB 1333|GPU Radeon HD 6950 2GB OCedition|HDD 500GB 7200|HDD 500GB 7200|CASE Rosewill R5|Status online


Build: Digital Vengeance|CPU i7 4790k 4.8GHz 1.33V|MOBO MSI z97-Gaming 7|PSU Seasonic Xseries 850w|RAM 16GB G.skill sniper 2133|GPU Dual R9 290s|SSD 256GB Neutron|SSD 240GB|HDD 2TB 7200|CASE Fractal Design Define R5|Status online


meanwhile on Windows phone, nobody cares to hack it because there is no userbase.

Funny how the tables have turned.


It will be interesting to see where this problem is stemming from. It could be Apple's fault, but it could very well be a large phishing attempt that has caused this. So until the details of this hack are out, I will not blame Apple....but I will say this. The following is what might have happened and who I would lay blame to.

App flaw, that allows bypassing/resetting the lockout password....in this case Apple would be to blame, and it is irresponsible for them to have written an app that has a vulnerability in the password area (Yes, it is impossible to write any complex software without any flaws, but when passwords are concerned, there should be no bypass for that initial check).

Apple was hacked, this would inherently be Apple's fault, and would be very troubling as it would mean the passwords were stored in an unsafe manner.

Carriers had an open door. Similar to the carrier problem in the US, where you just had to guess a URL and you could get information about the customers. This would not be Apple's fault, but rather just the carriers to blame.

Compromised App. Malware on the phone that stole the password when you typed it in. This would actually be Apple's fault, and depending on the App the customer's fault. Apple's fault, because they keep the strictest requirements to enter into the App market, and so there is the inherent trust that the Apps will be safe, although if it looked like a sketchy app then it is the customer's fault as well :P

Malware on a computer. This is the customer's fault, no blame on Apple (Well unless it was a Mac and it used a bug that Apple knew about for months, but I doubt that)

 

To be honest, I think it's either malware (app or PC) or a flaw in the app itself.  I can't really think of another way a hacker could rehack the same phone again.  (Well there is another way, but I don't want to think it is possible...it would mean the hackers would still have access to Apple's or the Carriers database)

 

 

 

Oh well, this at least will show people not to put faith in their phones.

0b10111010 10101101 11110000 00001101


wow....

all i have is cerberus on my nexus 5

U can have a rat installed on your phone? Dafuq. Why would u even have that on your phone anyway?


U can have a rat installed on your phone? Dafuq. Why would u even have that on your phone anyway?

a rat ???

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


cerberus is a remote access tool.

cerberus is a mythical 3 headed dog

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


Apparently people with passcodes on phones were able to get around the 'lock' the hackers put on it. Weird shit


cerberus is a mythical 3 headed dog

lmao clearly we were talking about 2 different things haha.


Nothing Apple wise was hacked. People had their login credentials stolen from somewhere else or brute forced then they tried the credentials through Apple. The phones or Macs were not hacked into.

People tend to have poor credential security using the same PW on many sites or systems. Once one place actually is hacked their entire online existence is compromised. That can mean someone trying the stolen credentials on iCloud and remote locking devices.
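
The pattern raised in this thread (reused credentials stolen elsewhere being tried against the account service, then used to remote-lock devices) leaves a trail the service side can look for in its authentication logs. The following is an added example, not part of any post here; the log format, the `KNOWN_IPS` baseline, the thresholds and the sample events are all constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical format:
#   time  account  source_ip  action  result
SAMPLE_LOG = """\
2024-01-15T01:00:02 alice@example.com 198.51.100.7 login fail
2024-01-15T01:00:03 bob@example.com 198.51.100.7 login fail
2024-01-15T01:00:05 carol@example.com 198.51.100.7 login ok
2024-01-15T01:00:06 dave@example.com 198.51.100.7 login fail
2024-01-15T01:02:40 carol@example.com 198.51.100.7 remote_lock ok
2024-01-15T08:15:00 erin@example.com 203.0.113.20 login ok
2024-01-15T08:16:10 erin@example.com 203.0.113.20 remote_lock ok
"""

# Assumed baseline: addresses each account has signed in from before.
KNOWN_IPS = {"carol@example.com": {"192.0.2.44"},
             "erin@example.com": {"203.0.113.20"}}

def parse(log):
    """Turn log text into (time, account, ip, action, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, account, ip, action, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, action, result))
    return events

def stuffing_sources(events, min_accounts=3):
    """Source IPs that attempted logins against many distinct accounts."""
    targets = defaultdict(set)
    for _, account, ip, action, _ in events:
        if action == "login":
            targets[ip].add(account)
    return {ip for ip, accts in targets.items() if len(accts) >= min_accounts}

def suspicious_locks(events, known_ips, window=timedelta(minutes=10)):
    """Accounts remote-locked shortly after a login from an unfamiliar IP."""
    new_ip_login = {}  # (account, ip) -> time of successful login
    alerts = []
    for ts, account, ip, action, result in events:
        if result != "ok":
            continue
        if action == "login" and ip not in known_ips.get(account, set()):
            new_ip_login[(account, ip)] = ts
        elif action == "remote_lock":
            seen = new_ip_login.get((account, ip))
            if seen is not None and ts - seen <= window:
                alerts.append(account)
    return alerts
```

On the sample data, the first check flags the address that cycled through four accounts, and the second flags only the account locked from an address it had never used, while the owner locking a device from a familiar address is left alone.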
