NEWS FROM THE LAB - Tuesday, May 27, 2014

ProTip: Use Apple? Turn Passcode On! Posted by Sean @ 16:32 GMT

Interesting Apple security news is being reported today. Apparently some Apple devices have been hijacked via Apple's "Find My iPhone" feature. How? Likely via poorly defended iCloud accounts, i.e., iCloud accounts with weak passwords.

Once you have access to iCloud, you have access to the Find My iPhone's "Lost Mode", which can be used to lock associated devices and send messages such as "Reward if found! Call this number."

iCloud, Lost Mode

Or then it could be an extortion attempt.

Here's an example from a German colleague's iPhone:

Find My iPhone

According to the sources linked above, "Oleg Pliss" is demanding money to a PayPal account. If the iPhone user has a passcode, they can unlock their device. If they don't have a passcode set… then they have a problem.

It's also worth mentioning the Find My iPhone feature includes a "Delete" option. Besides extortion, your iPhone can also be burned. And remember too that iCloud provides access to contacts and calendars.

So… besides enabling a passcode, you should also be using a strong and unique password for your Apple/iCloud/iTunes account. Sure, it will be annoying to input when you want to buy an app — but that's the price you'll need to pay.

Or else, disable iCloud functionality.

"Identify the critical accounts to protect, and then make sure the passwords for those accounts are unique and strong."

To do list:

1) Turn Passcode On! (It doesn't have to be required immediately.)
2) Reset your Apple/iCloud/iTunes password.

Optional (but highly recommend):

3) Get yourself a password manager.