Apple’s 2-Factor Authentication Crumbles – Criminals Remotely Lock Macs & Demand Bitcoins
Earlier this week, we shared a report that essentially proved all of us need to dump SMS-based two factor authentication. While that report focused on sophisticated hackers getting access to flawed SS7, it at least gave us the consolation that not every random Joe was going to attack us. What happens when you don't have any kind of authentication? Well, Apple users are finding that out the hard way.
Several Apple users over the past two days have tweeted being locked out of their machines after cybercriminals took over their iCloud accounts. The problem is that these users actually had 2FA enabled. They just never received a code...
Cybercriminals render Apple's two factor authentication completely useless
Apple apparently allows you to get "partial" access to iCloud even without a texted code. When you enter the email and password on iCloud.com and then click on the Find My iPhone instead of entering the code, you can see the complete list of your devices.
As seen in the above screenshot, you won't get access to your data, but, you will see the list of your devices and the ability to erase or lock them.
This appears to be a design flaw that Apple probably included to enable its users to lock their devices when they are lost or stolen, even when they can't get in iCloud because they might not be able to receive the authentication code.
So, why exactly are we talking about this
Hackers have apparently come up with a way to manipulate this issue. Over the last 30 hours or so, several Mac users have reported being locked out of their machines. Cybercriminals appear to have signed into their iCloud accounts probably using an email-password combination dumped in some of the mega data breaches of 2016. Without two-factor authentication and using the Find My iPhone, hackers were able to lock users out even if they couldn't get access to their data.
But data is not something they are after in this case. They want money - cryptocurrency, to be exact.
— Jovan (@bunandsomesauce) September 16, 2017
They aren't demanding a lot of money, similar to ransomware campaigns seen earlier this year. With amount as small as $20 or $50, users are more inclined to pay the ransom. And as some victims of this iCloud ransomware campaign have reported, they can't even get a Genius Bar appointment on time, so many might just pay the hackers instead.
So now my only option is to drag my iMac and MacBook to a Genius Bar, but they don't have appointments until next week. This rules.
— Jason Caffoe (@jcaffoe) September 20, 2017
So far, no one seems to have paid the criminals, though, which either shows that the target list is still very small or that the users have more trust on Apple responding to them soon.
NOT an Apple hack, but definitely an issue the company will need to address ASAP
The attacks don't seem to be widespread at the moment, however, it's unclear why the iPhone maker hasn't responded to users who have tweeted to the company at least two days ago. While not an Apple hack, the data being used to lock iCloud users out of their accounts could have easily been mined from a data dump after sites like LinkedIn, Tumblr, Yahoo, and several others that were breached earlier but exposed last year.
To stay safe from this iCloud ransomware campaign:
- Change your Apple ID password and never reuse passwords.
- Enable two-factor authentication, for whatever it's worth in this case.
- Most importantly, disable the Find My iPhone feature.
It seems to be the only kill switch right now. If you are a victim of this iCloud ransomware campaign, reach out to Apple or visit a nearby Store to have this lock removed and get access to your device back.