Criminals recently exploited Apple's lack of two-step verification (2SV) for the "Find My Phone" feature, a move which nearly cost a student his digital life.
Kapil Haresh Vigneswaren, a computer science graduate student at the University of Waterloo, explains in a blog post that the trouble started on 24 July while he was doing some he was building a particularly geeky incidence matrix on a whiteboard:
"Everything seemed fine, until a rather odd sound started playing on my iPhone. I was pretty sure it was on silent, but I was quite surprised to see that it said 'Find My iPhone Alert' on the lock screen. That was odd.[A minute later,] my iPhone’s lock screen changes. The screen dims, with the following message, 'Hey why did you lock my iPhone haha. Call me at (123) 456–7890.'
Kapil quickly sprang into action to take both his iPhone and his Mac offline before the attacker, who had enabled Lost Mode on the student's Apple ID, successfully wiped both devices clean.
Fortunately, he was able to take his devices offline just in time. When he logged back into iCloud, he saw a pending erase request for his Mac:
Some additional poking around led Kapil to identify how the attack had occurred.
First, he noticed Apple does not spot when a login comes from an unexpected part of the world. While he normally logs into his account from a Mac based in Canada, he saw the attacker had logged in from an IP based in Ireland on a Windows machine.
This should have raised a red flag for Apple, the student believes:
"Ideally, at this point, it would have been reasonable to check if this was a legitimate login — for example, using one of the secondary accounts nominated in the Apple ID."
Second, while Apple does allow for the use of 2SV on iCloud, it does not do the same for Find My Phone. If there had been another login step, such as a secret security question, the student believes the attacker would not have been able to have almost wiped his devices.
A demonstration of that vulnerability is presented in a YouTube video below:
Kapil is still happy with Apple's security features. But he does feel Apply should look into those shortcomings sooner rather later.
He also has a message for the hacker who almost ruined his digital life:
"To the hackers — please get English classes. That was quite a pathetic Lost Mode message. Not as bad as the Oleg Pliss attack message in 2014, though interestingly, that attack could have been prevented as well if there was a second factor of authentication for Lost Mode, as the 2FA that everyone suggested to turn on doesn’t protect Find My iPhone as seen here."
Users should protect their Apple IDs as well as all of their web accounts with a strong password and with 2SV, if and when available.
Read more about two-step verification:
- Two-factor authentication (2FA) versus two-step verification (2SV)
- How to better protect your Facebook account from hackers
- How to better protect your Twitter account from hackers
- How to enable two-step verification (2SV) on your WhatsApp Account
- How to protect your Amazon account with two-step verification (2SV)
- How to better protect your Google account with two-step Verification (2SV)
- How to protect your Dropbox account with two-step verification (2SV)
- How to better protect your Tumblr account from hackers with 2SV
- How to protect your LinkedIn account from hackers with two-step verification (2SV)
- How to protect your PayPal account with two-step verification (2SV)
- How to protect your Yahoo account with two-step verification (2SV)
- How to protect your Apple ID account against hackers
- How to better protect your Google account with two-step verification and Google Authenticator
- How to protect your Hootsuite account from hackers
- How to better protect your Instagram account with two-step verification (2SV)