Apple's lack of 2SV for Find My Phone nearly costs student his digital life

Attackers easily gain access to student’s ID, attempt to wipe devices.

Apple's lack of 2SV for Find My Phone nearly costs student his digital life

Criminals recently exploited Apple's lack of two-step verification (2SV) for the "Find My Phone" feature, a move which nearly cost a student his digital life.

Kapil Haresh Vigneswaren, a computer science graduate student at the University of Waterloo, explains in a blog post that the trouble started on 24 July while he was doing some he was building a particularly geeky incidence matrix on a whiteboard:

"Everything seemed fine, until a rather odd sound started playing on my iPhone. I was pretty sure it was on silent, but I was quite surprised to see that it said 'Find My iPhone Alert' on the lock screen. That was odd.

[A minute later,] my iPhone’s lock screen changes. The screen dims, with the following message, 'Hey why did you lock my iPhone haha. Call me at (123) 456–7890.'

Kapil quickly sprang into action to take both his iPhone and his Mac offline before the attacker, who had enabled Lost Mode on the student's Apple ID, successfully wiped both devices clean.

Fortunately, he was able to take his devices offline just in time. When he logged back into iCloud, he saw a pending erase request for his Mac:

Erase pending

Some additional poking around led Kapil to identify how the attack had occurred.

First, he noticed Apple does not spot when a login comes from an unexpected part of the world. While he normally logs into his account from a Mac based in Canada, he saw the attacker had logged in from an IP based in Ireland on a Windows machine.

This should have raised a red flag for Apple, the student believes:

"Ideally, at this point, it would have been reasonable to check if this was a legitimate login — for example, using one of the secondary accounts nominated in the Apple ID."

Second, while Apple does allow for the use of 2SV on iCloud, it does not do the same for Find My Phone. If there had been another login step, such as a secret security question, the student believes the attacker would not have been able to have almost wiped his devices.

A demonstration of that vulnerability is presented in a YouTube video below:

Kapil is still happy with Apple's security features. But he does feel Apply should look into those shortcomings sooner rather later.

He also has a message for the hacker who almost ruined his digital life:

"To the hackers — please get English classes. That was quite a pathetic Lost Mode message. Not as bad as the Oleg Pliss attack message in 2014, though interestingly, that attack could have been prevented as well if there was a second factor of authentication for Lost Mode, as the 2FA that everyone suggested to turn on doesn’t protect Find My iPhone as seen here."

Users should protect their Apple IDs as well as all of their web accounts with a strong password and with 2SV, if and when available.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

4 Responses

  1. Douglas Revell

    August 4, 2016 at 10:46 am #

    This story emphasizes the importance of 2SV. Good.
    BUT all the 2SV I've seen uses a mobile. If, like me (and many others who live in rural areas) you can't get a mobile signal in your home, that just isn't practical. If I wanted to use 2SV it would mean every time I logged in I would need to go across the road and spend some time finding the little patch of signal to get my code. How real is that?
    Is there no alternative?

    • Simon in reply to Douglas Revell.

      August 4, 2016 at 12:25 pm #

      Two Factor Authentication (2FA) is better, if supported/implemented.

      2SV 'in my opinion' can be intercepted, ie: email, SMS, voice call, etc… They're better than nothing, but a keen hacker can thwart these; email accounts can be hacked, mobile no's ported with little verification from the telco's, voice call's diverted, etc…

      True 2FA is something on you that doesn't traverse over any medium/they work offline, but are tethered to your account, ie; Google Authenticator, Yubi keys, RSA/Vasco tokens/apps, etc…
      Once released to the wild, these 'tokens' cannot be duplicated and requires a hacker to have limited physical access to utilise.

      In any case, if someone wants in, they'll attempt every exploit, tactic, trick to gets their pound of flesh. 2FA just makes it way more difficult for them.

    • David L in reply to Douglas Revell.

      August 4, 2016 at 2:37 pm #

      There are authentication apps that generate codes in place of sms, and most accounts will have can option for ten alternate code, pre-generated from the account page when you initiated 2sv. Those codes you keep in your wallet or purse. You can get those codes at any time too.

  2. SteveP

    August 4, 2016 at 12:15 pm #

    Apple's 2SV is so confusing I turned it off. For example, when updating an OS across multiple devices, the first login on an OS-X machine will bring up multiple, repetitive logins for the App Store, iTunes, iCloud, etc. These are impossible to postpone. Add in 2SV and you get caught in loops of what step you are on. Apple also has a penchant for using "ordinary" words in a flexible manner, so a password could be a PIN or a username for all I know. Then add in the use of app names likes "Photos" and "Mail" and it becomes a very confusing space in which to manage passwords.

Leave a Reply