The Sydney Morning Herald reports that several Australian Mac, iPhone, and iPad users are finding that their devices have been locked remotely through Apple’s Find My iPhone service by someone using the name “Oleg Pliss.” The hacker (or hackers) then demand payments of around $50 to $100 to an anonymous PayPal account in order to restore the devices to their owners.
An active thread on Apple’s support forum was started yesterday as users started to discover that they had been targeted by the attack. According to that discussion, users are finding all of their devices locked at once rather than a single device per user. Based on that report and the fact that Find My iPhone is being used to hold the devices hostage, it seems likely that the perpetrator has gained access to these users’ iCloud accounts—possibly through password reuse by those users—rather than some device-specific malware or hack.
Because the hackers used Find My iPhone to lock out the victims, users who had already set a passcode on their devices were able to regain access. This is because Find My iPhone can only be used to add a passcode to devices that don’t already have one set. If you’ve created a passcode on your device, you (or malicious users with access to your account) cannot change it from Find My iPhone. It can only be changed or removed directly from the device.
Unfortunately, users affected by this attack will need to get in touch with Apple to work around the issue. It’s also highly advisable to reset your Apple ID password and security questions once you’ve regained access to the affected iCloud account.
For those who haven’t been affected, here are a few steps you can take to ensure you aren’t hit by a similar attack:
Use unique passwords. Using the same password on multiple services (iCloud, Gmail, Facebook, etc.) puts all of your accounts at risk. An attacker who obtains your password for one service can then try it on the others; if you use the same password on some of them, they’ll have access to everything. One great way to ensure you’re using a unique password on each website is to use an app like 1Password to manage them.
Use two-factor authentication. Two-factor authentication boosts your online security by requiring you to enter a time-sensitive code after logging in and before accessing your account. Not all web services offer this extra layer of security, but many do, including Gmail, Facebook, Twitter, and yes, even your Apple ID. You can use an app like Google Authenticator or Authy to manage these codes, or get them via SMS.
Use a passcode or Touch ID on your iOS devices. If you’re not already using Touch ID or a passcode to secure your iOS devices, it’s a good idea to add one. That will prevent malicious users from remotely adding one to lock you out. As noted above, unprotected devices can be remotely locked, while devices secured with a passcode or Touch ID cannot.