New Way to Hack iCloud Account

Monday, March 21, 2016 @ 02:03 PM gHale


While Apple may provide a secure product, nothing, absolutely nothing, is totally bulletproof.

A case in point: there is a way to turn Apple’s security features against users by hijacking Apple iCloud accounts and locking users out of their devices.

This vulnerability came to light when an Apple user named Ericka reported the attack scenario to security vendor Malwarebytes, complaining about being locked out of her Mac and iPhone.

“The message read: ‘Contact me: hblackhat(at)mail.ru All your conversation sms+mail, bank, computer files, contacts, photos. I will public + send to your contacts,’ ” said Malwarebytes’ Thomas Reed in a blog post.

“She also received an e-mail message, in similarly broken English, from her own iCloud address. The message said he had access to all her bank accounts, personal information, etc, and would publish it if she didn’t respond within 24 hours.

“This is a pretty serious threat, and quite different from the typical Windows malware. Unfortunately, the story doesn’t end there. Apple designed Find My Mac/iPhone as an anti-theft feature. It is intended to allow you to take a number of actions on a lost or stolen device, including displaying a message, locking it, locating it physically and even remotely erasing it.

“Apple is focused on trying to ensure the security of your devices, and that’s a good thing. You don’t want a thief to be able to bypass this security and gain access to your data.”

The hacker used the Find My Mac feature to lock the device and then show the message as a screensaver. The same message was also displayed through the Find My iPhone feature, but Ericka’s iPhone wasn’t locked, and she was able to regain access to her device’s data.

With her iCloud account hijacked, and without a receipt for her Mac, which she purchased a while ago, Ericka was not able to prove to Apple’s staff she was the device’s real owner.

Apple refused to intervene: it neither unlocked the device nor reset her iCloud account. The hacker had effectively locked all her data and iCloud backups.

There are some lessons to be learned from these events, Reed said.

First and foremost, make sure your iCloud account has a very secure password. Longer is better.

“As long as your password is long, and is not a quote from a book, movie, song or other media, and it’s not a common expression, and it’s not something that could be guessed with a little cyberstalking, it does not need to be horribly complex,” he said.

“A password like ‘horse airplane rutabaga flashlight’ is far more secure than a complex but shorter password like “h@c|

Second, do not use the same password on any other site.

Also, be sure to turn on two-factor authentication on your iCloud account. This ensures that access to your iCloud account is restricted to someone in possession of one of your designated “trusted” devices.