The many announcements at Apple’s 2014 Worldwide Developers Conference (WWDC) this week were welcome news to the throngs of Apple developers and enthusiasts. They were also welcome news for another group of people with less than clean motives: cybercriminals.
Last week we got a concrete example of how some cybercriminals are now actively targeting Apple ID accounts. A thread in the Apple support forums was filled with users complaining that their devices had been locked, with a message from a certain “Oleg Pliss” demanding $100 to unlock the device. (The real Oleg Pliss is a developer for Oracle; his name appears to have been appropriated by the attackers.) Australian users appear to be the ones most affected by this attack.
How was this attack carried out? It appears that the Find My iPhone feature was abused. An attacker holding the victim’s Apple ID credentials would be able to log into the Apple site that provides this service, send the ransom message to the user, and remotely lock the device.
It’s unclear where the Apple ID credentials came from, but there are multiple possibilities. For example, we know that since last year phishing sites have tried to harvest Apple ID credentials. Reused passwords or social engineering may also have been used in this attack.
How could users recover from this attack? One way would be to restore a backup from iTunes. Unfortunately, many – perhaps even most – iPhone users are not particularly fastidious about backing up. One could try restoring from iCloud as well, but that would involve logging in with the user’s Apple ID account – which has been compromised by this very attack. As in any case where a user’s account has been compromised, recovery can be very difficult.
We will likely see more attacks trying to steal Apple ID credentials moving forward. For example, we could see routers with malicious DNS settings being used in man-in-the-middle attacks to steal credentials. Phishing attacks may increase as well. The value of a stolen Apple ID can only go up as users place more and more information in it. For example, the introduction of HealthKit and HomeKit in iOS 8 may mean that even more intimate and personal information is tied, directly or not, to the Apple ID.
It’s a good reminder that despite Apple’s willingness to use mobile malware and vulnerabilities as a club against competitors, not all mobile threats can be so easily addressed and dismissed.
Figure 1. Apple criticizing Android fragmentation
So, what can users do? Our advice is similar to that for any other credential that needs to be protected:
- Don’t reuse your password.
- Use a secure password/passphrase.
- Enable security features like two-factor authentication, if possible.
To be fair, some of these steps are harder to perform on a mobile device than on a desktop or laptop. Entering a long password may be hard without a password manager (like DirectPass), for example. Despite this increased difficulty, it has to be done: it is now clear that mobile device credentials – like the Apple ID – are a valuable target for cybercriminals.