Smartphones are the digital journals of the lives of millions of users. Inside these pocket computers, most of us house our family photos, text conversations, notes, calendars, and other priceless data we can't afford to lose.
Imagine having all of these digital memories wiped out and erased by a stranger from afar. A single click is all it takes.
This is the nightmare scenario that all iPhone, iPad and Mac users are still facing every day. Due to one glaring oversight in Apple's two-factor authentication (2FA) system, hackers can still break into your Apple account and erase your devices.
Apple introduced 2FA in 2015 to add another level of protection to Apple and iCloud accounts. This verification method requires users to input a one-time code sent to their iPhones, together with the password, when logging into an iCloud account for the first time.
This means that if someone successfully cracks your iCloud password, they still can't log into your account without the code.
The big problem is that this 2FA protection doesn't apply to Apple's Find My iPhone service. This allows hackers to remotely lock and wipe an iPhone, iPad or a Mac by merely cracking a user's iCloud account password.
This is exactly what happened to a University of Waterloo cryptography and security student named Kapil Haresh one fine Sunday afternoon on July 26. According to his blog entry, he was doing a cryptography assignment for school, of all things, when his iPhone's lock screen mysteriously dimmed and displayed this mocking message:
“Hey why did you lock my iPhone haha. Call me at (123) 456–7890.”
He quickly recognized what was taking place. Someone had hacked his Apple ID and was attempting to remotely wipe all his Apple devices via the Find My iPhone service. Fortunately, he took swift action and immediately took all his other Apple devices offline before the attacker could issue more remote wipe requests.
After logging back into his iCloud account, he saw pending erase requests for both his iPhone and Mac, which he promptly cancelled. Had he not figured out what was happening as quickly as he did, all the data on both devices could have been wiped out.
Some might say that 2FA on a lost iPhone is useless, since the code will be sent to the lost phone itself, but Haresh offers two possible solutions that, aside from the code, may prevent attacks like this.
One is pattern recognition. By comparing the location of the remote wipe request with the known locations from which an iCloud account usually logs on, Apple could send a confirmation email before a remote wipe is approved.
His second suggestion is to build security question authentication into the Find My iPhone service, providing another layer of protection before a remote wipe can be requested.
These are all valid options that Apple should look into, but for now, if you have an Apple and iCloud account, even with 2FA enabled, make sure you use strong, complex passwords, as usual, to prevent this ordeal from happening to you.
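The location check in Haresh's first suggestion can be written out as follows. This is an added example, not Apple's implementation or code from his blog; the coordinates, the 100 km radius, and the function names are assumptions, and the request location is assumed to be already resolved to latitude and longitude.

```python
import math

# Constructed sample data: places this account has logged in from before,
# as (latitude, longitude). Hypothetical values, not taken from the article.
KNOWN_LOGIN_LOCATIONS = [
    (43.4723, -80.5449),  # Waterloo, Ontario
    (43.6532, -79.3832),  # Toronto, Ontario
]

EARTH_RADIUS_KM = 6371.0
TRUSTED_RADIUS_KM = 100.0  # assumed threshold for "a usual location"


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def evaluate_wipe_request(request_location, known_locations,
                          radius_km=TRUSTED_RADIUS_KM):
    """Decide how to handle a remote wipe request.

    Returns (decision, nearest_km), where decision is 'approve' or
    'confirm_by_email'. The check fails closed: if the request cannot be
    located, or the account has no login history, confirmation is required.
    """
    if request_location is None or not known_locations:
        return ("confirm_by_email", None)
    nearest = min(haversine_km(request_location, k) for k in known_locations)
    decision = "approve" if nearest <= radius_km else "confirm_by_email"
    return (decision, nearest)


if __name__ == "__main__":
    # Constructed requests: one near a usual location, one far away,
    # and one that could not be geolocated.
    for label, loc in [("Kitchener", (43.4516, -80.4925)),
                       ("London, UK", (51.5074, -0.1278)),
                       ("unknown", None)]:
        print(label, evaluate_wipe_request(loc, KNOWN_LOGIN_LOCATIONS))
```

A wipe request that fails this check is held, not rejected, so a legitimate owner who is travelling can still erase a lost device after confirming by email.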