Apple's "Find My iPhone" is an essential feature for tracking down your Apple gadgets ' locations. When used as intended, this service is great for locating and protecting your Apple gadget in case it's ever lost or stolen.
But imagine having a stranger use this very same tool for holding your gadgets for ransom, locking them and worse, wiping them out from afar.
This is exactly what several Mac users have been reporting these past few days - hackers are breaking into their iCloud accounts and are remotely locking their machines through Apple's "Find My" service.
How the "Find My (Device)" attack works
Apple's "Find My" tracking service helps you get your iPhone, iPad or Mac back in case it's misplaced or stolen. It also has an option to put your Apple gadget in "Lost Mode" and display a specific message (your contact information, for example) on it, and for security purposes, even an "Erase" option to wipe all its data.
This sounds like a really life-saving feature but unfortunately, it can also be used against you.
Essentially, if someone manages to gain access to your Apple iCloud account, they can utilize these same tools to lock your own Apple gadgets and display a "ransom note" on the lock screen itself.
— Jovan (@bunandsomesauce) September 16, 2017
As reported by some Mac users, their computers are being locked by strangers with a passcode and a ransom message demanding a 0.01 amount of the digital currency Bitcoin (worth about $40).
So how did these hackers break into iCloud accounts? Known as the password reuse attack, the passwords were most likely taken from other data breaches and the victims were probably using the same credentials.
How about two-factor authentication (2FA)? Shouldn't that protect most users for password reuse attacks?
Yes, but due to this one quirk in Apple's two-factor authentication system, hackers can still break into your Apple account and lock or even erase your devices.
How does Apple's two-factor authentication work?
Apple introduced 2FA in 2015 to add another level of protection to Apple and iCloud accounts.
When accessing iCloud.com on a browser, this verification method requires users to input a one-time code sent to their other Apple gadgets, together with the password, when logging into an iCloud account for the first time.
This means that if someone successfully cracks your iCloud password, they still can't log into your account without the code.
The big problem is that iCloud's 2FA protection doesn't apply to Apple's "Find My iPhone" service.
A user can simply bypass the authorization code input process and click directly on the "Find My iPhone" icon on the page to see all the gadgets registered under the account. These gadgets can then be locked with a special message via "Lost Mode" remotely.
This allows hackers to remotely lock and even wipe an iPhone, iPad or a Mac by merely cracking a user's iCloud account password.
How to protect yourself
Fortunately, having a passcode already set up on your iPhone or iPad protects you from this attack. If someone manages to remotely lock your iOS gadget out via Lost Mode, just hit the home button once then enter your saved passcode normally to unlock it.
Macs, however, are still vulnerable. Even if you have a local password in place, iCloud.com hackers can still use the "Find My" service's Lost Mode to remotely lock your machine with a specific passcode. You can always disable "Find My Mac" by going to System Preferences >> iCloud >> deselect Find My Mac, but you will lose the tracking benefits of this feature. Location tracking may not be as needed for static desktops like iMacs but it can be useful for portables like a MacBook.
Perhaps before disabling your "Find My" services, it's best to review your iCloud password first (and for that matter, all your online passwords too.) It's your first line of defense, after all.
Since these recent hacks were reportedly initiated by password reuse attacks, it's critical that you regularly change your passwords and never use the same password across multiple sites and services. Click here to find out how to create hack-proof passwords.
Additionally, with all its weaknesses, enabling Apple's two-factor authentication on your iCloud account is still critical because it adds an extra layer of protection from hackers.
If you ever get victimized by the "Find My" ransom attack, please don't pay the ransom. Just take your device to your nearest Apple Store for ways to recover it.
Better yet, always keep a backup of your data so you can restore your device in the case of an emergency. Always create a Time Machine backup of your Mac and for extra security use an online backup service such as our sponsor IDrive.
IDrive allows you to back up the data from your computers, tablets, and smartphones into one account. Right now for a limited time, you can get 90% off in celebration of their 10 year anniversary.