
Many people love Apple’s iPhones, iPads or Macs, and they pay a lot of money to enjoy these products and to store important data on them (notes, text conversations, photos etc.). Apple knows how important these digital memories are, and it’s no secret that hackers target VIPs or rich people who usually make online transactions; in some cases, they manage to steal large sums of money, as well as private photos or other delicate content. The two-factor authentication (2FA) system was supposed to be secure, but since it doesn’t apply to the Find My iPhone service, hackers who crack a user’s iCloud account password are able to remotely lock and wipe any Apple device.

2FA was introduced in 2015 and it added another layer of protection to users’ iCloud accounts. When logging into their iCloud accounts for the first time, users receive a one-time code on their iPhones, which they must enter alongside the password. Even if the password is cracked, it is of no use to hackers, because they also need the code.

Two weeks ago, a University of Waterloo cryptography and security student named Kapil Haresh was busy doing a cryptography assignment when, all of a sudden, he received this message on his iPhone: “Hey why did you lock my iPhone haha. Call me at (123) 456–7890.”

He realized that his Apple ID had been hacked and that someone was trying to remotely wipe his device via the Find My iPhone service. The attack failed because he immediately took his iPhone offline, so the attacker didn’t have time to issue more remote wipe requests.

Haresh logged back into his iCloud account and noticed that there were pending erase requests for his iPhone and for his Mac, which he cancelled. He did the right thing and prevented a catastrophe, because otherwise he would have lost all data on both devices. The good thing about 2FA is that when users lose their iPhones and want to log into their iCloud accounts, the code will be sent to that lost device, and the person who finds it can’t unlock the iPhone to access that code.

Haresh suggests that security-question authentication should be built into the Find My iPhone service, because this would provide another level of protection.

6 COMMENTS

  1. People are always the biggest problem in any security scenario. It reminds me of that old computer quote:

    “The only truly secure computer is one buried in concrete, with the power turned off and the network cable cut.”

  2. As soon as there’s even the smallest hole to get through the whole system is weakened immeasurably. If someone is determined enough and goes after you in a targeted attack, there is almost nothing you can do. It’s not a question of if, it’s a question of how much will it cost them and, if they can afford it, when.

  3. I’d be curious on the legal recourse against the phone company he has. They allowed themselves to be socially engineered. I’d certainly write a letter to have corporate investigate what happened and if any policies were broken. Far too many times does the human element bite the actual humans in the rear.

  4. I’d be curious too but I’m not sure there’s a lot he can do. Even when they stick to policies these things are possible. But yes the problem with everything is always people! If you want something secure put it in a hole and fill it with concrete. It’s only when you need a door to get to it that you have problems!

  5. I think they may have just used the phone to impersonate Blakeman and get around 2FA that way rather than intercept the code. If they did that then even Authy wouldn’t have helped!

  6. There is another weak spot – biometrics.

    It is known that the authentication by biometrics comes with poorer security than PIN/password-only authentication. The following video explains how biometrics makes a backdoor to password-protected information.
    https://youtu.be/5e2oHZccMe4

    It’s a pity that so many people are so tragically misinformed. Biometrics should not be activated where you need to be security-conscious.
