How Did Apple’s Australian iCloud Hack Happen?

Apple users were rightly mystified this week by some iPads, iPhones and Macs being compromised, remotely locked and held to ransom. Security experts have weighed in on the possible cause, and their recommended solutions.

The unwanted locking of several iOS and Mac devices controlled via iCloud led to the police and government recommending users change their iCloud passwords as quickly as possible, with no official reason yet forthcoming from Apple either in Australia or internationally.

We checked in with a few antivirus and security companies’ Australian offices to see whether they knew what was going on.

How Did This Happen?

David Harley, ESET Senior Research Fellow: It’s not exactly clear what has happened here – nor why the only people affected so far are Australians and New Zealanders. Based upon what is known, it is extremely unlikely that Apple itself has been hacked or suffered a vulnerability.

A far more likely scenario would be that ANZ consumers have been targeted by exploiting password reuse — where malicious hackers obtain password and ID credentials in some type of data breach or phishing attack and then reuse them to gain access to other accounts.

Crispin Kerr, Webroot Australia Managing Director: It is not yet known for certain why this hack was limited primarily to Australian users — the devices themselves were not actually compromised. The hacker gained access to lock out the devices remotely, using user credentials for iCloud. The hacker used [those] compromised credentials to activate the ‘Find My Phone’ feature of iCloud, which allows users to lock down the device remotely in case of theft.

It is unlikely (but not impossible) that Apple itself was hacked, since the hack primarily targeted Australian users. A popular third-party Australian website or service was most likely hacked, and user credentials were attained this way. Because most users use the same passwords for multiple sites and services, passwords attained from other sources were likely used to gain access to iCloud. Unfortunately it’s impossible to say for sure, given the information currently available.
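A defender-side illustration of the credential-reuse pattern Harley and Kerr describe, added here and not part of the article: a small Python check over constructed login log lines that flags a source address trying many distinct accounts in a short window (one stolen list being replayed against another service) and lists which accounts it actually got into, so those can be locked and reset. Thresholds, log format and addresses are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not from the article):
# timestamp, source IP, account, outcome
SAMPLE_LOG = """\
2014-05-27T08:00:01Z 203.0.113.7 alice@example.com FAIL
2014-05-27T08:00:02Z 203.0.113.7 bob@example.com FAIL
2014-05-27T08:00:03Z 203.0.113.7 carol@example.com OK
2014-05-27T08:00:04Z 203.0.113.7 dave@example.com FAIL
2014-05-27T08:00:05Z 203.0.113.7 erin@example.com OK
2014-05-27T08:00:06Z 203.0.113.7 frank@example.com FAIL
2014-05-27T08:10:00Z 198.51.100.2 alice@example.com OK
2014-05-27T09:30:00Z 198.51.100.9 bob@example.com FAIL
2014-05-27T09:30:20Z 198.51.100.9 bob@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: [accounts it logged into]} for every IP that attempted
    at least `min_accounts` distinct accounts inside `window`. A legitimate
    user retrying their own password touches one account; a replayed breach
    list touches many, and the successes are the accounts to lock and reset."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, account, ok = parse_line(line)
        by_ip[ip].append((ts, account, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological, so each event can open a window
        for i, (start, _, _) in enumerate(events):
            distinct = {acct for ts, acct, _ in events[i:] if ts - start <= window}
            if len(distinct) >= min_accounts:
                flagged[ip] = sorted(acct for _, acct, ok in events if ok)
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: reset and re-verify {accounts}")
```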

Why Did This Happen In Australia?

Crispin Kerr, Webroot: Australia is no more or less vulnerable from a threat perspective than other areas of the world. This kind of vulnerability could have been exploited anywhere. Popular websites are regularly hacked globally and sensitive data is often stolen. The recent hacks of credentials from eBay and credit card information from Target are good examples of this. For this reason, it is highly recommended that users create unique passwords for each major website and service they use and also change these passwords regularly.

What Can Apple Users Do To Protect Themselves?

David Harley, ESET: Regardless of the root cause, the most important preventative measure is to enable Apple’s 2-factor authentication for Apple ID credentials. As far as I can ascertain, no-one in Australia or New Zealand who’s activated 2-factor authentication has received the ransom demand alert.

Essentially, this allows you to authenticate using a password, a 4-digit PIN (verification code) texted to a trusted device at each login, and also generates a 14-digit recovery for emergency. This might also be a good time to change your AppleID password and ensure that you’re not re-using a password that might have been compromised from another service. Apple Australia has also suggested contacting AppleCare or visiting an Apple Store if necessary, and claims that an iCloud breach is not responsible.

Crispin Kerr, Webroot: Users affected by this hack should contact Apple support directly to have their devices unlocked. The passwords used for iCloud should be changed as soon as possible. To avoid this situation in the future, users should use a different password for each service and/or website they frequent. It is also highly recommended that users change these passwords regularly.

Given the available information, it is impossible to say whether or not antivirus or identity theft protection software would have prevented this attack. If a popular website or service was directly compromised and the credentials were stolen from there, no locally run security software would have made a difference. However, it is always a good idea to have security software running on endpoints and mobile devices wherever possible.

How Would You Deal With The Ransom?

David Harley, ESET: At ESET we are yet to come across an instance where someone has paid the ransom demand, but there’s no reason to assume that the criminal would actually restore the victim’s access to the affected device(s). So I guess it begs the question — even if you pay, will the hacker give you back your digital assets stored on the device?

For people who have been affected, you could try to erase the device and its password using recovery mode. For more details on how to do this, Apple has a support page with details.