So this wasn't, as the hysterical Daily Mail reported, a virus.............
Owning iCloud accounts probably would be child's play for a hacker with a list of user names in hand, with lucrative results. Yet the crim who locked down antipodean iPhones appears to have waltzed through accounts by the dozen - with nothing to show for his efforts. To be clear, the method used in the Oleg Pliss ransom …
Friday 30th May 2014 07:15 GMT Chairo
Friday 30th May 2014 09:12 GMT Chairo
It was written in El Reg, so it must be the truth!
But seriously - the article mentioned specifically password guesses against iCloud accounts. It would be interesting to know which interface is affected. El Reg, can you give some more information here? If it is really true, that Apple had some interface open, that allowed unlimited password guesses, it would be unspeakably stupid.
Friday 30th May 2014 10:34 GMT Velv
"To protect your security, your Apple ID will be automatically disabled if your account password is incorrectly entered too many times."
No definition of what "too many times" is, and as stated, there doesn't appear to be any incremental delay in blocking failed logins (which iOS does with failed PIN/Password attempts). So while a full on brute force attack might not be possible, a brute force of common bad passwords is perfectly feasible.
Friday 30th May 2014 11:17 GMT Mike Bell
No definition of what "too many times" is, and as stated, there doesn't appear to be any incremental delay in blocking failed logins (which iOS does with failed PIN/Password attempts)
I can't say I'm surprised that the actual qualifier is not stated. That's probably not important, and is likely a reasonably small number.
The difference between logging into an iOS device and logging into iCloud via a web client is that the latter is serviced by http requests. It's only badly designed web apps that introduce lengthy delays in returning an http response (OK, I've been guilty myself of making a few of those. Not intentionally, though.).
Friday 30th May 2014 19:46 GMT Anonymous Coward
I highly doubt this was a result of a brute force attack per account. Even if (I say if because I see no proof of the author's assertion) iCloud doesn't rate limit, Apple would surely notice the effects of brute force attacks against a number of accounts at once as the load on the servers handling it would be massively increased.
More likely Oleg used passwords lifted from one or more of the countless exploits of systems all over the world, some of which escape into the wild making it really easy for him. There are probably several such exploits of "millions" of accounts each week. He has a simple script that tries logging into iCloud with each email/password pair, knowing that some users will have the same password on iCloud that did on one of the exploited systems. When it gets in, it sets the ransom message.
The reason Australia was hit first was perhaps because the exploit list he used first was from some Australian ISP, bank, utility or government site.
Monday 2nd June 2014 05:40 GMT DerekCurrie
"Isn't it nice, how Apple cares about the security of it's customers? What a complete, utter and inexcusable fail!"
It's always a joy to watch idiotic hater comments get thumbed up by fellow idiotic haters.
As a couple of us have proven in the comments, dear Chairo, the FAIL is your comment. The Registry is wrong about brute force attacking Apple logins. Not possible at all. If you are going to hate on Apple, please do it with verified facts. Apple occasionally deserves a swift kick up the back orifice. Change is most likely to result when your criticism is REAL.
Friday 30th May 2014 07:18 GMT Anonymous Coward
Friday 30th May 2014 08:05 GMT Kevin Johnston
Friday 30th May 2014 19:50 GMT Anonymous Coward
How do we know he wasn't set up to collect the ransom? If he was, Paypal will have quickly froze/closed the account once notified of the attack. Unless Paypal explicitly says they did not do this, outside observers probably can't tell the difference between "wasn't set up" and "was frozen".
If it was all the work of a do-gooder, why make the message sound like a ransom? Why not say "hey Apple, I tried to warn you, you didn't listen" and put egg in their face for not heeding his warning?
Friday 30th May 2014 11:26 GMT R&D
As a non-technical person, I think this could be the case. It appears to be some sort of alert to Apple that its popular advertised security feature (the find my phone feature) can be bounced back on users as a hack and is dysfunctional as a result. Australia (relatively tiny market) seems to have been used as some sort of test bed for a response from Apple, and then when nothing of substance was forthcoming, the hack penetrates wider to the US and so on.
I reckon the perpetrators calculated it would annoy the hell out of Apple distributors by creating a steady flow of complaints and requests for 'restore' assistance from users who hadn't set pass-codes for their devices. It doesn't look like it was designed as a serious money making pursuit by hackers.
Friday 30th May 2014 08:46 GMT cracked
Please enter a Unique Username ...
Is the problem bad password choices and third parties with inadequate defences, though?
Just like every other person who has ever coded an online Registration Form, I too saw that Computer Weekly example from 1993 and have since always requested or demanded that the username is an email address.
Obviously this is because that email address must be unique in the Universe - Which was great, because back in 1993, on a modem, endless "Sorry That Username Has Already Been Taken" messages would have been painful
Sadly, now that close on eleventy-billion websites use those very same unique keys; you can easily acquire any old random list that has been spaffed somewhere and guarantee that a good proportion of the same unique keys are present as accounts on all of the big and juicy websites.
And then 123456 comes along to smack everyone upside the head
Is it Friday yet ... ?
Monday 2nd June 2014 12:39 GMT Tim Bates
Re: Please enter a Unique Username ...
"demanded that the username is an email address."
A major website I was looking at the other day had a list of security tips. Among them was to ensure you don't use the same username and password on multiple sites. Guess what they required your username to be....
(For the simple folk, they required your email address - something most users won't have the option to just make up another one).
Friday 30th May 2014 13:35 GMT Nifty
I thought that valid iCloud login credentials
a) Allows you to not just lock but also remotely wipe the iThing
b) With IOS 7, iCloud login credentials are essential if you want to factory reset the phone (Activation Lock, locked to individual devices, thus making them worthless to steal?)
Also, nowadays some rich folks who want to pay for a lot of iCloud storage choose to back up only to iCloud so restoring from disk may not be an option.
(a) would mean that there really, really needs to be 2 factor authentication in order to do a wipe
(b) would make the statement above that the victim can simply reset to factory "not true"
Friday 30th May 2014 16:28 GMT chr0m4t1c
Re: Please confirm...
(a) Yes, it does. But if you do that *first* then why would anyone pay you the ransom?
(b) Also true. But our hacker has to cunning enough to change your password so that you can't just re-authenticate the device. It appears our hacker was not cunning enough, or not motivated to do that for some other reason. One problem with that is that when you change your password Apple will immediately email you to say you've done it, so that would at least ring alarm bells for some people. Although, given that this appears to be a case of re-used login credentials from somewhere else, that may be wishing too much intelligence on the users.
IIRC, in order to delete iCloud backups you have to use an iDevice authenticated to iCloud, I don't think you can use a web browser, so that would be time consuming.
(a? again?) Two factor authentication is available for account access, but it is not turned on by default and as one of the options is to have a code sent to a mobile number as the second stage, this would be problematic when trying to wipe a stolen device. Think it through. You would need to be able to securely change the second phase of two-factor authentication to something else. Answers on a postcard, please.
(b? again?) No, it doesn't, for the reasons detailed above.
Saturday 31st May 2014 00:31 GMT Andrew Jones 2
All these people saying this is a case of password reuse should probably view the actual thread about this on the Apple forums (bearing in mind it has taken El Reg 3 days to report on this) from the huge number of people who swear their Apple password is NOT used anywhere else, and there is one post from a parent who says the 3 iPhones that belong to his kids all have a unique password that is not used anywhere else AND the kids don't know the password to prevent expensive in-app purchases.
This should not be written off as a simple password reuse case. Yet.
Monday 2nd June 2014 05:20 GMT DerekCurrie
Ahem El Reg: Please Properly Educate Yourself About Apple
"One reason that attack vector may be feasible is that Apple doesn't rate limit password guesses against iCloud accounts, opening it up to brute force attacks."
To Quote Apple:
"Apple ID: 'This Apple ID has been disabled for security reasons' alert appears
. . .
To protect your security, your Apple ID will be automatically disabled if your account password is incorrectly entered too many times."
Monday 2nd June 2014 13:05 GMT Tim Bates
Re: Ahem El Reg: Please Properly Educate Yourself About Apple
OK, so after reading a few posts saying this, I'll pick this one to reply to...
Apple states they lock accounts. That is not rate limiting. If you don't see any difference, read on...
Say you've got a list of a million account names, and Apple will lock an account after 5 failed logins. That's 4 million login attempts without getting caught. Because it's not rate limited*, you can do that in however long it takes Apple's servers to process things, and no accounts get locked still.
Now add in a list of known common passwords and you've got a fairly good chance of getting into a significant number of accounts.
*Apple may rate limit - the point is the account locking isn't rate limiting.
Monday 2nd June 2014 05:30 GMT DerekCurrie
Was This Merely A Proof Of Concept Attack?
Proof Of Concept malware and Internet attacks are designed only to point out a weakness in a system. It's a bit difficult to believe that a hacker, black or white, would be so dimwitted as to not complete their ransom scheme unless the point was to merely demonstrate a problem. IOW: Creating no actual PayPal account for sucking in the cash was most likely deliberate.
Clearly, the ability to lock down an iOS device via Find My Mac within a hacked Apple iCloud account is something of a problem or concern.
Attack vector proven. Hacker's proof of concept, a success. √