Remote locking Apple devices



Raz0rEdge
08-18-2017, 10:06 AM
I've been reading a few posts in various places about people having their Apple devices (Macs and iPhones) locked with messages asking them to contact email addresses that end in @gmx.com, who ask for payment in lieu of releasing the device.

Without paying the ransom, the only way to remove the lock on the device is to go to your nearest Apple Store and prove your ownership to them, which allows them to remove the lock. This can be a huge pain if you have multiple devices, especially ones where you cannot clearly establish ownership (an older machine purchased used which doesn't have AppleCare, for example).

The method for these hackers to get access to your devices is fairly straightforward even if you have 2FA enabled on your account. When your Apple ID is compromised, the credentials can be used to log in to iCloud. Once the username/password is entered, the site properly sends the 2FA request; however, at the bottom of the page you can still access Find My Phone and Settings of the account. With access to Find My Phone, the hacker can see all of the devices on which you have enabled the Find My Phone functionality and can enable Lock Mode with a PIN/passcode that you can't get around.

This is quite a huge security hole with Apple's system even when 2FA is enabled. Ideally, everything should be locked down until you fully authenticate yourself into the account.

So my suggested recourses are:

1) Ensure your Apple ID password is as solid as it can be. Use a password manager to create and save them.
2) Enable 2FA if you haven't already, just a good security measure.
3) Disable Find My Phone on your devices (especially your desktops, since they are not moving anyway). This just means that you have to keep a closer eye on your phones and MacBooks, but I suppose that is better than having someone remotely lock your devices.

I'll be sending feedback through the iCloud Feedback (https://www.apple.com/feedback/icloud.html) link and I think others should as well.

chscag
08-18-2017, 03:21 PM
The problem with disabling Find My iPhone is that if it or any other device is stolen, you have no way of remotely locking the device or locating it. I know that hackers quite frequently sell locked iPhones on Craigslist or even eBay. The buyer, not being aware, tries to activate the newly purchased phone and finds out he can't.

The best solution if your iPhone is stolen is to notify your carrier and have them ban the IMEI number, which will prevent the phone from being used by the thief but not necessarily prevent him from selling it.

The bottom line.... I do not recommend turning off Find my iPhone but I do agree that a strong password for your Apple ID is a must. As for 2FA, I don't use it but everyone has to weigh whether or not that's something they wish to implement.

IWT
08-18-2017, 03:25 PM
Thank you Ashwin for this extremely helpful post.

In case newcomers to this thread think that this is an overstatement, a quick Google search brings up this list of affected users - and Apple Support's response:

https://www.google.co.uk/search?client=safari&rls=en&q=Remote+locking+Apple+devices+@gmx.com&ie=UTF-8&oe=UTF-8&gfe_rd=cr&ei=Oi2XWa-3KtLc8AfA0qHYDw

Ian

Raz0rEdge
08-18-2017, 03:52 PM
I like the Find My Phone feature, but if it can be used maliciously so easily, then it's more of a hindrance. Using a really strong password that isn't easily hacked means that there's less chance of getting access to the feature.

lclev
08-18-2017, 04:14 PM
I have 2FA turned on but I wonder if it is all that safe. Example: If I sign into my Apple account on my MBA I get notified on the same MBA of an attempt to sign in and the approximate location of the device - which is usually within 50 to 100 miles of where I am. When I "allow" the sign in on my MBA, then the six digit number I need to complete the sign in appears on my MBA screen so I can type it into a box ... on my MBA screen...really. This will happen on my MP also. This makes no sense to me.

If a "bad" person has my username and password and is using my ID on a device and it will authenticate on their device with a code on their device... see my point.

Lisa

IWT
08-18-2017, 06:00 PM
Lisa,

I see your point exactly! The idea behind 2FA is "something you know" (PW) and "something you own" (device). But if the "something you own" is the exact same device as you are using, the 6 digit code gets sent there, defeating the point completely.

You can change the destination of the code to a Mobile, landline, or even to a friend's number. You do this within your iCloud account.

My wife got a 2017 MacBook Pro and, never having had an Apple ID previously, was given an @icloud.com email address and 2FA was compulsory - the authenticating code being sent to her MacBook Pro! We changed that to her Mobile (which, although hers, is under my Apple ID).

Ian

ferrarr
08-18-2017, 09:23 PM
> I have 2FA turned on but I wonder if it is all that safe. Example: If I sign into my Apple account on my MBA I get notified on the same MBA of an attempt to sign in and the approximate location of the device - which is usually within 50 to 100 miles of where I am. When I "allow" the sign in on my MBA, then the six digit number I need to complete the sign in appears on my MBA screen so I can type it into a box ... on my MBA screen...really. This will happen on my MP also. This makes no sense to me.
>
> If a "bad" person has my username and password and is using my ID on a device and it will authenticate on their device with a code on their device... see my point.
>
> Lisa

@ Lisa, I believe the reason it shows up on all your devices is because you are near your devices when you attempt 2FA. Try when you are away from all devices but one. Then see if the code shows up on that device when you need to input it. It shouldn't; it should be on the other devices.

lclev
08-19-2017, 09:28 AM
Ian - I have 2FA set to my mobile number. I also have an email address set up. There is no other setting to indicate only show on these devices or don't show on the device I am signing into. Interesting thing is when I signed in just now on my MBA, my MBA, iPhone and iPad all showed the location map and allow button. Having had this happen in the past I know all three will have a different 6 digit code. I guess the only security 2FA offers is if someone tries to use my ID and password then in theory I will catch it on one of my devices and can deny it.

Bob - I will give it a try although that is kind of inconvenient if it works. Just imagine.... I need to access my account but the code is on one of my other devices which I am not able to access in a timely manner. I guess I had better hope I get an email on the device I am using. ;D

Lisa

ferrarr
08-19-2017, 11:30 AM
> Bob - I will give it a try although that is kind of inconvenient if it works. Just imagine.... I need to access my account but the code is on one of my other devices which I am not able to access in a timely manner. I guess I had better hope I get an email on the device I am using. ;D
>
> Lisa

It's meant for thieves, to not have the other device, to get your code. At least, that's the way I see it. If a person finds your iPhone, they wouldn't be able to get into it, unless that is where the code is sent, then that would defeat the purpose. I haven't tried it, but I will if I remember when I'm out and about. I just looked and my iPhone phone number is the only option I have enabled, which is why I only get one code across all my devices. Again, I have only activated it while I have been home, so I may be completely wrong about Apple 2FA.

https://support.apple.com/en-us/HT204915