My devices have been hacked. What do I do?

i was using my ipad a short while ago when suddenly it locked itself, and was askiwhich I'd never previously set up. I went to check my phone and there was a message on the screen (it's still there) saying that my device(s) had been hacked by 'Oleg Pliss' and he/she/they demanded $100 USD/EUR (sent by paypal to ****) to return them to me.


I have no idea how this has happened. I am not aware of having been exposed to malware or anything else, although i did recently purchase some new apps - perhaps one of these has something to do with it? I don't know. I am not sure what avenue has been used to reach my devices - I'm about to use my husband's laptop to check through some of my accounts (gmail, etc) and see if there is any clue there.


Has this happened to anyone else? What can or should I do? Many thanks

<Email Edited by Host>

iPhone 5

Posted on May 26, 2014 4:57 AM

Question marked as Top-ranking reply

Posted on May 26, 2014 5:48 AM

hi Rojmer, thank you for your reply. I was pretty sure that whoever Oleg Pliss is, it's not really the name of the person who hacked my iDevices 🙂


I think that what you described is what happened - I have gone into iCloud and when I used the 'find my iphone' feature I did indeed see the message and that both the devices were locked. After a bit of research my husband suggested that I turn off 'lost mode' to see if that would restore functionality but this isn't working - each device says 'pending: stop lost mode' but are both still 'lost' despite being turned off before I tried to stop lost mode (if that makes sense).


I'm going to see about changing my icloud password now, as well...

456 replies

May 26, 2014 7:09 PM in response to kkneufeld

kkneufeld wrote:


But shouldn't they at least acknowledge it?


Not necessarily. For one, they probably don't have enough information yet to make any kind of intelligent comment at the moment, so making a comment would be a waste of their time and ours.


Secondly, this doesn't appear to be a breach of Apple's security. If it were, we wouldn't be seeing only Australians and New Zealanders getting this message. It would be affecting a broader spectrum of Apple's users. This means it must be a breach of some system local to Australia and New Zealand that has allowed hackers to capture Apple ID passwords.

May 26, 2014 7:19 PM in response to thomas_r.

thomas_r. wrote:


kkneufeld wrote:


But shouldn't they at least acknowledge it?


Not necessarily. For one, they probably don't have enough information yet to make any kind of intelligent comment at the moment, so making a comment would be a waste of their time and ours.


Secondly, this doesn't appear to be a breach of Apple's security. If it were, we wouldn't be seeing only Australians and New Zealanders getting this message. It would be affecting a broader spectrum of Apple's users. This means it must be a breach of some system local to Australia and New Zealand that has allowed hackers to capture Apple ID passwords.


Noted.


I will just have to wait it out and hope for the best.

May 26, 2014 7:38 PM in response to tallPete

I don't think it's passwords - or at least not just. We have three iPhones at home, all on different accounts, all with strong passwords (all more than 12 characters, all with a mix of upper case, lower case, numbers, and punctuation, with no words or embedded leet-speak words) that aren't used on other sites. Two of them came up with this overnight, the third didn't. The only obvious difference is that (through sheer accident) the third had WiFi switched off at the time, and was thus accessing Apple via a different ISP - the mobile phone carrier.


Given this seems to be happening mainly in Australia / New Zealand I suspect a man-in-the-middle attack (a bit like the idoulCi hack) where someone has redirected Internet traffic from some ISPs in Australia/NZ to a server that's doing the nasty. :-( There's very little checking in many of the peering fabrics used by ISPs to transfer domestic traffic to each other, it would only take one ISP to be hacked and insert a route saying "Apple this way!" to a single peering fabric to steal 30%+ of customers in Aus/NZ.


That said, as we should in these circumstances we have changed passwords on all accounts to new strong random passwords, just in case someone has hacked Apple and retrieved passwords.

May 26, 2014 7:55 PM in response to veritylikestea

I was in the Sydney Apple Store on George Street today at 11:00am with this issue (my iPhone 5 was without a passcode; at night there was a message that the phone was hacked and a pass lock was installed). In the store they told me that this was the first time they had heard about such an issue and that if I don't have iTunes synced with my phone I can only reset it to factory default.... I was able to change my Apple ID password, but unable to remove the lock.... I synced my iPhone with the computer some time ago, but after an iTunes update (and iPhone iOS update) they are unable to connect back. I have some family photos there which I don't wish to lose, but it looks like companies who restore information are unable to work with the iPhone 5... 😟

May 26, 2014 8:10 PM in response to rvolkov

Interesting thread. We have eleven iDevices in our family. Three have had the same hack as under discussion. The three that have been hacked had the "keychain" option on iCloud enabled. All three (they belong to younger family members) were used regularly for popular games with "in app" purchasing. All three owners used the same password on multiple accounts, both Apple and Android. Android is notoriously insecure with its "permissions" being granted to all manner of developers. None of this might be relevant, but they seem possibly suspect to me.


All three have been restored successfully from iTunes backup and their passwords changed. None now have the keychain option selected.


I would love to know whether others use Android devices for the same mail accounts as on their Apple devices, or use iCloud (it's an easy thing to do) on Android.

May 26, 2014 8:11 PM in response to Andrew Rutherford

If you look at 'lozzab22's entry (currently at the top of page 9):


"I have an unlocked iphone originally from Australia, but it's now with me living in Toronto, Canada - and got the same hacked message mid-morning. So this tells me it's not Aussie service providers, and only icloud related. "


This suggests it might not involve ISPs but points back at Apple being more involved as it is the common denominator.

May 26, 2014 8:13 PM in response to Andrew Rutherford

Andrew Rutherford wrote:


Given this seems to be happening mainly in Australia / New Zealand I suspect a man-in-the-middle attack (a bit like the idoulCi hack) where someone has redirected Internet traffic from some ISPs in Australia/NZ to a server that's doing the nasty. :-( There's very little checking in many of the peering fabrics used by ISPs to transfer domestic traffic to each other, it would only take one ISP to be hacked and insert a route saying "Apple this way!" to a single peering fabric to steal 30%+ of customers in Aus/NZ.


That said, as we should in these circumstances we have changed passwords on all accounts to new strong random passwords, just in case someone has hacked Apple and retrieved passwords.


That's what it certainly seems like to me as well. Traffic being redirected to a fake iCloud site to capture logins.

May 26, 2014 8:28 PM in response to Andrew Rutherford

This is interesting, however the attacker was only demanding $100 per client or something. The attacker will have claimed $0 at the moment! Not much reward. So it isn't going to be a sophisticated attack. Hacking an ISP is a sophisticated attack. Hacking Apple is a sophisticated attack. If you knew how to attack either of these reliably, then you wouldn't waste it setting iDevices to lost.


If it isn't a password attack then I would go the next simplest with Mums and Dads - routers using default passwords. Although how to man in the middle redirected SSL traffic to get the passwords remains unsolved. But I still think password reuse is far far more likely.

May 26, 2014 8:37 PM in response to Andrew Rutherford

Interesting points, Andrew - I think that password quality is likely to be an issue in a number of cases, but it sounds like your environment is one which is pretty secure. Any chance you're using 1Password? Is anyone who has had this happen using 1Password -- mostly out of knowledge of the quality of the passwords that it can generate.


The BGP/IP hijacking explanation, whilst possible, doesn't seem probable or the numbers of people impacted would be vast.


Another potential explanation could be the way in which Apple IDs are contingent upon email addresses - is it possible that targets were socially engineered or phished, either through email in recent weeks/months, or, fake "support" calls which scammers are always busy with?


And even if they didn't accidentally reveal their passwords, it's possible the password reset/recovery functionality of their email provider could have also played a role.


So far I've seen most of the Telco carriers mentioned - but what about the email providers, any common threads there?

May 26, 2014 8:53 PM in response to ScottM

I have no idea about the password issue; I haven't used 1Password and I'm not sure where the other common denominator might be... However I have successfully regained control of my devices via restore, both now protected with a passcode, 'find my iphone' is OFF. I do have another question though, because while I have reacquired all my apps on my iphone, even though I am signed into the same appleID account on my ipad it's not showing up any of my past purchases (whereas my iphone did, straight away). I've restored it both as a new ipad and as a backup of my current iphone... what else should I try?


Thanks SO much to all of you who have helped and contributed!

May 26, 2014 9:17 PM in response to tallPete

You may be right TallPete but I still wonder if it is not MITM.


There are a few reasons for that idea:

There is no evidence yet that the number of people affected is not large. That remains to be seen.


The number of people here with the issue in such a short time is unusually high. That points to a large issue - especially since there is no reason to suppose that the majority of those impacted would come here first.


I would even suspect that there would be a number who would pay... not that they would say so out loud. The amount demanded is relatively small and the method of fixing it relatively arcane to the non-technical user. That makes for payment the easy option.


There is evidence from Apple that until recently iTunes was open to MITM exploit.

Not everybody religiously patched their software and it is reasonable to suppose that there is a significant number of unpatched iTunes out there.




On the other hand - as you say - there could be other explanations.


I think that the significant number of attacks in one night points to a harvesting of Apple IDs and Passwords that has been happening over a number of days followed by a programmed exploit to launch the ransom demand. The quickest way to have achieved that would be to have had a phishing exercise via email or other software infection.


There is also a large number of people whose IT security practices make phishing easier.


The fact that the issue seems local to this region could be related to the vector of deception.



The weak point in the attack is that the actions taken did not prevent a fairly simple restoration. It might be that the hijacking of the whole account either was not possible in the time frame allowed for the attack - or that the attacker was only 'almost clever'.




It will be interesting to see what the story is when it comes out in the fullness of time.
