Apple designed macOS’s Find My Mac feature to help those who have lost a Mac or had one stolen recover their machines while simultaneously rendering the computers inaccessible. Unfortunately, Find My Mac has recently been subverted by extortionists relying on usernames and weak passwords leaked from account breaches at major sites like Yahoo and LinkedIn — not iCloud itself.
These criminals log in to iCloud.com with a leaked username and password, lock your Mac via Find My Mac with a secret code, and then post a message on the screen telling you where to send Bitcoin to receive the numbers to unlock your Mac.
If you have fallen victim to this attack, do not pay the ransom! Instead, go to an Apple Store or independent Apple Authorized Service Provider and — according to Apple’s FAQ — with proof of purchase in hand, Apple can unlock your Mac. But change your iCloud password first.
You would think that Apple’s two-factor authentication (2FA) would block this attack, but it doesn’t, for the simple reason that Apple lets certain iCloud activities take place without a 2FA code. That’s an intentional security decision that Apple made to allow people to lock lost devices even if they couldn’t gain access to a trusted device or phone number — imagine that your Mac and iPhone are both stolen. But given how extortionists have subverted Find My Mac, Apple needs to rethink this feature immediately.
If you use the same password for iCloud and other sites or if you haven’t changed your iCloud password in years, change it immediately. Some pundits are recommending that you disable Find My Mac, but doing that removes a valuable tool for data protection and device recovery. The password is the issue, not the Find My Mac service.
To see if your credentials may have been exposed in one of these major account breaches, you should also consult Have I Been Pwned?, a trustworthy site run by Australian security expert Troy Hunt that compiles public account breaches.
This attack doesn’t work against iPhones and iPads that already have a passcode in place because iOS’s Lost Mode relies on the passcode to unlock the device. But if your iOS device lacks a passcode or if you have a Mac, the Lock (Mac) and Lost Mode (iOS) in iCloud.com’s Find My iPhone screen allow an attacker to enter a code only they know and display a custom message telling you how to pay up.
In addition to online reports and our testing, we have a direct report of this attack. A graduate student at Cornell (whose mother is a TidBITS reader and got in touch with us) fell prey to this attack this week. Both of the student’s MacBooks were locked, and a dialog appeared on her screens with an email address intended to appear as though it belonged to Apple.
Luckily, she had both Time Machine and Carbon Copy Cloner backups. Instead of responding to the email address, she called Apple and was told to take her MacBooks to the nearest Apple Store. (It’s an hour away, and they couldn’t fit her in for three days; just because Apple can help doesn’t mean it will be convenient.) Upon doing so, and proving ownership with receipts, the Apple Store employees were able to unlock both computers. And the student’s mother managed to refrain from admonishing her daughter for ignoring parental advice to use strong passwords and not reuse them across sites.
That’s all you need to know. However, if you want to understand why these attacks are happening now, read on.
A Feature Becomes a Bludgeon -- To be crystal clear, iCloud has not suffered a major breach. Rather, this attack was made possible thanks to breaches at other sites that revealed usernames and passwords. The problem stems from people using the same password on both iCloud and a site that was breached. Since nearly five billion accounts have been exposed in breaches over the years, it’s entirely likely that the bad guys have your credentials from those snapshots.
You would think an attack relying on reused passwords would already have happened to iCloud, and it has: many iCloud users had problems a few years ago when weak passwords in early breaches were cracked. The thing is, crackers are still churning away at stronger passwords from those exfiltrated databases using ever more powerful computational engines. Thus, passwords that might have withstood cracking in the past are falling to this continued effort. Plus, because Apple now actively encourages two-factor authentication, some people still rely on relatively weak passwords due to the belief that 2FA will protect them. That’s actually a reasonable assumption — except in this one terrible case!
2FA does prevent someone with just your password from gaining full access to your iCloud. What criminals have realized more recently is that they can still wreak havoc on accounts that have crackable passwords, regardless of 2FA.
At iCloud.com, a login attempt for a 2FA-protected account begins with a request for the username and password. Next, on all 2FA-enrolled computers and devices, a prompt appears that asks the user to Allow or Don’t Allow the login attempt. But here’s the hole. Without dismissing that dialog, iCloud.com allows someone to access Find My iPhone, Apple Pay, and Apple Watch Settings, and from the Find My iPhone screen, lock a Mac or put an iOS device in Lost Mode. Apple should address this vulnerability immediately.
(Pay attention if you ever get an unexpected 2FA login request because it could indicate that someone has obtained your password. Whenever you receive an unexpected request, immediately disable Find My Mac on your Macs, change your iCloud password, and then re-enable Find My Mac. Also note that Apple recently changed what happens when you click Don’t Allow. Formerly, nothing happened. Now, on the device from which you clicked Don’t Allow, you receive a warning that someone might be trying to access your account and suggesting that you change your password.)
The other reason these attacks are happening now is that the spread of ransomware has popularized the notion of locking someone’s files in exchange for payment. Such payments can be difficult to track to their recipients, thanks to Bitcoin, a largely anonymous cryptocurrency that can be readily used internationally and is the coin of the realm for illegal and dubious transactions. (Yes, Bitcoin is used for plenty of legitimate transactions, too, but it’s the preferred medium for online black markets.) And before you ask, yes, Apple could track the IP addresses from which the Find My iPhone locking requests originate, but with VPNs, Internet cafés, and other ways to obfuscate origin, that wouldn’t help.
We believe that attackers won’t be able to erase your Mac or iOS device if you have 2FA enabled because erasure requires your second factor. We tested this with iOS but weren’t able to confirm the final steps with macOS, not having a Mac we could erase on hand. Nonetheless, the same process appears to be followed. (Apple doesn’t document these erasure steps to that degree of granularity, which would help.)
Improve Your iCloud and General Password Security -- The summary of our best advice for your iCloud password and security, and for password hygiene in general, is as follows:
Use a password manager. We use 1Password and LastPass around TidBITS. You can also use iCloud Keychain more extensively in iOS 11, which allows third-party apps to tap into an iCloud Keychain password store.
Create a unique password for each site. With a password manager, this is trivial, both for creating them and filling them in.
For services like iCloud, Google, and Netflix where you may need to type your password instead of using a password manager, use long passwords that are easy to type. The old advice — which many sites enforce, unfortunately — of using short passwords (often just 8 to 12 characters) with a mix of letters, numbers, and punctuation is outdated. The latest recommendations, including those promulgated by the National Institute of Standards and Technology, say longer, memorable, and easy to type is better. Password managers can create those for you, too.
Enable 2FA everywhere you can, including iCloud. While this attack exploits a loophole in Apple’s use of 2FA, 2FA retains its advantages everywhere else.
For more advice on password selection, using password managers, and general account security, consult Joe Kissell’s excellent “Take Control of Your Passwords.”
Thanks to high-profile breaches, many sites have dramatically increased their password-encryption security. Any intelligently run company has shifted to using better algorithms and approaches for encrypting passwords. Many sites now choose an algorithm that has a scaling factor — over time, the site can keep dialing a number up to keep stored passwords infeasible to crack despite increases in computing power. 1Password, LastPass, and others already use this technique to protect their vault passwords. In 2015, LastPass suffered a severe breach, but there were no reports of cracked accounts because of the computational burden to break through even a single password.
What we don’t know is whether users are now regularly choosing better passwords and not reusing them across sites. The popularity of 1Password and LastPass would point toward some improvements there, but I’d argue that the outdated password requirements presented by many sites have kept less-savvy users from increasing password strength. Sites need to get with the times, follow best practices, and give users the best modern advice (which is coincidentally less frustrating, too).
Apple Needs To Rethink This Loophole -- Letting someone with just an iCloud password lock a Mac with a secret code seems like a bad idea. Perhaps Apple could change macOS’s behavior to mimic that of iOS, which lets you unlock a device with the passcode. What if you could regain access to a Mac locked via Find My Mac using one of its macOS administrator passwords?
Apple could adapt a feature already used with FileVault 2 to enable such a capability while still allowing Mac owners who had just lost all their 2FA-enrolled hardware to lock their devices.
With FileVault, Apple uses the Recovery partition to store account information for all macOS logins that have FileVault access. When you turn on or restart a FileVault-protected Mac, macOS actually boots into Recovery. Entering your password unlocks the full-disk encryption key used for your main boot partition and allows the startup sequence to proceed normally.
Right now, however, if you don’t have FileVault enabled, the Recovery partition has no account credentials that it could compare against when unlocking a Mac. That’s likely why Apple lets the person locking a Mac choose the secret unlock code. If Apple updated macOS to store encrypted credentials for an administrator account in the Recovery partition, it would become possible to unlock a locked Mac with just the administrator password, just as in iOS, where the passcode disables Lost Mode.
With such an update, Mac users wouldn’t have to worry about being extorted through iCloud password reuse, social engineering, or any other lost password scenario. We hope Apple is working to make this change or something similar.