iOS hack highlights the need for good password policy
It seems we can’t go a week without another site issuing a warning over compromised user passwords and potential data breaches. That certainly seemed to be the case when a large number of Australian users of Apple iOS devices (iPads and iPhones) reported that they’d been locked out of their devices entirely, with a message stating:
“Device hacked by Oleg Pliss. For unlock device YOU NEED send voucher code by 50 $/one of this (Moneypack/Ukash/PaySafeCash) to…”
The thing is, Apple stated that it had no evidence whatsoever of an attack on its own systems, and at least at first, the lockouts appeared to affect only Australian users. If Apple’s internal account security had been compromised, the pool of exposed devices worldwide would dwarf the entire population of our own happy island, so you’d expect scammers to target everybody.
Instead, what seems most likely (because it’s not like scammers deliberately position themselves for interviews on the nightly news) is that the scammers got hold of email address and password pairs leaked from some other service and replayed them against existing Apple IDs. This is credential stuffing rather than brute force: nobody is guessing passwords, they are simply trying known pairs and keeping the ones that work. The location of the victims suggests that the leaked credentials came from a particularly local service, although there have been very limited reports of the Oleg Pliss scam on iPhones overseas since.
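The difference between credential stuffing and brute force shows up clearly in authentication logs, and it matters for the defender because the two call for different responses. The following is an added example (not code from the original article, and nothing to do with Apple’s systems) that classifies login sources from a constructed log. The log format, the threshold values and the sample lines are all assumptions made for the illustration.

```python
"""Distinguish credential stuffing from brute force in authentication logs.

Added illustration, not part of the original article or any Apple code.
The log format, threshold values and sample lines are assumptions
constructed for this example.
"""
from collections import defaultdict
import re

# Assumed log format (constructed): "<timestamp> src=<ip> user=<account> result=<ok|fail>"
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

# Constructed sample: one source tries many different accounts once each
# (stuffing), another hammers a single account (brute force), a third is a
# normal user who mistyped once.
SAMPLE_LOG = """\
2014-05-27T01:00:01 src=203.0.113.5 user=alice@example.com result=fail
2014-05-27T01:00:02 src=203.0.113.5 user=bob@example.com result=ok
2014-05-27T01:00:03 src=203.0.113.5 user=carol@example.com result=fail
2014-05-27T01:00:04 src=203.0.113.5 user=dave@example.com result=fail
2014-05-27T01:00:05 src=203.0.113.5 user=erin@example.com result=ok
2014-05-27T01:00:06 src=203.0.113.5 user=frank@example.com result=fail
2014-05-27T01:00:07 src=198.51.100.9 user=alice@example.com result=fail
2014-05-27T01:00:08 src=198.51.100.9 user=alice@example.com result=fail
2014-05-27T01:00:09 src=198.51.100.9 user=alice@example.com result=fail
2014-05-27T01:00:10 src=198.51.100.9 user=alice@example.com result=fail
2014-05-27T01:00:11 src=198.51.100.9 user=alice@example.com result=fail
2014-05-27T01:00:12 src=192.0.2.77 user=grace@example.com result=fail
2014-05-27T01:00:13 src=192.0.2.77 user=grace@example.com result=ok
"""


def parse(log_text):
    """Yield (src, user, ok) tuples; lines not matching the assumed format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "ok"


def classify_sources(log_text, min_attempts=5, stuffing_min_distinct_users=4):
    """Return {src: label}, label being 'credential_stuffing', 'brute_force' or 'benign'.

    The thresholds are assumptions for the example; tune them against real traffic.
    """
    attempts = defaultdict(int)
    users = defaultdict(set)
    for src, user, _ok in parse(log_text):
        attempts[src] += 1
        users[src].add(user)

    labels = {}
    for src, n in attempts.items():
        if n < min_attempts:
            labels[src] = "benign"
        elif len(users[src]) >= stuffing_min_distinct_users:
            # Many accounts, one or two tries each: leaked (user, password)
            # pairs being replayed. A lockout-per-account policy barely slows this.
            labels[src] = "credential_stuffing"
        else:
            # Many tries against one account: password guessing. Per-account
            # lockout and rate limiting work here.
            labels[src] = "brute_force"
    return labels


def compromised_accounts(log_text):
    """Accounts that logged in successfully from a source labelled as stuffing.

    These users' reused passwords worked for the attacker, so they are the
    ones to force through a password reset (and nudge towards two-factor).
    """
    labels = classify_sources(log_text)
    hit = set()
    for src, user, ok in parse(log_text):
        if ok and labels.get(src) == "credential_stuffing":
            hit.add(user)
    return sorted(hit)


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {label}")
    print("force password reset:", compromised_accounts(SAMPLE_LOG))
```

Note the asymmetry the example brings out: a stuffing source succeeds on a couple of accounts out of six on the very first try, which is exactly what reused passwords buy the attacker, and per-account lockouts do nothing against it because each account only sees one attempt.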
If you’re curious as to how this could happen, it relates to the Find My iPhone functionality built into iOS devices that allows you to remotely lock them if they’re lost or stolen. That’s quite handy if it happens to you, because you can lock down the device, keeping your data safe while also displaying a message allowing anyone who finds the device to return it. It also makes it more or less impossible for crooks to then sell the device on to anyone else.
Except, of course, when the very login you use to activate that service is compromised: whoever holds your Apple ID password can lock your device and write the message themselves. Again, the details aren’t clear. If Apple were covering up a breach of its own systems, the extreme locality of the victims would be very odd, and the company would be opening itself up to some serious legal claims. Presuming no obfuscation, what seems more likely is that the users hit by the scam had been using the same login and password combination across multiple services.
For logins that’s often unavoidable, because many services want you to use your existing email address. If you’re particularly paranoid you could set up a unique email address for each service you use, but most of us want that kind of information centralised.
For passwords, however, it’s just plain lazy, and as this hack demonstrates, an exceptionally bad idea. You’re not likely to get actual satisfaction out of whoever’s behind “Oleg Pliss” by sending them money, because like any blackmail scam, it just alerts them to the fact that you’re willing to pay.
Having a solid password strategy with a unique password for every service isn’t hard if you use password management software such as KeePass or 1Password, both of which will generate strong and unique passwords for you on demand. Equally, where services allow for two-factor authentication (and Apple’s services do) it provides another barrier to this kind of attack: a password leaked from some other site is no longer enough on its own to take over the account.
If you’re reading this and you have been hit by the scam, it’s not actually insurmountable to get your device back up and running. Before anything else, change your Apple ID password (and turn on two-factor authentication while you’re there): the lock was placed through your account, and until the scammers are shut out of it they can simply lock the device again. Then, if you synchronise your iOS device with iTunes on your computer, restoring from a backup of your device as per Apple’s instructions here should get you back up and running. Also, obviously, change your passwords to unique combinations for each service pronto!
If an iTunes restore doesn’t work, you may be able to regain access to your device with a recovery mode reset. That’s a destructive reset that wipes everything on the iPhone or iPad, so it’s really an option of last resort. As per Apple’s instructions it involves:
1. Turn off your device. If you can’t turn it off, press and hold the Sleep/Wake and Home buttons at the same time and wait a few seconds for it to turn off.
2. Plug the device’s USB cable into your computer only.
3. Hold down the device’s Home button as you connect the USB cable to it.
4. When you see the Connect to iTunes screen, release the Home button. If you don’t see this screen, try steps 1 through 3 one more time.
   iTunes should open and display a message such as: “iTunes has detected an iPhone in recovery mode. You must restore this iPhone before it can be used with iTunes.”
5. Use iTunes to restore your device.
A reminder again: that’s a DESTRUCTIVE reset, so you should only use it as the option of last resort; it will give you a working device back, but without your data. Hopefully you won’t need to go that far if you have been unlucky enough to be hit by this particular scam.