Hackers Threaten to Erase Apple Customer Data

Turkish hackers are threatening to erase millions of iCloud user accounts unless Apple pays a ransom.

This is a weird story, and I'm skeptical of some of the details. Presumably Apple has decided that it's smarter to spend the money on secure backups and other security measures than to pay the ransom. But we'll see how this unfolds.

Posted on March 23, 2017 at 9:09 AM • 38 Comments

Comments

Aimable • March 23, 2017 9:34 AM

Bluff. If you can delete something, you can encrypt it. And if you give someone time before you delete / encrypt, they'd back up. Don't know why I'm even taking the threat seriously.

Barry • March 23, 2017 10:16 AM

It is a strange story and from other news reports that I've read I suspect that the group have pieced together details from other compromised accounts.

My password is long, unique and stored in a password manager. I also have the new 2FA (not the old 2SV) activated. Out of an abundance of caution I've already changed my password to my account; I'd suggest others do the same.


https://hotforsecurity.bitdefender.com/blog/apple-if-hackers-have-our-customers-passwords-they-didnt-steal-them-from-us-17844.html

https://support.apple.com/en-us/HT204915

vs.

https://support.apple.com/en-us/HT204152

Thibideaux Creole • March 23, 2017 10:20 AM

serious question, how can one determine if an iPhone or Mac has been infected and what (if any) mitigation techniques exist?

Sean • March 23, 2017 10:28 AM

I don't believe they can either. Now that Apple has backed up its data a few hundred times, I'm wondering how they planned to do it, or even to attempt doing it without providing any information that would help Apple correct any vulnerability.

Clive Robinson • March 23, 2017 10:29 AM

@ Bruce,

I do like the reference to "Green Lanes"[1] North London. It used to be one of my old stamping grounds back in the 1980's when VHF pirate radio was the up-and-coming thing, as was indie music.

Whilst it does have a large Turkish community in and around the area with some of London's best Kebab shops and restaurants, it is also London's longest road...

Thus I suspect that it's more "cover story" than actuality. Further the UK is not a wise choice for a place to commit Internet extortion of this type.

GCHQ really do log all international traffic coming in and out of the UK. If accurate time stamps can be obtained then it's a reasonable chance traffic and contact analysis will give identifiable information on traffic routing etc. Thus if they are in the UK collars are likely to be felt. Even if the traffic is passing through and encrypted there is still a better than average chance the perps will get identified.

Which just leaves the question of if they will do the analysis or not.

Politically, because of Brexit, the UK Prime Minister Theresa May has been courting Turkish business (not a good idea, but then neither is Brexit).

[1]https://en.m.wikipedia.org/wiki/Green_Lanes_(London)

Marcr • March 23, 2017 11:03 AM

I'd like to make a few comments on some of the user comments on this blog. Please excuse that English isn't my first language.


"If you can delete something, you can encrypt it."

This doesn't apply here. These hackers are threatening to activate Apple's remote wipe feature which destroys the encryption keys to the full disk encryption of the iOS device (stored in the secure enclave which is a chip or, depending on the model, a part of a chip, the CPU, if I recall correctly). Therefore, in this instance they can only delete or lock the device, but not encrypt it. Technically, they just delete the decryption key. Locking it would make no sense because Apple might be able to unlock it if the owner can prove his identity – but I'm not sure if this is really the case.


"Now that Apple has backed up its data a few hundreds times"

This is partly true for most customers, but not for everybody. You don't have to backup everything to iCloud, as a matter of fact, I'd suggest to leave sensitive information out of your backup (as I do) and to leave out everything that gets backed up somewhere else.


"serious question, how can one determine if an iPhone or Mac has been infected and what (if any) mitigation techniques exist?"

This is nothing that infects a device. Mitigating this is extremely easy: Change your password. Make it sufficiently long and don't lose it. That's it.

You might also want to enable two factor authentication, but be advised that this does not help against this threat. Only a password change will. (That's because Apple's remote wipe feature can be activated without the second factor. This makes sense because most people use this feature when they have lost their device. You can't receive your second factor if you don't have your device.)

Who? • March 23, 2017 11:05 AM

From Motherboard's article:

The hackers, who identified themselves as 'Turkish Crime Family', demanded $75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data.

$100,000 USD worth of iTunes gift cards? What a bunch of computer nerds!

An odd story. It is a very low ransom, considering both the size of Apple and the number of accounts they say are compromised; the usual way to conduct the ransom "business model" is shooting first, ask questions later.

They do not care if payment is done using a cryptocurrency (they say bitcoins or ethereum are ok) or done by means of iTunes gift cards? I would say the latter has a huge chance of being tracked by Apple!

Will go for the popcorns!

I agree with other people here, it seems fake.

On a different matter, wouldn't it be great if some day all our data on Internet is deleted? It will be the best way to start again, this time with more knowledge about the truth of the Internet and better security practices.

Thibideaux Creole • March 23, 2017 11:12 AM

@ Marcr,
I was perhaps too vague in my wording, I'm interested in how to discover if the UEFI has been compromised on a device (Mac, iPhone, whatever) if it truly is being sabotaged at the factory level. Your suggestions for strong passwords and two-factor are meaningless if a given device has been compromised in such a manner; Vault 7 appears to show that this is the primary way (specifically physical access) of getting around end-to-end encryption.

George Shrout • March 23, 2017 11:15 AM

As I read the various articles concerning the threat, I think there are two separate issues. The first is the wiping of iPhones and iPads. By using the stolen credentials and logging into iCloud.com, they could invoke the Find iPhone utility and remotely wipe your device, IF you have configured this on the iPhone or other Apple device. You can mitigate this feature if you go into your iCloud account on the device and turn on Two-Step Verification under Password & Security. This feature sends a four digit PIN to a selected device via SMS that must be entered in the browser that is attempting to use iCloud.com to perform the remote wipe.

Of course the other mitigation is performing backups of your Apple device, and you can simply restore, but I don't think people would take kindly to having their phone wiped in the middle of the day while on business or other endeavors.

Most people don't take these additional steps, so it could be a potential real threat. Apple should advise people to change passwords, and put Two-Step Verification on.

If the second threat is to erase accounts for Apple's servers, then that is on Apple, and they have a problem.

Thibideaux Creole • March 23, 2017 11:20 AM

@George Shrout
Two-Step is the older, less secure method Apple uses, but it is better than nothing and would still prevent this style of attack (Assuming the target wasn't fully compromised). What you really want is 2-Factor since it uses 6-8 digit pin and sends notifications about the geolocation of the login attempt.

Pete • March 23, 2017 11:25 AM

Just another reason why centralized control is a bad thing.
Join the federation! Do your part.

Marcr • March 23, 2017 11:26 AM

@George Shrout
@Thibideaux Creole

"This feature sends a four digit PIN to a selected device via SMS that must be entered in the browser that is attempting to use iCloud.com to perform the remote wipe."

That's incorrect. Remote wipe does not need a second factor, the password is sufficient. That's because you might not have access to your second factor, when your device is lost or stolen.

If you don't believe me, simply try it out. Log in at https://www.icloud.com/ WITHOUT your second factor. You still can remotely wipe your device. You don't have to do it, just have a look at the options that are presented to you. As a matter of fact, this option is located right under the input field for the second factor.

Two Factor Auth doesn't help here.


@Thibideaux Creole

Is it possible that you confused the Wikileaks CIA leak from today with this hacker threat? They are unrelated.

The CIA has methods to infect EFI etc. (we all already knew that, but Wikileaks now leaked some of these methods today).

This post is about some hackers who claim to have the passwords to a couple million iCloud accounts.

mark • March 23, 2017 12:05 PM

I agree, I find it weird. Even on a serious server, it's going to take real time to log into each account and wipe it, and I'm talking a script doing that.

One wonders if this is a fake threat....

George Shrout • March 23, 2017 12:05 PM

@ Let me clear up my statement - "This feature sends a four digit PIN to a selected device via SMS that must be entered in the browser that is attempting to use iCloud.com to perform the remote wipe."
Assuming the hackers have never signed on to your iCloud account before, the first time they attempt to sign into your account from another computer, and you have Two Step Verification on, their browser will not be recognized. It will ask to send the four digit PIN to a designated device (which you have), which then must be entered as part of logging into iCloud. I verified this by logging onto a PC that has never been used with my iCloud account, and I was prompted. Once you are through this verification, you are correct in that no 4 digit PIN is required to wipe the device.

As far as the wipe of devices, multiple articles including this one, have stated one of the threats is to remotely wipe devices.

http://appleinsider.com/articles/17/03/22/hackers-attempt-to-extort-apple-with-threat-to-remotely-wipe-iphones-ipads

Marcr • March 23, 2017 12:21 PM

@George Shrout

I appreciate that you took the time to try to verify what I said and what you said. :) It's great to see that some people on the internet are reasonable and interested in a real discussion. Thank you. :)

I'm sorry to say that, but: You are still wrong.

"I verified this by logging onto a PC that has never been used with my iCloud account, and I was prompted. Once you are through this verification, you are correct in that no 4 digit PIN is required to wipe the device."

You are right, you were prompted. But instead of entering your PIN you can directly wipe your device. Without ever entering a PIN. Look closely, there is an option to find (and lock or wipe) your device right under the six input fields for the PIN.

Two Factor Authentication does not prevent this attack. You can remote wipe an iPhone with the Apple ID and the password, without the second factor. Both for the older two step verification and the newer two step authentication.

The reason for this is obvious: If you lost your iPhone, there has to be a way to lock or wipe it. You can't wait until your carrier has provided you with a new SIM card that would enable you to receive a second factor via SMS. Apple can't expect you to own more than one Apple device (although a lot of people do). There has to be a way to lock or wipe your lost or stolen device instantly, without access to your two factor authentication. And there is. It's right there, on icloud.com.

Sean • March 23, 2017 12:24 PM

"An odd story. It is a very low ransom, considering both the size of Apple and the number of accounts they say are compromised; the usual way to conduct the ransom "business model" is shooting first, ask questions later."

I couldn't agree more. And you'd probably start negotiating privately. This story sounds more like a political advertising coming up after the diplomatic clash between Turkey and Germany / The Netherlands, and its following twitter accounts hacking campaign, than anything else.

D-503 • March 23, 2017 12:25 PM

One way to mitigate this kind of attack:
Make multiple, air-gapped backups of your data, under your own, direct physical control. This should include a couple of bootable backups of your entire system on magnetic media. Anything you absolutely can't afford to lose, back up onto passive, non-rewriteable media such as DVD disks. Store in more than one secure physical location.
How many of the ~800 million iCloud account victims (AKA "users") actually do this, though? It requires developing good habits and organisation.

supersaurus • March 23, 2017 1:59 PM

@D-503

"...non-rewriteable media such as DVD disks..."

600Gb of photos comes out to about 600/8.5 = about 70 double layer dvds. a pro can easily shoot that much data in a day. how long would it take to burn that, 16 hours or so? this is the same reason cloud backup isn't suitable for some data.

non-rewriteable is a nice idea for a directory full of christmas cards, but a little thin.

George Shrout • March 23, 2017 2:08 PM

@Marcr - You are correct, that is what I get for not maximizing a window. That said, I think this makes the threat worse. Unless you turn off Find iPhone on your device, they could wipe your device.

D-503 • March 23, 2017 2:35 PM

@supersaurus
Ha, ha! I can easily shoot that much in a day, and I'm just an amateur.
Obviously, one needs to be organised and make decisions which files are critically important, and which files are less important. Anything less important can go on magnetic media backups, as I wrote before.
Henri Cartier-Bresson supposedly said "Your first 10,000 photos are crap." Face it. He was being generous.
If you have a portfolio of 50 decent photos, you're doing exceptionally well. That can fit on a DVD, plus two more for backup. Family and vacation snapshots can be stored as JPEGs. Sorry to break the news to you, but they aren't professional quality: you don't need the RAW files anymore. Three more DVDs. Intimate photos of your ex? She/he asked you to destroy those years ago. What on earth were you planning to do with those, anyway?!? Work files? I'm looking at a huge box. I have it right here. But how much of that is critically important? Maybe one DVD worth. Emails? Likewise, especially if you dump the spam.

Maybe Frankie Will Let You Eat His Shotgun Too • March 23, 2017 3:16 PM

(1) CIA sabotages Apple products

(2) Assange denounces and instantiates CIA sabotage of Apple products

(3) Implausible hackers threaten the privacy of persons using Apple products

(4) An army of CIA sockpuppets blame Assange for CIA's sabotage of Apple products in 3, 2, 1...

Test your backups and archive files eg Zip etc et! • March 23, 2017 4:05 PM

Earlier this year there was this story about an org that had an incident where a backup was accidentally deleted or something like that and initial efforts appeared to show alternate backups were not viable!

Happened to me with a DVD backup, found out after a disaster some disks were not readable. I was in a rush to make the DVD backups and foolishly skipped the step for testing the integrity of data on the DVD provided by the DVD writing software!

supersaurus • March 23, 2017 4:57 PM

@D-503

"...Sorry to break the news to you..."

you must have exceptional vision to see what I and many others have from your distant perch.

D-503 • March 23, 2017 5:20 PM

@supersaurus
If your house is on fire, what do you grab while you flee?
If you try to grab everything in your house, you'll lose everything.

So you have to prioritise, take only small valuables. Or better yet, rescue your family and pets first.
No exceptional vision required to point that out. Just personal experience (I haven't had a house fire, thank heavens, but I have lost data in the distant past because I failed to make backups)

@Test your backups and archive files eg Zip etc et
Excellent, important advice!

Anon • March 23, 2017 5:56 PM

Assume they can log in to get to the point of wiping devices, don't Apple have a way of detecting that a single IP address suddenly wants to access even 100 accounts nearly simultaneously and lock it out?

There are lots of ways such an attack could be mitigated. I see nothing here that suggests they have insider access.

I call BS.
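The check Anon describes, one source address touching many distinct accounts in a short window, is the kind of thing an identity provider's abuse pipeline can run over its authentication log. The following is an added example written for this page, not code from Apple, the blog, or any commenter. The log format, the addresses and the account names are all constructed for illustration; the sliding-window logic is the point.

```python
"""Flag source IPs that touch many distinct accounts within a short window.

Added illustrative example; not part of the original post. The log line
format is invented for this demo, real auth logs will differ.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, "login", account, outcome.
SAMPLE_LOG = """\
2017-03-23T10:00:01Z 203.0.113.5 login alice@example.com OK
2017-03-23T10:00:02Z 203.0.113.5 login bob@example.com OK
2017-03-23T10:00:02Z 198.51.100.7 login carol@example.com OK
2017-03-23T10:00:03Z 203.0.113.5 login dave@example.com FAIL
2017-03-23T10:00:04Z 203.0.113.5 login erin@example.com OK
2017-03-23T10:00:05Z 203.0.113.5 login frank@example.com OK
2017-03-23T10:00:06Z 203.0.113.5 login grace@example.com OK
2017-03-23T10:09:00Z 198.51.100.7 login carol@example.com OK
2017-03-23T10:20:00Z 203.0.113.5 login heidi@example.com OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<account>\S+) (?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["account"], m["result"]


def find_mass_access(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {ip: (window_start, distinct_accounts)} for every source IP
    that touched at least `threshold` distinct accounts inside any span of
    length `window`.

    Successful and failed attempts are both counted: a login with a stolen
    but valid password looks legitimate on its own and is only suspicious
    in aggregate, which is exactly the case the thread is discussing.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])          # stable sort keeps ties in file order

    per_ip = defaultdict(deque)              # ip -> deque of (ts, account) in window
    alerts = {}
    for ts, ip, account, _result in events:
        q = per_ip[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {a for _, a in q}
        if len(distinct) >= threshold:
            prev = alerts.get(ip)
            if prev is None or len(distinct) > prev[1]:
                alerts[ip] = (q[0][0], len(distinct))
    return alerts


if __name__ == "__main__":
    for ip, (start, n) in find_mass_access(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct accounts starting {start.isoformat()}")
```

On the constructed sample, 203.0.113.5 is flagged with six distinct accounts and 198.51.100.7 (one account, twice) is not. The obvious caveat is that an attacker with a proxy pool spreads the logins thinly across many addresses, so this per-source count is a cheap first filter rather than a complete defence; it is normally paired with per-account signals such as a new device or country, which is what the newer 2FA notifications that Thibideaux Creole mentions surface to the user.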

Dirk Praet • March 23, 2017 6:23 PM

So: change your iCloud password, use iTunes to back up your iOS devices and time machine for your Mac itself. Now dump your iCloud account. There. That'll be 50 euro, please.

Tipsy MacScotchslurpen • March 23, 2017 6:35 PM

@Who?

I thought the same thing regarding the iTunes gift cards (that is, that they would be trackable), but then take notice that they are asking $100k vs the $75k via other methods. This suggests to me that they could use their 'criminal enterprise' to sell off the gift cards for 0.75 on the dollar to end up with the $75k for which they are looking. If some random street vendor sells you a valid gift card on some Turkish (or otherwise) street corner, do you remember what he/she looks like?

I know you aren't going to walk away with that person's real name and contact info.

Clive Robinson • March 23, 2017 7:57 PM

With regards,

    Test your backups and archive files eg Zip etc et. Excellent, important advice!

Whilst good advice it is also lacking another important point.

Back in the days of analog tape, master tapes were regularly "rewound", that is, what was the outer layer of a reel became the inner layer after being rewound.

It was important because the tapes would remagnetize themselves from layer to layer over time under the influence of nature's clock called entropy.

Whilst you got plenty of warning with "ghosting" on analog tapes, you don't notice the same with digital tapes until you get unexpected bit flips, thus errors, and whole data blocks become inaccessible.

Whilst people might consider optical media safe from this, it too still suffers from entropy.

Thus you should have more than one backup and you should test regularly. If an error appears you must be able to not just notice it but correct it.

Many backup formats do not take this into account, nor do many storage technologies report increasing errors to the operator, which could prove rather fatal.
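The thread's backup advice (D-503's multiple independent copies, the "test your backups" comment, and Clive Robinson's point that you must be able to notice a bit flip and then correct it) comes down to two mechanics: a digest manifest that makes silent corruption visible, and a second copy to restore from. Here is an added example of both, written for this page rather than taken from any commenter or product. It builds two backup copies in a temporary directory, flips one bit in the mirror to stand in for media decay, and repairs the damaged file from the copy whose digest still matches. The file names and contents are constructed.

```python
"""Digest manifest for a backup set, verification, and repair from a good copy.

Added illustrative example; not part of the original post. Everything is
built inside a temporary directory so it runs offline; real copies would
live on separate, ideally offline, media.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path):
    """Stream a file through SHA-256 so large backups don't get read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Record a digest for every file under backup_dir and store it alongside.

    Keep a separate copy of the manifest too: a manifest that rots with
    its data cannot tell you which of the two is wrong.
    """
    manifest = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, backup_dir)] = sha256_file(path)
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest


def verify(backup_dir, manifest):
    """Return the relative paths that are missing or whose digest differs."""
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path) or sha256_file(path) != digest:
            bad.append(rel)
    return bad


def repair(copies, manifest):
    """For each copy, restore every failing file from another copy whose
    version of that file still matches the manifest. Returns
    {rel_path: "repaired" | "unrecoverable"}."""
    report = {}
    for target in copies:
        for rel in verify(target, manifest):
            donor = None
            for other in copies:
                if other == target:
                    continue
                candidate = os.path.join(other, rel)
                if os.path.exists(candidate) and sha256_file(candidate) == manifest[rel]:
                    donor = candidate
                    break
            if donor is None:
                report[rel] = "unrecoverable"   # every copy is bad: only notice, no fix
                continue
            dest = os.path.join(target, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(donor, dest)
            report[rel] = "repaired"
    return report


def demo():
    """Build two copies, corrupt one bit in the mirror, verify, repair, re-verify."""
    base = tempfile.mkdtemp()
    try:
        primary = os.path.join(base, "copy_a")
        os.makedirs(primary)
        with open(os.path.join(primary, "photos.tar"), "wb") as f:
            f.write(os.urandom(4096))                       # constructed payload
        with open(os.path.join(primary, "notes.txt"), "w") as f:
            f.write("constructed sample backup content\n")
        manifest = write_manifest(primary)

        mirror = os.path.join(base, "copy_b")
        shutil.copytree(primary, mirror)

        # Simulate media decay: flip a single bit in the mirror's archive.
        damaged = os.path.join(mirror, "photos.tar")
        with open(damaged, "r+b") as f:
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0x01]))

        before = verify(mirror, manifest)
        report = repair([primary, mirror], manifest)
        after = verify(mirror, manifest)
        return before, report, after
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

A plain byte-for-byte copy would have missed the flipped bit entirely, which is Clive's point: without a digest you are not testing the backup, you are only testing that a file of the right name exists. Note that with only two copies you can detect which one is wrong but not vote; if both copies of a file fail, `repair` reports it as unrecoverable, which is why three copies on different media remains the usual recommendation.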

John Smith • March 23, 2017 8:34 PM

Clive Robinson:

"Many backup formats do not take this into account, nor do many storage technologies report increasing errors to the operator. which could prove rather fatal."

I do a deep-level test, on all hard drives in my personal network, once a year, using Steve Gibson's s/w (https://www.grc.com/sr/spinrite.htm). Each large drive can take days to test. If I get any errors or warnings, I backup and retire the drive (and later disassemble it to scavenge certain components inside).

I do this on all drives, not just the ones dedicated to backup.

It's surprising how drives that seem to be working ok can nevertheless be starting to fail.

65535 • March 24, 2017 1:02 AM

Apple execs take the high road:

[Apple execs to extortionist]

Dear Turkey skiddies:

We will not be extorted and we will not pay! We will lead the cloud industry to the moral high ground [sniff].

Why don't you just ask each of the 620 million users to pay you the $150 large; it works out to about 2 dollars per customer. That's not too much for them to pay... considering iPhones cost them 600 to 700 USD.

We have already sold their crappy selfies and other useless data to advertisers and certain intelligence agencies.

Feel free to try to milk that cash cow one more time. It doesn't hurt us. What doesn't hurt Apple may hurt a few teenage girls - big deal, we don't care.

We sell shiny bling to them each year, so what is a few lost customer selfies to us? Nothing. And we will certainly give them one free year of iCloud space and a free credit monitoring subscription under our label.

Thank you from the bottom of our corporate heart and best of luck.

Senior security specialist,
Steve knobs
Apple Intelligence Service.

CallMeLateForSupper • March 24, 2017 12:11 PM

From the blog.robertelder... Re: dot files/directories

"Does It Work On Linux?
Unfortunately, I was unable to get this feature to work on Linux. This only serves to further prove that people who use Linux are boring and don't have much of a sense of humor."

Not entirely true. Krusader, a (KDE) file management tool, lets you create, view and manipulate dot directories and their contents, but the graphics file viewer Gwenview does not see dot directories nor their contents.

John Galt • March 26, 2017 9:49 PM

LOL!

Obviously, CIA field agents in Nigeria are the ones who are making the demand!

jay • March 27, 2017 8:47 AM

Comment: "...non-rewriteable media such as DVD disks...

600Gb of photos comes out to about 600/8.5 = about 70 double layer dvds. a pro can easily shoot that much data in a day. how long would it take to burn that, 16 hours or so? this is the same reason cloud backup isn't suitable for some data...."

Many commercial USB aux drives have software to backup Ios and Android to hard disk (in addition to using them to backup the home computer). Not really that difficult.

I do all my computer backups to USB disk to help mitigate ransomware attacks. The backup disk is only attached to my computer during the backup process.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.