Is your iPhone at risk after the Oleg Pliss hack?

May 29, 2014 by Andrew Smith, The Conversation
Bad news for iPhone users. Credit: Vasile Cotovanu, CC BY

iPhone users in Australia were greeted with an alarming message this week when they tried to use their devices. They were told that a hacker or group of hackers going by the name Oleg Pliss had taken control of their phone and would lock it permanently unless a $100 ransom was paid.

It's not yet clear whether the attack is likely to affect iPhone users outside Australia but even if it doesn't, the attack has raised questions about the security of the iPhone. Apple products have a reputation for being more secure than others and this is the first major attack of its kind.

I recently said the iPhone is one of the most secure smartphones and that is still true. This attack is a very clever compromise but it does not actually hack into your phone.

Instead, Oleg Pliss seems to have found a way of attacking the remote server that supports an iPhone user's iCloud account. It is through this account that the user has cloud data storage for their phone as well as the opportunity to access the Find My iPhone service.

We don't know the exact detail of what has actually happened. Apple has issued a short statement saying that iCloud was not compromised but that users should change their passwords as soon as possible. It has not given much more away.

It seems the hackers have identified a vulnerability by harvesting compromised data from other sources. That has allowed them to gain access to a large number of iCloud accounts. By identifying whether someone has an email or, the attackers have worked on an assumption that there are people who have used the same password for their iCloud account as well as for the other compromised service.

So instead of attacking the castle, they have compromised one of the supply pipes connecting the castle to the outside world.

Designed as a post-theft tool, as well as a fallback for those of us who regularly misplace our phones, the Find My iPhone app allows you to locate your lost device, lock it or send a message with a contact number that will let anyone who finds it know how to reach you without giving them full access to your information. The app comes as an automatic addition to the latest iPhone.

Find My iPhone is recommended by police and there have been tales of police and citizens using this service to locate stolen phones.

After accessing the system, these hackers are sending remote warnings to iCloud users, threatening to wipe their devices unless they pay up. This suggests they are taking advantage of a feature of the app that allows you to wipe your device remotely if it falls into the wrong hands.

iPads and Mac computers also use this service so while the initial concern has been for iPhones, there is the potential for others to fall victim too. The chances are the cybercriminals could use their advantage in other ways.

What to do now

We don't know all the facts in this case but it would be prudent to change the password for your iCloud account. The possibility of this compromise not being an issue local to Australia is worrying. It is worth picking a password that has never been used on any other service.

The attackers may be exploiting weaknesses caused by the Heartbleed bug or another vulnerability like the one recently discovered at eBay to gain access to iCloud accounts.

While Apple services were not affected, the attackers may have been able to discover your @icloud email address if you've used it on other sites and services. If you're one of the many people who use the same password for different sites, your iPhone will be more vulnerable.

It's important to note that this is not a weakness in the iPhone or the services provided by Apple. Whoever these cybercriminals are, they have been very clever in their exploitation of other systems and are now putting this data to good use.
