Several users have logged the problem on Apple's support forum, saying their phones or other devices locked unexpectedly. They then received an email from ‘Find My iPhone’ and an on-screen message saying the device had been hacked, with the attacker using the pseudonym ‘Oleg Pliss’.
One user, ‘veritylikestea’ from Melbourne, said on 26 May: “I was using my iPad a short while ago when suddenly it locked itself. I went to check my phone and there was a message on the screen (it's still there) saying that my device(s) had been hacked by ‘Oleg Pliss’ and he/she/they demanded US $100 /EUR (sent by Paypal to email@example.com) to return them to me.
“I have no idea how this has happened. I am not aware of having been exposed to malware or anything else.”
In a 27 May advisory, the Australian Government's Stay Smart Online alert service said the attacks were possibly the result of attackers compromising victims' Apple IDs, signing in to iCloud with them, then activating the device's ‘Lost Mode’ through Find My iPhone and possibly setting a new passcode.
The advisory warns: “A hacker with access to your Apple ID can potentially lock any device associated with it remotely, they can see data you have stored in iCloud, access your Apple Store purchases and potentially set up two-step verification (also known as two-factor authentication) on your device, locking you out of your phone completely, and even remotely erase your device.”
It adds: “Affected users are advised to change your Apple ID password as soon as possible. Users not affected may also consider changing their Apple ID password as a precaution.”
Apple has not yet commented officially.
Analysing the attack in a 27 May blog post, Sophos' Paul Ducklin said it was so far confined to Australia and New Zealand and that the ransom demand ranged from £30 to £60 “for unlock device”.
He said the attackers could have gained access using Apple ID credentials that victims had reused from accounts exposed in earlier breaches, though not necessarily the recent eBay breach, as some victims do not have eBay accounts.
Ducklin reported: “Could a breach against an Australian online service have coughed up passwords that victims re-used elsewhere? That's plausible. We're inclined to consider this the most likely reason we've seen so far, but it relies on all victims being the sort of people who re-used passwords.”
If this was the cause, Ducklin said: “Using Apple's two-step verification would almost certainly have protected you. If you have an Apple account, we suggest you look into two-step verification right away.”
Independent Apple security expert Kevin O'Reilly, senior consultant at Context Information Security, warned: “There is no reason why a similar attack would not spread to the UK.”
And industry watcher Scott MacKenzie, CISO with cyber security solutions provider Logical Step, agreed, telling SCMagazineUK.com by email: “Technically this attack could happen in the UK or anywhere else in the world.”
Supporting Ducklin's analysis, O'Reilly told us: “It seems it all rests upon the attackers gaining access to iCloud accounts, possibly using Apple ID credentials which are the same as users' other credentials compromised in recent attacks.
“The remedy is simple; Apple users should ensure that their Apple ID credentials are not the same as those used for other online services, and are otherwise ‘strong’, composed of a long string of characters, numbers and symbols.
“Enabling the two-factor authentication (2FA) option with Apple IDs is also a step which will make the user much less vulnerable to this attack.”
MacKenzie backed this view, saying: “This attack does not appear to affect Apple users who have enabled 2FA.”
He added: “Apple systems are now designed to be secure (unlike the early iPhones that ran all processes as root), utilising AES 256-bit keys to encrypt the storage. Additional security steps still need to be taken by users, such as setting screen locks, enabling 2FA, and checking what access apps have to the device before installing them from the App Store.”
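The attack path that Ducklin, O'Reilly and MacKenzie describe above (a password leaked by one service, reused as an Apple ID password, then replayed against iCloud) and the reason a second factor stops it can be shown in a small model. The following is an added example, not code from the article, from Apple or from any of the experts quoted. The two services, the users, their passwords and the leaked credential list are all constructed for the demo, and the second factor is modelled as an RFC 6238 TOTP code, which is an assumption: Apple's 2014 two-step verification sent codes to a trusted device rather than using an authenticator app.

```python
"""Credential stuffing versus a second factor.

Added illustration, not the article's or Apple's code. Everything below
(services, accounts, passwords, the 'breach dump') is constructed, and the
second factor is modelled as RFC 6238 TOTP as an assumption for the demo.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, List, Optional, Set, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept low so the demo runs fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Service:
    """A constructed online service storing salted password hashes and, per
    account, an optional second-factor secret."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.users: Dict[str, dict] = {}

    def register(self, email: str, password: str, two_factor: bool = False) -> None:
        salt = os.urandom(16)
        self.users[email] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "totp_secret": os.urandom(20) if two_factor else None,
        }

    def login(self, email: str, password: str, code: Optional[str] = None,
              now: Optional[int] = None) -> bool:
        rec = self.users.get(email)
        if rec is None:
            return False
        if not hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"])):
            return False
        if rec["totp_secret"] is None:
            return True  # password alone is enough: the reused-password case
        # Second factor enforced: a leaked password without the current code fails.
        now = int(time.time()) if now is None else now
        return code is not None and hmac.compare_digest(code, totp(rec["totp_secret"], now))


def credential_stuffing(leaked: List[Tuple[str, str]], target: Service) -> Set[str]:
    """Replay email/password pairs from another site's breach against `target`
    and return the accounts the attacker takes over."""
    return {email for email, password in leaked if target.login(email, password)}


def run_demo() -> Set[str]:
    # Constructed dump from a hypothetical breached third-party site.
    leaked = [
        ("alice@example.com", "Summer2014!"),
        ("bob@example.com", "bobsecret"),
        ("carol@example.com", "hunter2"),
    ]
    apple_id = Service("Apple ID (model)")
    apple_id.register("alice@example.com", "Summer2014!")               # reused, no 2FA
    apple_id.register("bob@example.com", "bobsecret", two_factor=True)  # reused, 2FA on
    apple_id.register("carol@example.com", "9kX!v2Lm#Qp7wRt")          # unique password
    return credential_stuffing(leaked, apple_id)


if __name__ == "__main__":
    print("accounts taken over:", run_demo())  # only alice@example.com
```

Only the account that reused its leaked password without a second factor falls to the replay; the reused password with 2FA enabled and the unique password both survive, which is the point the three experts make. In a real attacker tool the loop in `credential_stuffing` would be rate-limited and spread across source addresses, so login-failure spikes per source are not the only signal a defender should rely on.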
Apple – and its iCloud service – have run into flak recently over flawed security, including a report last week by SC US that hackers were able to bypass iCloud's security features using a man-in-the-middle attack.
But O'Reilly said of the current problem: “Although the temptation here may be to heap criticism on top of Apple, particularly considering recent failings pertaining to iCloud security, in this case it seems they are not necessarily at fault, with poor password safety and practice of users being the main culprit.”
Ducklin urged users not to pay the ransom, saying that if they have a recent backup, they can recover it using iTunes, as explained here.
If not, though, he said users will have to do a “recovery mode” reset of their device, which will erase all their apps and data.
Michael Sutton, VP of security research at security vendor Zscaler, was more positive, telling journalists via email: “Fortunately, this is a situation where Apple can intervene to reset the device and affected users should not pay the ransom being sought.”