Apple user credentials exploited to “freeze” users’ iPhones?

From the Telegraph comes this interesting story:

It appears that the hacker, who goes by the name Oleg Pliss, has managed to exploit the Find My iPhone feature which can track and remotely lock stolen devices.

Users have been told to send ransoms of between $50 and $100 Australian dollars (up to £55) to a PayPal account in order to have their devices unlocked.

Those affected have taken to Apple’s support forums to seek help. One user, veritylikestea from Melbourne, said: “I was using my iPad a short while ago when suddenly it locked itself.

via iPhones frozen by hackers demanding ransom – Telegraph.

While it seems the actual method of exploitation is still unknown, with several theories suggesting phishing or brute forcing of weak passwords, it's clear that a number of users are being targeted by this new ransom scheme. This sort of attack is interesting in that criminals who take control of a customer's credentials usually try to use them to purchase digital goods or run some other money-making scheme; locking customers out of their device and ransoming it back is an interesting, although not unprecedented, approach. What is really significant about this attack, though, is the logical next step: leveraging things such as the APIs or services provided by Google, Apple, and the like to remotely lock or wipe devices for large-scale denial of service or disruption. One can only imagine the chaos a criminal could cause to, let's say, a financial company that had equipped its employees with an enterprise-wide iPhone deployment.


Chip and Pin exploits

Many European and some US banks issue ATM and credit cards with a security system built into them called chip and PIN, or EMV. Cards using chip and PIN contain a small microchip that replaces the traditional magnetic strip. Users then simply place their card on a reader and enter their PIN to authenticate. This has greatly reduced credit card fraud at the teller in Europe, and many of the banks that have pushed chip and PIN have claimed the security around it is so robust that it cannot be exploited. Like all security technologies, though, there are always issues, and they always get exploited by dedicated attackers. Krebs publishes an article here on a paper by researchers at Cambridge describing various ways they have exploited chip and PIN, in part based on flaws in the cryptography at the teller endpoints as well as typical man-in-the-middle attacks. This is interesting in that people who have had their cards exploited are being denied fraud claims by banks who claim that such fraud is not probable. It's of further interest because the US is also moving towards chip and PIN.
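Added here as an illustration of the point above, not code from this post, from Krebs, or from the Cambridge paper: a toy challenge-response model in Python showing why the terminal side of a chip-and-PIN transaction matters as much as the chip. The card proves it holds a secret key by returning a MAC over the transaction data plus a challenge chosen by the terminal; if that challenge is predictable, a response computed earlier can be accepted later, and if it is truly random it cannot. The key, field layout, MAC construction and field sizes are constructed assumptions (nothing here is real EMV), and `preplay_accepted` and `looks_sequential` are hypothetical helpers written for this example.

```python
import hashlib
import hmac
import secrets

# Constructed demo key for the example; a real card's key never leaves the chip.
CARD_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")


def card_cryptogram(key: bytes, amount_cents: int, date: str, atc: int, un: bytes) -> bytes:
    """The card's response: a MAC binding the transaction data to the terminal's
    challenge `un`. Hypothetical layout; real EMV cryptograms differ."""
    data = (amount_cents.to_bytes(6, "big") + date.encode("ascii")
            + atc.to_bytes(2, "big") + un)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Terminal:
    """Issues a challenge and verifies the card's response. `predictable=True`
    models a terminal whose 'unpredictable number' is really just a counter."""

    def __init__(self, card_key: bytes, predictable: bool) -> None:
        self.card_key = card_key      # stands in for issuer-side verification
        self.predictable = predictable
        self.counter = 0

    def challenge(self) -> bytes:
        if self.predictable:
            self.counter += 1
            return self.counter.to_bytes(4, "big")   # weak: next value is obvious
        return secrets.token_bytes(4)                # sound: CSPRNG output

    def authorize(self, amount_cents: int, date: str, atc: int,
                  un: bytes, cryptogram: bytes) -> bool:
        expected = card_cryptogram(self.card_key, amount_cents, date, atc, un)
        return hmac.compare_digest(expected, cryptogram)


def preplay_accepted(predictable: bool) -> bool:
    """Model the risk: a response computed ahead of time for the challenge the
    terminal is expected to issue is presented later instead of a live one.
    Returns True if the terminal accepts it."""
    terminal = Terminal(CARD_KEY, predictable)
    amount, date, atc = 4_999, "20140527", 17

    # Guess of the next challenge: exact for a counter-based terminal, a
    # 1-in-2^32 shot against a random one.
    guessed_un = (terminal.counter + 1).to_bytes(4, "big")
    precomputed = card_cryptogram(CARD_KEY, amount, date, atc, guessed_un)

    # Later, at the terminal: the real challenge is issued and the stale
    # response is presented; it only verifies if the guess matched.
    actual_un = terminal.challenge()
    return terminal.authorize(amount, date, atc, actual_un, precomputed)


def looks_sequential(challenges: list[bytes]) -> bool:
    """Defender's sanity check on a terminal: do successive challenges step by
    a constant? Output from a CSPRNG essentially never does."""
    values = [int.from_bytes(c, "big") for c in challenges]
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(values) >= 3 and len(diffs) == 1


if __name__ == "__main__":
    print("counter-based challenge, stale response accepted:", preplay_accepted(True))
    print("random challenge, stale response accepted:       ", preplay_accepted(False))
    weak = Terminal(CARD_KEY, predictable=True)
    print("weak terminal flagged:", looks_sequential([weak.challenge() for _ in range(8)]))
    good = Terminal(CARD_KEY, predictable=False)
    print("random terminal flagged:", looks_sequential([good.challenge() for _ in range(8)]))
```

The design point is that the card's cryptography can be perfectly sound and the transaction still fail to be fresh: freshness is supplied entirely by the terminal's challenge, so auditing how terminals generate that value (the `looks_sequential` style check, run over challenges captured from a terminal under test) belongs in any deployment review, which is also why the "cannot be exploited" claims quoted above are too strong.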