Thieves defeat apple
The iPhone's security is great - but it's not perfect. Nothing is.
Enterprising thieves have now figured out a way to break into stolen iPhones after they've been locked if the owner isn't careful.
It requires duping the target, so it's possible to detect and block - but you need to know what you're doing.
We heard about the trick from Joonas Kiminki, who wrote a blog post about it over on Hackernoon after experiencing it first-hand. Here's how it works:
- iPhones come equipped with the ability to be locked after they're lost, via the Find My Phone website. This stops anyone from getting in without the correct password, rendering the device effectively useless.
- But criminals have found a way to game this - by spoofing an email or SMS from Apple telling you your phone has been found.
- To do this, they need your contact details. But they can often get these from your Medical ID info page. Or you might have them saved in the message you can display on the phone when it's locked, to try and get whoever finds it to contact you.
- This spoof message will tell the target that their device has been found, and directs them to a website that pretends to be iCloud where they can supposedly get more info about where the phone is exactly.
- The victim then enters their iCloud account email and password, but it doesn't work, saying the password is wrong. Meanwhile, the login details they typed are secretly transferred to the thief.
- With these they can then unlock your device, and either steal your data or wipe it completely and start fresh.
It's clever - but if you're alert about it, you don't need to get stung.
Double-check the email address of any message asking you for your login details - Kiminki's came from "icloud.insideappleusa@gmail.com," which obviously isn't an official Apple account. Likewise, make sure that the URL of any "official"-looking websites match up to the real deal. It should also have a green padlock beside it which means the connection is encrypted and verifies the company's identity.
No comments: