Not a Great Week For Apple Users

UPDATE:  Apple says that a preliminary assessment of the most recent Wikileaks document dump shows old, fixed flaws for iPhone and Mac.  Some of the documents released had a date of 2008, so that those flaws are fixed is not completely surprising.  I am sure that Apple is continuing to review those documents.  Unlike the first Wikileaks dump where they still haven’t given Apple the data needed to figure out whether those flaws are still working, in this dump Apple, apparently, had enough information to figure out how the attack worked, so they could tell if they had fixed it.  Wikileaks tactics may be to dribble out information from the oldest (and likely least valuable because they fixed) vulnerabilities to the newest ones (likely not fixed), so no computer vendor should relax just yet.

A group of hackers is threatening to wipe the devices of more than 600 million Apple users on April 7th using hacked Apple account passwords.

According to the hackers 220 million of the credentials have been verified to work.

Initially, the hackers asked for $75,000 in Bitcoin or Etherium, but they have raised that “request” to $150,000.

Apparently, Apple has told them that they don’t pay bad guys.

It is not clear what Apple’s plan is.

One thing that the could do is force everyone to turn on two factor authentication, but that would cause a wee bit of chaos.  Alternatively, they could force a billion users to change their passwords between now and April 7.  No big deal.  RIGHT!

As a user, I would say it is every person for themselves and we would suggest a couple of things:

  1. Change your password.  Now!
  2. Enable two factor authentication.  Yes, it is a little bit extra work, but probably worthwhile
  3. Make backups of your Apple devices and store them offline and disconnected from the net.

It is possible that Apple has a plan.  It is also possible that the hackers are lying, but there is (or was) a video on YouTube showing someone testing accounts with passwords not hidden behind ****s and that demonstrates some degree of reality.

Changing your password alone MAY NOT be sufficient if the hacker has a way inside Apple to obtain changed passwords.

This is all speculative, but assuming that you don’t want to wake up on April 7th to a wiped device, planning ahead seems like a good idea.

The second Apple news story of the week is that WikiLeaks posted more information about the CIA hacking tools and there are details of compromised iPhones and Macs that were hacked in the distribution channel before the original buyers ever saw them in a way that even doing a factory reset would not remove (i.e. a hack of the firmware itself).

The hack the story talked about required physical access to the devices, but knowledgeable people have told me that hacking which requires them to have physical access and implanting hardware is so last year, so we can assume that the CIA has upgraded this capability to allow them to do the same thing without needing physical access.

Why would the CIA want to hack iPhones instead of Android phones?

Well first, why would you assume this is INSTEAD rather than IN ADDITION TO Androids?  Likely they can deal with either.

Second, the likely reason for going after Apple devices is not that they are more or less secure, but rather that they are status symbols in many parts of the world.  That means that people that the CIA is interested in knowing a lot about are likely iPhone/Mac users.  There are other reasons too, but that one is probably good enough.  If you are interested in the details, read the WikiLeaks Post.  It is pretty fascinating.

What that means is that Apple users are now in the cross hairs and who knows what the boys and girls from “The Company” might be looking at.  Just sayin’.  I would say, in general, they are not looking at U.S. citizens unless they have a reason.

So for those people who thought Apple devices were immune from hacking, I would say that you are probably in the same boat as the rest of us.  Sorry.

Information for this post came from Mac World and WikiLeaks.

Leave a Reply

Your email address will not be published.