Earlier this week, a number of iOS device owners woke up to discover that someone had locked them out of the iPhones, iPads, and iPod touches. The attack, primarily aimed at users in Australia and New Zealand (though there are now reports of users in North America and other countries being hit), demanded a ransom be paid to unlock each device. Ironically, the PayPal account referenced in the demand did not seem to even exist.
The "Oleg Pliss" hack, if you can call it one, wasn't particularly sophisticated. The party behind it -- most likely relied on information like user IDs (including email addresses used as usernames) collected by attacks on non-Apple websites like the recent breach that compromised eBay user accounts. Since a lot of people reuse user IDs, passwords and account security questions, all the hacker(s) needed to do was use that information to log into iCloud and use the Find My iPhone/iPad/iPod feature to lock the device and display a message on it. (The feature is typically used to locate a lost or stolen iOS device.)
It could have been worse
Apple acknowledged the incident, saying that the security of iCloud itself wasn't compromised and that affected users should reset their iCloud password and security questions, which seems to confirm the presumed vector of the attack.
It's also worth noting that the attack was easy to prevent or recover from as users with a passcode or Touch ID enabled on their devices could simply ignore the message and unlock their devices (and ideally reset the iCloud password). Users without a passcode should be able regain use of their devices by forcing them into recovery mode and restoring them via iTunes and a device backup.
What's important to consider is that the potential impact could have been much more damaging. A user's Apple ID, which functions as their iCloud login, delivers access to dozens of Apple services, ranging from Find My iPhone to setting appointments in Apple's stores; purchasing and accessing iTunes content; syncing sensitive account and credit/debit card numbers across devices using iCloud Keychain; and managing enterprise app installation on a user's device if it is used in the workplace.
Time for IT to talk security
That makes the incident a great opportunity for IT shops to talk about mobile and cloud risks to employees.
Over the past few years, IT departments have had to grapple with the trend of users taking their workplace technology needs into their own hands. Today's cloud- and mobile-enabled world means that workers frustrated by security restrictions, enterprise apps and collaboration systems that are slow or difficult to use -- and IT staffers that are slow to respond to their needs or don't respond at all -- can build their own set of tools and technologies without IT's permission or awareness.
In many cases, this can make work-related tasks easier, help employees be more efficient and productive, and boost collaboration between coworkers and with contacts outside of an organization. It also opens the doors to all manner of data security and privacy concerns, with potentially disastrous consequences - things that most workers don't think about or consider to be their responsibility.
This incident should prompt IT teams to explain the very real risks employees, managers and executives take when they use iCloud, Dropbox, Google Drive, and other cloud services or when they store sensitive data on a personal and unsecured mobile device. You can say the same thing about other data breaches that have occurred in recent months, but this one is ideally suited to being a teachable moment, largely because it was an attack that non-tech folks can relate to their everyday experience. This isn't some abstract hacker threat; it's an iPhone or iPad that suddenly won't work, with a ransom note attached for good measure.
Important points to make
Here are the important points IT departments can, and should, include in a security conversation with users.
- Users with the most basic mobile security -- a device with a passcode -- while not immune to the issue weren't significantly affected. That demonstrates the power a simple four-digit PIN can offer and why, despite the slight inconvenience, IT requires officially-sanctioned devices to use one. It also opens the door to discussing the personal as well as professional data that can be exposed and exploited when a device is lost or stolen. Focusing on the potential consequences of someone having complete access to all the data on one the most personal devices people own is likely to drive the point home.
- The potential for damage is greater people that choose to use the same credentials across a range of sites and services. This underscores why IT requires regular password changes and often prevents them from being re-used.
- Apple's own iCloud security systems were not at fault. This attack succeeded because users ignored common security lessons. Apple isn't responsible for it and isn't seen as a scapegoat. A similar incident affecting corporate resources could be blamed on the employee(s) in question rather than on the IT department, particularly if IT can prove it had no knowledge of where the data or credentials were stored by users.
- This could have been much worse for the affected users if the perpetrator had used iCloud credentials to access data and documents synced or backed up to iCloud or stored there by a range of iOS and Mac apps. That lesson extends to every cloud service, email system, social network, and online account that a person has, both personal and professional. If any of those accounts had sensitive corporate data or data subject to government regulation under privacy laws (such as those related healthcare or finance), it could have done a great deal of damage to a company and resulted in termination for any employee that allowed data to be exposed.
That last message, in particular, is most likely to get the attention of workers who may have been oblivious to security, or reluctant to take even basic steps to protect data. Because while the Oleg Pliss hack wasn't bad, it could have been much worse. And this almost certainly isn't the last time something like it will happen.
Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. He has been a Computerworld columnist since 2003 and is a frequent contributor to CITEworld.com. Faas is also the author of iPhone for Work (Apress, 2009). You can find out more about him at RyanFaas.com and follow him on Twitter (@ryanfaas).
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.