Even the tech expert from 'Mr. Robot' can’t figure out this iPhone hack
Pickpocket hackers aren’t just phoning it in.
If your dad were the technical advisor for the realistic hacks on Mr. Robot and he lovingly micromanaged your gadgets, you'd probably feel pretty badass about the security of your personal devices. So when one of Marc Rogers' kids had their iPhone pickpocketed at San Francisco Pride this year, things took an unexpected turn when tech-savvy thieves pulled off hacking tricks that had Rogers beside himself with curiosity and fascination. And concern. Lots of concern.
"Since this was my kid we are talking about, the phone was up to date and had a strong password and FaceID enabled, and activation lock was turned on," Rogers told Engadget via email. The teen noticed the phone missing within 10 minutes of its theft and immediately began security protocols. "As soon as the phone was found to be missing it was switched to Lost Mode and later a wipe command was sent to it," he explained.
Since that's exactly what you're supposed to do, that should have been the end of it. A loss to be sure, and a pain to start over with a new iPhone. Except Rogers noticed that neither the Lost Mode activation nor the wipe command went through, leading him to "believe the phone has been immediately powered down or placed in a bag that blocked signals. That and the fact that it never resurfaced told me that whoever stole it knew what they were doing and had done this before."
Most likely, the iPhone was powered down immediately and placed in a radio frequency-blocking bag (also called a Faraday bag or RFID bag), a foil-lined sleeve or even an empty potato chip bag. Cutting the phone off from the network this way keeps Activation Lock, Find My iPhone and Remote Wipe from doing their job. In fact, after anti-theft "kill switch" features were introduced, iPhone theft rates dropped by 40 percent in San Francisco and 25 percent in New York within 12 months. London saw its iPhone thefts cut in half.
The blocked signals didn't surprise Rogers; understanding digital crime is his job, after all. He explained in a post on Dark Reading what usually happens to a stolen iPhone after that:
The devices are then powered up only when thieves are positive no signal can reach or inspect them. If the phone is out of date and a software vulnerability exists, they hack the phone and wipe it clean to be resold. If the phone is up to date but not valuable enough to resell, it is either junked or sold for parts. This can easily happen on both older and newer models of phones.
But what happened to his kid's phone next surprised him. Within a few days, the teen "started getting these highly targeted messages using information they had apparently managed to extract." That information included the child's correct Apple ID, its associated email address, "they knew the phone number associated with it even though the SIM card had been killed," and the attackers "sent a range of different messages trying several different social engineering tactics" to try to trick Rogers' kid into clicking on tainted links.
The messages, sent by SMS/iMessage, were made to look like they came from Apple. Yet Rogers noticed they "rotated through a range of different mobile numbers, possibly to avoid detection." The attackers also rotated through a variety of iCloud addresses in order to prevent the victim from ignoring or blocking any of the messages.
Even though Rogers reported the messages as "junk" (this is what Apple advises), the messages came in a relentless flood. "At one point, more than 10 messages per day came in at all hours," he wrote.
He did some online digging and discovered what others are experiencing at the hands of similar attackers. "Apple forums are full of users asking for help after clicking on similar phishing emails. After which their phone is almost instantly deleted from their account, never to be seen again." If the target clicked on one of the links, Rogers explained, "they were immediately redirected to a fake Find My iPhone page that attempted to harvest their AppleID and password, as shown below, taken from fake Apple servers." From there, he wrote for Dark Reading:
If the target entered their AppleID credentials into the site, the phone would have been quickly deleted from their account. And often, the first moment targets know this has happened is when the missing device disappears from the list of devices trackable through Find My iPhone.
Sometimes, for good measure, the thief will hijack the target's AppleID, changing email addresses and contact information to exploit the account further.
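The messages Rogers describes share a few observable traits: Apple-themed wording, a link to a look-alike "Find My iPhone" page that is not on an Apple domain, and senders that rotate through many phone numbers and iCloud addresses. The script below, an added example that is not from the article or from Rogers' Dark Reading post, turns those traits into a simple screening heuristic a defender could run over a message export. The inbox, phone numbers and domains are constructed for the example, and the allow list of Apple domains is an assumption a real filter would maintain itself.

```python
"""Heuristic screening of SMS/iMessage texts that claim to come from Apple.

Added example, not the article's or Marc Rogers' code. It flags Apple-themed
messages whose links point off Apple-owned domains, then looks for the
sender rotation the article describes (several distinct senders in one day).
"""
from collections import defaultdict
from urllib.parse import urlparse
import re

# Domains the genuine Apple ID / Find My pages live on. Assumption for this
# example; a deployment would keep its own maintained allow list.
APPLE_DOMAINS = ("apple.com", "icloud.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
APPLE_THEME_RE = re.compile(
    r"\b(apple\s?id|icloud|find\s?my|lost\s?mode|apple)\b", re.IGNORECASE)

# Constructed sample inbox: (day, sender, text). Mixes the phishing pattern
# from the article with ordinary traffic; every number and domain is made up.
SAMPLE_INBOX = [
    ("2019-07-01", "+15550000101",
     "Apple: your lost iPhone has been located. View its location: "
     "https://icloud-findmy.example/locate?id=8a1"),
    ("2019-07-01", "+15550000244",
     "Your Apple ID was used to sign in. Confirm here "
     "https://apple.com.verify-device.example/"),
    ("2019-07-01", "lostmode-support@icloud.com",
     "Find My iPhone: device found. Confirm ownership at "
     "https://findmy-apple.example"),
    ("2019-07-01", "+15550000777", "Dinner at 7? Bring the umbrella."),
    ("2019-07-02", "Apple", "Your Apple ID code is 123456. Do not share it."),
    ("2019-07-02", "+15550000999",
     "Check out this article https://www.engadget.com/"),
]


def is_apple_domain(host):
    """True only for an allow-listed domain or a subdomain of one.
    Suffix matching on '.apple.com' keeps 'apple.com.evil.example' out."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)


def suspicious_hosts(text):
    """Hosts of every link in the text that is not on an Apple domain."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not is_apple_domain(host):
            hosts.append(host)
    return hosts


def classify_message(text):
    """'phish' for Apple-themed text linking off Apple, 'apple-themed' for
    themed text without such a link (e.g. a verification code), else 'other'."""
    if not APPLE_THEME_RE.search(text):
        return "other"
    return "phish" if suspicious_hosts(text) else "apple-themed"


def find_campaigns(inbox, min_senders=2):
    """Group phish-classified messages per day and keep the days on which they
    arrived from at least `min_senders` distinct senders: the number and
    address rotation the article describes."""
    by_day = defaultdict(lambda: {"senders": set(), "hosts": set(), "count": 0})
    for day, sender, text in inbox:
        if classify_message(text) != "phish":
            continue
        entry = by_day[day]
        entry["senders"].add(sender)
        entry["hosts"].update(suspicious_hosts(text))
        entry["count"] += 1
    return {day: e for day, e in by_day.items()
            if len(e["senders"]) >= min_senders}


if __name__ == "__main__":
    for day, e in find_campaigns(SAMPLE_INBOX).items():
        print(f"{day}: {e['count']} messages from {len(e['senders'])} senders "
              f"-> {sorted(e['hosts'])}")
```

Two details matter for a filter like this. The domain check must anchor on the registrable suffix, since look-alike hosts such as `apple.com.verify-device.example` are built precisely to pass a naive "contains apple.com" test. And the per-day grouping is what catches the campaign rather than the individual message: blocking one number, as Rogers found, does nothing when the next text comes from a different one.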
Rogers was taken aback by the accuracy and automation of the attacks. "This is the first time I have seen spear-phishing used as a technique like this to bypass anti-theft technology used by consumers," he said. "The attacks appear to have been around since 2017 but steadily getting more sophisticated and more targeted."
He added that "normally this kind of very personal spear-phishing is something you associate with high-value targets like the directors of companies, however now it is being used against ordinary smartphone users. We have clearly reached a point where tools are readily available to do this."
So what seems like a basic iPhone theft at first glance is pretty serious and points to a bad privacy or security leak happening somewhere. "All smartphone manufacturers and the mobile carriers need to find out how the attackers are harvesting personal information from their victims with nothing but a locked stolen phone," Rogers told Engadget. "Clearly they have found a route they can leverage to extract key pieces of information, likely through a multi-step process. A thief should not be able to extract the victim's contact information from a locked stolen device."
"This information exposure could have bigger ramifications than just spear-phishing."
While the attack method is somewhat of a mystery, it comes to light at the same time as a newly revealed bootrom exploit for iPhones, called checkm8. It, by the way, requires physical access to a victim's iPhone -- exactly the scenario for pickpockets and phone-snatches. Right now what is known about the checkm8 attack is that it jailbreaks iPhones, which could allow an attacker to revert the operating system to an unpatched version, could be used to undermine iCloud account locks (used for remote security actions like wipes), and more.
What's key here is that since Marc Rogers saw what happened with his kid's stolen iPhone, the world has found out that there's a whole new way to crack iPhones. And being told that attackers must have physical access to the phone is no longer a reassurance.
Personally, I'm inclined to believe we live in a terrible timeline in which privacy is burning, security is a smoking husk of good ideas and all companies hoarding our personal information are big fat thieves and liars. Maybe I'm not wrong! Or maybe I'm just feeling a little dour after finding out about the evolution of attacks on the people most at risk of being exploited and having their lives torn apart. Namely, people who aren't up to date on all the latest security savvy. Or, what hackers call "normal people," and what companies seem to want to think of as "reputation risks when anyone finds out bad things are happening."
So like usual, we need to think a step ahead of the latest security measures. According to Rogers, that means being extremely cautious about text messages (and tell your friends and family too). "Don't trust messages with links in them, go to the site manually without clicking," he advised Engadget. "Keep your phone up to date and make sure you use all the security features available in your device. Finally, make sure all your accounts that support multi-factor authentication have it enabled. It's a good, simple defense against phishing attacks."
Yep, trust no one. Got it.