Your iPhone or Mac could be hacked with an iMessage
There’s a new warning for Apple iPhone and Mac users about a security vulnerability that could let a hacker infiltrate your device by sending you a rogue iMessage. iMessage has been hacked!!
CNET reports the bug was discovered by a researcher from Cisco Talos. The company warned that hackers could send a .tif file (a type of photo file, like .jpg) via iMessage that, when received, can execute code that gives the hacker access to your device’s internal storage and stored passwords.
You may think you’re safe as long as you don’t click on any suspicious images, but unfortunately, that’s not the case.
“A malicious image file can execute remote code.” “The problem is, certain applications like iMessage automatically render images by default. Remote code execution could also be achieved through MMS messages, attachments and web pages.”
Effects and Causes
Before discussing how to undo the hack, it’s critically important to understand why dealing with a hacked Apple ID must be done quickly. I’ve seen people who have allowed their Apple IDs to remain hacked for months before bothering to do anything about it. This allows the hacker to continue making purchases with your Apple ID, sending e-mail messages or iMessages as you, accessing your iCloud data, etc. However, there’s an additional problem that most people are either unaware of or don’t think about.
The anti-theft features of Mac and iOS devices involve your Apple ID, and can be abused by someone with access to your Apple ID. Your Apple ID could be used to remotely erase your Mac or iOS devices, which could be a disaster if you don’t maintain a good set of backups. Worse, in iOS 7, your Apple ID can be used to lock your iOS device in a way that cannot be bypassed – even by erasing the iOS device – without access to the Apple ID. If the hacker manages to permanently lock you out of your Apple ID, which can be done in a 3-day period using two-factor verification (more on this shortly), then he/she can permanently lock your iOS 7 devices!
In other words, if you believe your Apple ID has been hacked, you need to respond quickly and decisively to regain access and lock the hacker out. Failing to do so could cause you to lose all purchases made with your Apple ID, lose all your data and even turn your iOS 7 devices into expensive paperweights!
The first thing most people want to do is scan for viruses, but there is actually little point in doing that. On the Mac, there is very little malware out there, and I’ve never heard of a single confirmed case of an Apple ID being stolen through an infected Mac. On iOS devices (i.e., iPads, iPhones and iPod Touches), there is no known malware capable of affecting them unless they have been jailbroken (i.e., hacked to disable security in order to download apps from outside the App Store). Further, due to the security features that prevent malware, there is also no anti-virus software capable of scanning an iOS device. If you are using your Apple ID on a Windows machine, keyloggers are possible, but that’s a matter for your Windows anti-virus software and your local Windows tech.
Apple IDs are typically hacked through other means. Some (though certainly not all) possibilities are:
- If your password is a poor one, it may fall to simple brute-force attack by a botnet.
- You could be fooled by one of the many Apple ID phishing scams circulating, in which you receive an e-mail message that is supposedly from Apple, but when you click the link provided in the message, you end up on a fake Apple site that harvests your login information (if you enter it there).
- The e-mail address associated with your Apple ID might have been hacked, possibly allowing a password reset. (The exception here is if you are using an @me.com or @mac.com address as your Apple ID, in which case the address and the Apple ID are the same… hacking one means hacking the other.)
- Your password may have been stored insecurely, such as on a Post-It note in your office that any passers-by can see or in a plain text note in some online account that has been hacked.
- Your password was the same as that used by some other account you own that was hacked first.
- Another account was hacked that gave information about you, such as what your security question answers might be.
- Someone with physical access to your devices has installed spyware in order to harass or steal from you. (Yes, this is even a possibility with iOS devices… with physical access, a hacker can jailbreak them, install spyware, then cover up the fact that it’s jailbroken.)
How to undo the hack
If you think that someone with physical access to one or more of your devices has installed spyware, or if you are using Windows and think you’ve been infected with some kind of spyware trojan or virus, you need to deal with that first and foremost. Most people will be tempted to install some kind of anti-virus software and scan for malware, but that is pointless. Anti-virus software cannot detect many of the things that a person with physical access could do. The only meaningful response is to erase any potentially affected devices and reinstall their systems from scratch.
The two-factor security authentication approach has been in play with Apple’s iCloud service since last September. FaceTime and iMessage users who are also iCloud users will find the security mechanism enabled on the two additional services.
The Apple security support page offers a simple how-to instructional for users:
- Go to My Apple ID.
- Select Manage your Apple ID and sign in.
- Select Password and Security.
- Under Two-Step Verification, select Get Started and follow the onscreen instructions.
According to Apple, users will need to register at least one “trusted” device, which is defined as a device that can receive a four-digit code via SMS or using the “Find My iPhone” feature.
“Then, any time you sign in to manage your Apple ID at My Apple ID, sign in to iCloud, or make an iTunes, iBooks, or App Store purchase from a new device, you’ll need to verify your identity by entering both your password and a 4-digit verification code, as shown below,” stated the instructional.
If you have any questions please feel free to comment below.