Apple iCloud security flaw exposed
Researcher able to brute force entry to computers using Find My Mac
A GitHub user has devised a way to gain unauthorised remote access to Apple computers using iCloud’s Find My Mac function.
Find My Mac is similar to the Find My iPhone service, which allows users to track their device on Google Maps and remote lock or wipe it. This is particularly useful if the phone has been lost or stolen.
Find My Mac works the same way, with the ability to remote lock and wipe the computer via any iOS device linked to the same iCloud account.
When an Apple computer is remotely locked by an iOS device, the user needs to enter a four-digit PIN to unlock it.
However, the GitHub user, who goes by the screen name knoy, claims to have created a programme called iCloudHacker to get round the PIN entry requirement.
The code for iCloudHacker is just 70 lines long, approximately, but knoy said he has successfully tried and tested it on a 2010 13-inch MacBook and a 2012 13-inch MacBook.
It works by simulating a mouse and keyboard via USB and starts cycling through possible passwords.
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
Find My Mac does have some rudimentary security built in. If you enter the PIN wrong too many times it initially locks you out for one minute, then five minutes if you continue to get the PIN code wrong.
In the first instance, iCloudHacker will wait for the minute to pass before starting to guess again. However, in the second instance, the programme will restart the computer. The computer will not remember it had just launched a time-based lockout, so iCloudHacker can just start again.
According to knoy, the maximum amount of time it would take to crack open any given computer would be 60 hours.
However, it is quite likely that it would take much less time than that for iCloudHacker to force open the PIN, as the most commonly used code is “1234”, according to research by security blog DataGenetics.
Of the 3.4 million passwords they examined, 11 per cent used that combination, meaning 11 per cent of machines could be opened in one guess.
The next most popular is 1111 at 6 per cent, followed by 0000 at roughly 2 per cent and 1212 at about 1.2 per cent.
Additionaly, repeated pair couplets, such as 1212 or 8080, were used in just under 18 per cent of all PINs.
Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.