Apple's Find My iPhone Used to Hold Devices Hostage

Find My iPhone is a potentially very helpful iOS feature that does exactly what it sounds like, but in the wrong hands, it can do more harm than good. A slew of unlucky iPhone and iPad owners, mainly in Australia but including a few in North America and Europe, have found their devices remotely locked and held for ransom by at least one unsavory scammer.

The information comes by way of the official Apple Support Communities forums, where a number of users described the same phenomenon. Upon attempting to use their iPhones, they discovered that the devices were locked. Even a locked device can receive certain messages, though, and this message demands a $100 payment via PayPal to a Hotmail address in order to unlock the phone again.

MORE: 13 Security and Privacy Tips for the Truly Paranoid

While Find My iPhone/Find My iPad is a useful system, it's still ripe for exploitation. When a user loses his or her Apple phone or tablet, he or she can then go online and activate the Find My iPhone protocol. By entering an iCloud username and password, a user can then track an iPhone's location, lock its screen or send a message to whomever may have found it.

This feature is useful if you've left your iPhone at a bar and want to display a message for other patrons to call your landline. It can be devastating if someone gets his or her hands on your login information and decides to hold your phone for ransom.

One user, "veritylikestea" from Melbourne, Australia, described her experience as follows: A user named "Oleg Pliss" locked her iPad remotely (the scam works on any modern iDevice), and told her that he would restore functionality for $100 USD or €100 ($136.46). Interestingly, Oleg Pliss is the name of an actual software engineer in California, but it's inconceivable that the real person would ransom iPhones or use shady Hotmail addresses to do so.

If this happens to your iPhone, iPad or iPod touch, it means someone has gotten his or her hands on your Apple username and password and logged into your iCloud account. You need to change your Apple password as soon as possible, and also change it on any other online account on which you registered with the same email address and password.

After that, you'll need to get control over your iPhone back (don't even think about paying the ransom; there's no reason to believe that a scammer would honor the agreement). You could try bypassing the lock screen, as described on the Apple support website. If that doesn't work, you'll have to factory-reset the device.

Instead of attempting to factory-reset the device via iTunes (since a scammer who has your Apple username and password could interrupt this process), perform a hard reset. Shut down the phone, then hold the Home and power button simultaneously until the Apple logo appears. From there, access Settings, General and Reset. Choose Erase All Content and Settings. Now restart the phone, sign in with your revised iTunes login information, and you're good to go.

In order to ensure that this doesn't happen again, be sure to pre-emptively lock your iPhone with either a PIN or a password. Doing so ensures that only the most dedicated hackers can get into your system. You can also activate two-step verification to further secure your device — although a dedicated hacker could also use this functionality against you in much the same way as Find My iPhone.

Follow Marshall Honorof @marshallhonorofand on Google+. Follow us @tomsguide, on Facebook and on Google+.

TOPICS
Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.