Proponents of equipping smartphones with obligatory kill switches to prevent theft should heed a new type of fraud that has spread from Russia and Ukraine to Australia in recent days and is probably coming to other countries soon: Holding iPhones for ransom using their kill-switch feature.
About three weeks ago, the first reports of the scam hit Russian Apple fan sites. iPhone owners started getting a message on their screens saying, "Your device has been blocked because of a complaint. I can help you unblock it. Check your e-mail!" Indeed, a message in their mailboxes said unblocking the phone at a service center would cost 1,500 rubles ($44), but wiring 500 rubles to a specified electronic wallet would solve the problem immediately.
In this high-tech version of a traditional Russian scam involving the theft of car license plates, fraudsters use the Activation Lock feature included in the seventh version of Apple's iOS operating system. It is essentially a kill switch allowing the smartphone's owner to lock a lost or stolen device and send a message asking the finder to return it. Before iOS 7, owners could erase and block their phones remotely, but that could be reversed by reinstalling the operating system. Not any more.
Scammers break into a victim's e-mail and use that to reset the Apple ID password, the credential to access all services in Apple's ecosystem. Then they block the phone and demand a small ransom, so that it's easier for the victim to pay up than to complain and attempt recovery through Apple, which requires documents including the original proof of purchase for the device.
Having tested the scam on home ground, the phone hijackers hit Australia. Incidents were also reported in New Zealand and the U.K. The message on the screen was now in English, saying, "Device hacked by Oleg Pliss." The name, while not particularly widespread, sounds either Russian or Ukrainian. Whoever is using it has set up PayPal accounts to receive ransom payments of 100 Australian dollars ($93).
Make no mistake, the U.S. will see its share of phone hijackings soon. People addicted to their phones would rather pay $50 or $100 than endure severe withdrawal while the problem is sorted out through official channels.
Americans are worried about growing smartphone theft. The devices are expensive, ubiquitous, small, practically generic and often in plain sight -- what more could a thief wish for? In 2013, the number of stolen smartphones in the U.S. almost doubled to 3.1 million devices, up from 1.6 million in 2012. To curb theft, New York State Attorney General Eric Schneiderman and San Francisco District Attorney George Gascon led an initiative called Secure Our Smartphones (S.O.S.), demanding that manufacturers and mobile carriers make it harder to use stolen phones. In April, major carriers and manufacturers signed the Smartphone Anti-Theft Voluntary Commitment, promising that all the phones sold in the U.S. after July 2015 would have a kill-switch feature. Minnesota and California have even legislated on smartphone kill switches because they are such a popular concept.
It is certainly less painful physically to have one's phone purloined by a hacker than to be mugged for it. The ability to disable a phone remotely goes a long way toward making sure muggers, pickpockets and other real-world criminals stop targeting the devices. A technological solution to "analog" crime, however, creates new potential for the digital variety.
Sure, manufacturers could work to prevent hijackings, making user identification for their cloud services more complicated than Apple's current simple system. Criminals, however, will always be one or two steps ahead, and some people will inevitably be victimized before enforcement catches up.
That, by the way, is a core problem with the much-touted Internet of Things: In an "intelligent home," simple devices like faucets and door locks will soon present opportunities for cybercrime. The more connected we become, the more we will get hacked.
To contact the writer of this article: Leonid Bershidsky at firstname.lastname@example.org.
To contact the editor responsible for this article: Mark Gilbert at email@example.com.