Unlocking a lost or stolen mobile device can be very difficult, as the news made quite clear earlier this year. While the FBI eventually found a way into Syed Farook’s iPhone, privacy boosters could take heart that it required months of time and the massive resources of United States federal law enforcement to do so. Presumably that’s a high bar to get over, and so typical phone users can feel that their personal information is relatively safe from the average person who might find or steal a phone.
But where there’s advantage to be had, people tend to find a way. So I was very interested recently to read an account of a spear phish aimed at unlocking a lost iPhone. Finnish technologist Joonas Kiminki lost his iPhone and eleven days later received a sophisticated spear phishing message pretending to be from Apple. It ultimately aimed to get his login credentials.
Joonas gives a good account of the steps in the attack, complete with screen caps, which is well worth the read. It’s interesting to note that this phish appears to be a generic attempt to unlock just any iPhone. Joonas states that he was on vacation in Italy and left the phone in his rental car, from which it was stolen. So it’s hard to imagine a scenario in which he specifically was targeted for the specific contents of his phone.
Rather, it appears that the stolen phone eventually found its way into the hands of someone who uses this spear phish to unlock mobile devices. Presumably this same basic kit is applied to many such stolen devices.