Troy Hunt: The mechanics of the iCloud “hack” and how iOS devices are being held to ransom
Really good write up of the iCloud ransom attacks. That being said I think there is a lot more to be said here with a focus on how its not really a good idea to build in remote locking or wipe tools into electronics without some very careful planning and thought. While the author, probably correctly, opinions this is not a Apple security issue since that attack seems to be taking advantage of weak user passwords I would argue that its really a poor architecture issue. One of the issues with these sorts of cloud services for finding electronics, wiping them, locking them, or monitoring them is they all are rife for abuse and not just by criminals. They could be abused by stalkers, suspicious spouses, company insiders, and worse governments who can access the information infrastructure that companies like Apple use to communicate with your devices. Furthermore its just a matter of time before a malicious organization or individual compromises a organizations cloud services and uses it for mass chaos against consumer devices. Indeed for all we know countries or entities already have or have the capability to use for future large scale denial of services. Indeed without getting into it this is a attack I have warned people of for over 5 years could happen and have, in a few cases, demonstrated potentially worse large scale automated ones. This all suggests that companies need to spend more time carefully thinking through the consequences of the services they add such services to their products. Really creating programmatic services to remotely brick, wipe, lock, track, and the like is just begging for disaster.
Robi Sen's Blog 