Apple, Ransomware, and the Disabled

If you want to feel what it feels like to be the subject of ransomware, try upgrading a disabled person’s iPhone (which apparently was compromised). It is not bad enough that the disabled and elderly are targets of scams and phishing; now Apple and the cellular service providers want to get in on it. As a caregiver of a disabled person whose life revolves around using some Apps on their phone, I have found that Apple has implemented policies that more than likely will result in the elderly/disabled spending weeks without access to their devices when they try to upgrade. Their policies could also potentially be life threatening, which I will get into in a moment, and their support department’s response is “We Are Sorry” - but nothing changes, and there is no one to call.

Problem One - AppleID and Family Sharing

As anyone who has taken care of an elderly parent or a disabled person with cognitive issues knows, their mobile device can be a lifeline. If you try to contact Apple about having the disabled individual added to your “Family Unit” to make sure they are not taken advantage of, you will quickly find out that you cannot add the handicapped person to your “family” as a child (even though they really need to be treated as children in many ways). Obviously, you need to get the handicapped individual their own AppleID, since you don’t want to associate their device with your AppleID, which has your credit cards, etc. associated with it. The extent to which Apple allows you to support a dependent who is older than 18 is basically via Family Sharing controls, which translates into being able to limit their purchases. Apple will not notify you if the dependent's account is compromised, and there is no ability to filter the content the disabled person will be receiving. All the caregiver wants is to be notified if suspicious activity is going on, which can't be arranged under Apple's policy.

Problem Two - Apple and its AppleID Recovery Program

If you have ever been a target of identity theft, you know the feeling that comes over you when you find out that your ID has been compromised. It is a terrible feeling, and the policy discussed above (Problem One) will more than likely result in the disabled dependent being taken advantage of. Apple, in not letting you treat your “dependent” as a child, requires you to monitor all email sent and received with the dependent’s associated Apple ID email. If you have ever tried to monitor your kid’s email activity, you know this is no small matter (and taking care of someone with cognitive issues is worse). If Apple would allow caregivers to receive important security notifications regarding the dependent, we would at least stand a chance of catching the dependent being taken advantage of.

As luck would have it, my disabled sister had her AppleID apparently compromised by what would appear to be a rogue ATT employee. I never knew about it, and she never let me know about the email she received from Apple regarding her AppleID credentials being updated, telling her to contact them if she didn't authorize the action (she wouldn't understand the message). My sister does remember going to the ATT booth at the mall, but the representative never gave her the new password he apparently set for her AppleID. Fortunately, I had family purchasing turned off and there were no credit cards associated with my sister's AppleID.

Eventually, every caregiver needs to replace a dependent's phone, and this is when we find out we have an issue. I backed up my sister’s old phone to my computer (cloud backups are not as complete). I attempted to restore her backup to the new phone while at the ATT store, in case I had problems. That is when I found out that the credentials I had set for the phone no longer worked. I then logged into the email account associated with the Apple ID to find out that 6 months ago Apple had sent notification of someone effectively updating the credentials. I provided all the information that was requested of me to verify that the AppleID was indeed my account. I was at the ATT store, so the request for verification via the "Trust this device" prompt couldn't be received (actually the notification came to my Apple Watch 15 minutes after the fact). I did supply the code which Apple emailed to the email address associated with my sister's AppleID, and I provided the code texted to my phone, which was a trusted device. Yet, through a confusing set of prompts, I ended up putting the phone in Recovery mode. I contacted Apple Support, who tried to be sympathetic, saying that she herself had done that to her own phone. You know it is confusing when the support department does it to themselves. I had effectively purchased a bricked phone which couldn't be used, for which I had just signed a contract for data services that I could in no way use. The Apple support people tried to console me that I could still use the voice and text services on the phone, just not the Apps, because they might trigger some activity on the AppleID, triggering further delays. Go tell a person who is cognitively disabled not to click on an icon on their phone; I'll tell you how far that gets.

After 24 hours had passed since purchasing the phone, I got the email from the AppleID security folks telling me that the process would take 2 weeks. I contacted Apple support, who told me there was nothing that could be done... and my disabled sister would have to forgo having a cell phone (since she couldn't be depended upon not to click on an app). Yes, she is supposed to go without a phone when doctors call her. I even thought about re-initializing the phone and getting a new AppleID, since there were no assets associated with the "frozen" AppleID, but it turns out you can't even re-initialize a phone once a restore from backup has been done without having access to iCloud. I NEVER logged into iCloud, and yet it wouldn't let me turn off the "Find My iPhone" feature to allow for the reinitialization of the phone. Will someone tell me how that relates to securing my information? I emailed Apple's security department in an attempt to find out why, and to report issues I saw as vulnerabilities in these security policies. All I got was automated responses.

Epilogue (Technical Aspects)

If you want my opinion, as a cyber security professional, Apple should be using OAuth technology for validating AppleIDs that appear to be compromised. Instead they use the “Trust this Device” notification system, which is buggy at best (you don’t always get the notification). If you want to talk about being insecure: Apple transmits, via email and in plain text, the date/time at which you will be sent a text message with the code to unlock your account! Anyone with any cyber security training (Security+) knows how insecure email is. The fact that Apple emails you, two weeks ahead, the exact date/time to expect a text message means that a “Man in the Middle” attack can be mounted. In the case of the dependent I take care of, it looks more than likely that an AT&T employee took advantage of my dependent, getting her to tell them her AppleID password and never supplying her with the password he changed the account to. That person may have the resources to capture the notification that is to be sent to me, since all my family’s cellular devices are associated with a single family-based service contract. As for the waiting period, I can’t figure out what that period provides in the way of security... Possibly making sure there is no activity on the account from all other devices associated with the AppleID that is reported compromised? But there are none. What does the period give a handicapped person? The “tag line” about it being evidence of their security stance (as Apple Support people tell you), well, that makes no sense and honestly is Bull S**t. It is theft of services, in which a person pays for data services which they can't use!

Update

Apparently iOS 15 will be implementing something like OAuth with a trusted person who can reset the password. Surprisingly, no one in the Apple support group (support.apple.com) mentioned this; the guys in the Accessibility group told me about this expected capability. Still, Apple needs a mechanism to protect cognitively disabled individuals... a way of locking down the AppleID password for caregivers. Hopefully the iOS 15 feature doesn't have a 2-week grace period to regain access.