What Apple should have done
Mat Honan was powerless to prevent the attack on his iCloud account but there are steps organisations could be taking to protect their clients' data, says HackLabs security expert.
August 6, 2012
What would you do if your entire digital life started evaporating before your eyes and there was virtually nothing you could do about it?
"I really worry about everything going to the cloud ... I think there are going to be a lot of horrible problems in the next five years."
Apple co-founder Steve Wozniak
This is the nightmare scenario that greeted US technology journalist Mat Honan, who had all of the contents of his iPhone, iPad and MacBook Air wiped, and lost control of his Gmail and Twitter accounts, all in the span of just over 15 minutes.
'It's been a shitty night' ... Mat Honan has recounted how his web world fell apart.
And the scariest part is that he had a strong, seven-digit alphanumeric password. Apple has confirmed to Honan that its own tech support staff provided the hacker entry into his online world via a bit of clever social engineering.
Several others have reported similar stories of Apple handing access to their accounts over to hackers. Security experts say it is "very concerning" that Apple's staff could be so easily tricked, while even Apple co-founder Steve Wozniak believes the move to cloud computing will create "horrendous" problems in the next five years.
It all snowballed after the hacker gained access to Honan's account on iCloud, an Apple service that allows users to keep all of their files backed up in the online "cloud", to trace stolen Apple devices and even to wipe them remotely if they fall into the wrong hands.
Mat Honan's online passwords were reset by someone who had gained access to his iCloud account.
Cloud computing is becoming increasingly popular as users warm to the idea of accessing all their data from any device. The technology is also attractive to companies, which can store huge amounts of data offsite, with much lower costs and no hardware to maintain.
Once the hacker gained access to Honan's iCloud account, he or she was able to reset his password, before sending the confirmation email to the trash. Since Honan's Gmail is linked to his .mac email address, the hacker was also able to reset his Gmail password by sending a password recovery email to his .mac address.
Minutes later, the hacker used iCloud to wipe Honan's iPhone, iPad and MacBook Air remotely. Since the hacker had access to his email accounts, it was effortless to access Honan's other online accounts such as Twitter.
In a blog post published at the weekend, Honan said he was playing with his daughter when his phone suddenly went dead and rebooted to the set-up screen.
"This was irritating, but I wasn't concerned. I assumed it was a software glitch. And, my phone automatically backs up every night. I just assumed it would be a pain in the ass, and nothing more," Honan wrote.
"I entered my iCloud login to restore, and it wasn't accepted. Again, I was irritated, but not alarmed."
He then fired up his MacBook to try to restore his data from a back-up, but an iCal message popped up saying his Gmail account information was wrong, and then the screen went blank, asking for a four-digit PIN.
"By now, I knew something was very, very wrong. I walked to the hallway to grab my iPad from my work bag. It had been reset too. I couldn't turn on my computer, my iPad, or iPhone," Honan wrote.
The hacker eventually deleted Honan's Google account and he was unable to restore it as this required Google sending a text message to his phone, which was now offline.
Honan was previously a writer for gadget blog Gizmodo and still had Gizmodo's Twitter linked to his account. The hacker started tweeting from the Gizmodo account and from Honan's personal account with racist and other offensive remarks.
Apple's tech support could do virtually nothing to help and told Honan that the data on his iOS devices would most likely be gone for good without "serious forensics".
"I've lost more than a year's worth of photos, emails, documents, and more. And, really, who knows what else. It's been a shitty night," Honan concluded.
Honan eventually got his iPhone back online but because he uses Google Voice, and his account was deleted along with his Google account, he couldn't send or receive text messages or make calls. All he could do was wait to see if Google would decide to reinstate his account.
He wrote on Twitter that, even though he used a password management tool called 1Password, this provided no protection as the hacker broke into his account without knowing his passwords.
Honan's blog post went viral on the net, and it wasn't long before staff at Apple, Google and Twitter were on to it. Clearly, being a technology journalist for one of the major tech sites helped him as his Google and Twitter accounts were restored on the weekend. Honan also sent an email to Apple chief executive Tim Cook and, within 10 minutes, received a call from Apple Care.
The hacker also contacted Honan to let him know that they accessed his account "via Apple tech support and some clever social engineering that let them bypass security questions".
Apple has today confirmed to Honan that it was tricked by the hacker and has since assured him that now only one person at Apple can make changes to his account. The company is still trying to restore the data on his MacBook.
Honan is not the only one whose online life has been upended by a hacker who used social engineering tricks on Apple. Chance Graham, a "designer at Apple" according to his Twitter page, tweeted: "Exact same thing happened to me - iCloud was social engineered via support. All accounts compromised. Hacker contacts me. Same m/o?"
The website MyBB.com was recently hacked and in a blog post the site's owners revealed the attackers attempted unsuccessfully to use the same social engineering method to try to access their accounts.
Chris Gatford, of security consultancy HackLabs, said social engineering was always the easiest method to gain unauthorised access and organisations could only defend themselves by having it performed and seeing how employees react.
"This, I assume, has not happened at Apple, specifically the people at Apple tech support anyhow," said Gatford.
"This is a very concerning situation and I hope Apple look into this and investigate ASAP."
Apple co-founder Steve Wozniak predicted at the weekend that there would be "horrible problems" in the coming years as cloud-based computing takes hold.
"I really worry about everything going to the cloud. I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years," he said.
"With the cloud, you don't own anything. You already signed it away ... a lot of people feel, 'Oh, everything is really on my computer,' but I say the more we transfer everything on to the web, on to the cloud, the less we're going to have control over it."
Ty Miller, CTO at Pure Hacking, said email accounts were considered a "trusted primary contact point" and once your email account is compromised the attacker can easily reset passwords for almost all your other online services. The impact you feel is going to be dependent upon the attacker's intent, he said.
"This can range from destroying your data and a public shaming of the victim for being hacked, through to causing financial losses by causing large Skype bills, or performing complete identity theft where the attacker can take control of your bank accounts and finances," he said.
"To reduce the risk of your online identity becoming compromised, individuals should set very complex answers to password reset security questions, utilise two-factor authentication where possible for online services, and make sure that different passwords are used across all online accounts."
Honan and Apple did not respond to requests for comment.