Apple Lets Hacker Erase Man’s Entire Online Existence

Imagine you’re playing with your young daughter when suddenly your iPhone goes blank. You check your iPad, but it’s been wiped clean too.

You run to your laptop, and catch it erasing all its own data. You get online, but both of your email addresses have been hijacked, your online storage has been emptied and someone else is using your Twitter account.

This nightmare scenario happened in real life Friday afternoon (Aug. 3) for Mat Honan, a technology journalist based in San Francisco.

Someone took over Honan’s Apple account, which let him remotely wipe Honan’s iPhone, iPad and MacBook, then leverage that power to take over Honan’s Google and Twitter accounts as well, plus the Twitter account of Gizmodo, the tech blog Honan sometimes writes for.

Yet Honan’s enemy wasn’t an elite hacker who used advanced techniques to crack Honan’s password. Instead, the attacker simply placed a call to Apple tech support and convinced Apple to give him control of Honan’s Apple account.

[10 Pros and Cons of Jailbreaking Your iPhone or iPad]

Tale of the tape

“At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash,” Honan wrote on his Tumblr account, which was spared. “At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

“At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:05, they remote wiped my MacBook Air. A few minutes after that, they took over my Twitter.” (Honan posted a screen grab of the notifications his Gmail account received.)

The attacker, identifying himself as part of a hacker group calling itself “Clan Vv3,” used Honan’s Twitter account, “@mat,” to post, “@gizmodo Tell this dumbass employee mat he’s an idiot for using insecure email services, having a 3-letter Twitter, and having access to [Gizmodo].”

 (The Clan Vv3 posts are still up on Honan’s Twitter feed.)

Then he or she took over Gizmodo’s Twitter account and posted offensive messages for about 15 minutes.

Clan Vv3 has been hijacking the Twitter accounts of minor celebrities for several months, for example one belonging to comedian and TV star Whitney Cummings in June.

After a distressing couple of days, Honan has now regained control of his Twitter and Google accounts and has an appointment with an Apple Store Genius Bar today (Aug. 6) to try to recover the data on his Macbook.

[Cracks in the Cloud: Security Issues Loom Over Online Backup Services]

Technology is smart, but people are dumb

The entire episode should serve as a warning to others about two issues.

First, Honan was overly reliant on one company’s services — in this case, Apple’s. Honan backed up his MacBook, his iPhone and his iPad, but he did so only to iCloud, Apple’s own cloud-storage service. All of that was destroyed with one password.

Cloud storage is great, as long as you have reliable Internet access, but it’s best to have backups you physically control — for example, on an external hard drive.

Honan’s “.mac” email address was the emergency confirmation address that Honan had instructed Google to notify if anything went wrong with his Google account.

So when the attacker, posing as Honan, pretended he’d forgotten his Google password, the confirmation email went to the .mac address, which the attacker already controlled.

Once the attacker had control of the Google account and the Gmail service, he used that to take over Honan’s Twitter feed.

Honan could have used Google’s two-factor authentication service, which upon a password-reset attempt sends a text message to a designated cellphone as well as an email to a non-Google email address for confirmation. But that wouldn’t have prevented the wholesale wiping of all his Apple products.

Second, no matter how good security technology gets, it will never be able to stop “social engineering” attacks, or what your grandparents would have called a good con job.

In the early ’90s, famed hacker Kevin Mitnick found that the best way to get into any secure system was to simply telephone the system’s administrators and convince them you were an employee who’d forgotten his password.

Twenty years and thousands of successful hacks later, the same method still works on the world’s most valuable and most high-profile technology company.

It’s not clear exactly what the attacker said to the tech-support person who answered the phone, but as some experts have pointed out, Apple should not give frontline tech-support staffers the ability to reset user passwords.

Most online-account hijacks are the result of weak passwords — the passwords are too short, too obvious, used in too many places or limited to lower-case letters. 

Honan’s password was rather short, but it was unique and used mixed characters. “My password was a 7-digit alphanumeric that I didn’t use elsewhere,” he wrote on his Tumblr page.

But it didn’t matter. As Sascha Segan of PC Magazine tweeted, “The strongest password in the world wouldn’t have saved @mat.”

Article provided by SecurityNewsDaily, a sister site to Laptopmag.com.

LEAVE A REPLY
Name*
Email* (will not be published)
Website
*Indicates required field
Comments*
Submit Comments

FIND A REVIEW
Laptops
All Product Types Accessories Cars Digital Camcorders Digital Cameras eReaders GPS Laptops MP3 & Video Players Projectors Smartphones Software Storage Tablets / MIDs VoIP Wi-Fi
All Subcategories
All Subcategories All-Purpose Budget Business Desktop Replacement Gaming Multimedia Netbook Nettop Rugged Student Tablet PCs Ultraportable
Brand
Acer Alienware Apple Archos ASUS Averatec BenQ CTL Corp. Dell Digital Storm eMachines Emtec Everex Fujitsu GammaTech Gateway General Dynamics Getac Gigabyte Hercules HP HTC iBuyPower Intel Lenovo MSI Nokia Nvidia OCZ OLPC OQO Origin Panasonic Sager Samsung Sony Sylvania Systemax TabletKiosk Toshiba Verizon Viewsonic Viliv VooDoo Workhorse PC ZT Systems
Minimum Rating
Any Rating Editor's Choice 4.5 Stars 4.0 Stars 3.5 Stars 3.0 Stars
Screen Size
10 11 12 13 14 15 16 17 18 20 4 5 6 7 8 9
Resolution
1024x576 1024x600 1024x768 1200X800 1280 x 720 1280x1024 1280x768 1280x800 1366x678 1366x768 1440x1050 1440x900 1600x768 1600x900 1680x1050 1680x945 1920x1080 1920x1200 800x400 800x480
Weight Range
10.1 - 12.0 pounds 12.1 - 14.0 pounds 14.1 - 16.0 pounds 2 lbs 2 pounds and under 2+ lbs 2.1 - 4.0 pounds 4.1 - 6.0 pounds 6.1 - 8.0 pounds 8.1 - 10.0 pounds Over 16 pounds Under 2 pounds
more options
SUBSCRIBE