Apple’s reputation when it comes to security has taken a bit of a battering over recent months and another high-profile case will do little to allay fears that Apple users are just as vulnerable as Windows users.
This one, however, is not about viruses, as the headlines earlier this year were. Instead, it appears attackers bypassed Apple’s account-verification procedures and gained access to a US technology journalist’s iCloud account, wiping his Apple devices and locking him out of several online accounts. The attackers also gained access to the Twitter feed of Gizmodo.
Mat Honan, who wrote for the gadget website, first noticed an issue on Friday (August 3), when his iPhone shut down and began to reboot. As he explains on his blog, he thought nothing of it, assuming it was a software fault. He tried to restore via iCloud but found his login credentials didn’t work.
He headed over to his MacBook Air to try to restore from there, but found it was asking him for a four-digit PIN, which Honan had never set up. He turned to his iPad, but that too had been reset. He tried logging into his Gmail account on his wife’s laptop. That password had also been changed: the hackers had sent a password reset email to his .mac address, which he was, of course, locked out of.
He was locked out of his email and Apple accounts, and his devices – an iPhone, iPad and MacBook Air – had all been remotely wiped. At this point he also noticed his Twitter account was sending out foul-mouthed messages, as was the Gizmodo account.
Honan called Apple support but found that they couldn’t really help beyond setting up an appointment for him at the Genius Bar in one of their stores. They couldn’t stop the remote wipe that was still in progress, meaning all his photos, documents and so on were gone. (There is of course a lesson here about relying on a single cloud service for backup: keep at least one copy offline, under your own control and not tied to the same account that can be used to erase the others.)
Honan and colleagues from Gizmodo pulled some strings with Google and Twitter to regain access to his emails and suspend the Twitter account.
At first this seems like a standard hacking story – perhaps the same password was used for all accounts and once the attacker had accessed one, they had access to all of them. But here’s where this story gets even more interesting. One of the attackers got in touch with Honan to explain how the hack happened.
It was not a case of a compromised password or a brute-force attack (where the service is bombarded with passwords until the right one is found). Instead, the attackers had talked their way into Honan’s accounts.
The hacker, a member of the Clan Vv3 group, phoned Apple’s tech support line and convinced the operator that they were Honan. Manipulating a person into handing over access, rather than attacking the technology itself, is called social engineering.
They then bypassed the security questions and had free rein over his accounts. Although they were in control only for a short period of time, they were able to do a significant amount of damage, both in terms of deleted data and reputational harm to Honan and to Apple.
If the hacker managed to sweet-talk his or her way around the security questions so that no answers even had to be given, Apple’s tech support security procedures leave a lot to be desired.
Paul Ducklin of Sophos says these types of attack are actually very hard to defend against, adding that having a human in the loop, while useful, will occasionally result in lapses like this. That, however, seems to ignore the fact that letting anyone bypass the security questions is a huge breakdown in the system: a verification step that an operator can waive at their own discretion is not a control at all. It simply should not be allowed to happen.
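As an added illustration of that last point (example code written for this article, not Apple’s or any vendor’s actual system), the following Python sketches a support-desk password-reset workflow in which the "verified" state can only be produced by a correct answer to the stored challenge. The operator’s tooling has no switch to vouch for a caller, wrong answers are counted and lock the account, and every privileged action is written to an audit log. The account name, the secret answer and the operator names are constructed sample data.

```python
"""Support-desk account recovery where the system, not the operator,
decides whether a caller has been verified. Added illustration only;
all names and sample data are hypothetical."""
import hashlib
import hmac
import secrets
import time


class VerificationRequired(PermissionError):
    """Raised when a privileged recovery action is attempted without proof."""


class AccountRecovery:
    MAX_ATTEMPTS = 3        # wrong answers before the account is locked
    CASE_TTL_SECONDS = 600  # a verified case expires quickly

    def __init__(self):
        self._accounts = {}  # user_id -> {"salt", "answer_hash", "locked"}
        self._cases = {}     # case_id -> {"user_id", "operator", "attempts", "verified_at"}
        self.audit_log = []  # (timestamp, operator, action, user_id, outcome)

    @staticmethod
    def _hash(salt, answer):
        # Normalise ("Fluffy " == "fluffy"), then slow-hash so the stored
        # answer is not recoverable if the support database leaks.
        norm = answer.strip().lower().encode()
        return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)

    def enrol(self, user_id, secret_answer):
        salt = secrets.token_bytes(16)
        self._accounts[user_id] = {
            "salt": salt,
            "answer_hash": self._hash(salt, secret_answer),
            "locked": False,
        }

    def is_locked(self, user_id):
        return self._accounts[user_id]["locked"]

    def open_case(self, operator, user_id):
        """Operator opens a ticket; this grants no access by itself."""
        if user_id not in self._accounts:
            raise KeyError("no such account")
        case_id = secrets.token_hex(8)
        self._cases[case_id] = {"user_id": user_id, "operator": operator,
                                "attempts": 0, "verified_at": None}
        self._log(operator, "open_case", user_id, "ok")
        return case_id

    def submit_answer(self, case_id, answer):
        """The only code path that can mark a case as verified."""
        case = self._cases[case_id]
        acct = self._accounts[case["user_id"]]
        if acct["locked"]:
            self._log(case["operator"], "submit_answer", case["user_id"], "locked")
            return False
        case["attempts"] += 1
        ok = hmac.compare_digest(acct["answer_hash"],
                                 self._hash(acct["salt"], answer))
        if ok:
            case["verified_at"] = time.time()
        elif case["attempts"] >= self.MAX_ATTEMPTS:
            acct["locked"] = True  # further recovery needs a slower, stronger process
        self._log(case["operator"], "submit_answer", case["user_id"],
                  "ok" if ok else "wrong")
        return ok

    def reset_password(self, case_id):
        """Refuses unless the case was verified recently; no operator override."""
        case = self._cases[case_id]
        verified = case["verified_at"]
        if verified is None or time.time() - verified > self.CASE_TTL_SECONDS:
            self._log(case["operator"], "reset_password", case["user_id"], "refused")
            raise VerificationRequired("case is not verified")
        self._log(case["operator"], "reset_password", case["user_id"], "ok")
        return secrets.token_urlsafe(12)  # temporary password, must be changed on login

    def _log(self, operator, action, user_id, outcome):
        self.audit_log.append((int(time.time()), operator, action, user_id, outcome))


def run_scenario():
    """Play the legitimate owner and a persuasive caller through the same flow."""
    svc = AccountRecovery()
    svc.enrol("user-1", "Fluffy")  # constructed sample account and answer

    # Owner: correct (if sloppily typed) answer, reset permitted.
    case = svc.open_case("operator-1", "user-1")
    owner_ok = svc.submit_answer(case, " fluffy")
    owner_pw = svc.reset_password(case)

    # Caller who sounds convincing but cannot answer: lockout, no reset.
    case2 = svc.open_case("operator-2", "user-1")
    guesses = [svc.submit_answer(case2, g) for g in ("Rex", "Whiskers", "Spot")]
    try:
        svc.reset_password(case2)
        attacker_reset = True
    except VerificationRequired:
        attacker_reset = False

    return {
        "owner_verified": owner_ok,
        "owner_got_password": isinstance(owner_pw, str) and len(owner_pw) > 0,
        "attacker_guesses": guesses,
        "attacker_reset": attacker_reset,
        "account_locked": svc.is_locked("user-1"),
        "refusals_logged": sum(1 for e in svc.audit_log if e[4] == "refused"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point is structural: the decision to reset lives in code the operator cannot override, so persuasion on the phone has nothing to act on, and the audit log shows who opened which case and what was refused. A remote wipe is far more destructive than a password reset and deserves a stronger proof again, such as confirmation from an already-enrolled device; it should not be reachable from a support-desk workflow at all.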
Thankfully, at the time of writing, Honan had recovered access to his Gmail and Twitter accounts and his Apple devices, although he is unsure whether data deleted from his laptop is recoverable. "The last major piece of this is my MacBook," he wrote. "I have a genius bar appointment today. I guess I’ll know what the damage is once I’m there."
Honan added that he has been in touch with Apple. "I have an email in to Tim Cook and Apple PR, and want to give them a chance to respond (and make changes)," he wrote. "I want to give the company a little more time to look at its internal processes, but should be as simple as a policy change."
"So far, I haven’t received any acknowledgement from Apple corporate. I did, however, get an urgent call from AppleCare ten minutes after emailing Mr. Cook, informing me that my situation had been escalated and there is now only one person at Apple who can make changes to my account. So I gather corporate is aware of what happened and looking into how to most effectively respond to make sure this doesn’t happen again," he concluded.