Bit9

Former Gizmodo reporter Mat Honan blogged last week that he was hacked “hard” via his iCloud account. “Hard” is an understatement. Here’s what happened: his iPhone, iPad and MacBook Air were remotely wiped, his Twitter accounts (both personal and Gizmodo’s) were compromised, and his Gmail account was deleted. In just a few hours, Honan’s digital life evaporated. Years of photos, contacts, email exchanges and more were gone in an instant. He admits to being — in his words — “a jerk” for not backing up his files via Apple’s Time Machine service (or something like it), but this level of coordinated attack — to a personal account — is simply staggering.

One of the many problems Honan experienced was how all of this data was stored. With only one login (and no ability to add two-step verification), iCloud users can access all of their data by opening just one door. This offers convenience for both the user in the short term and the hacker in the long term. iCloud doesn’t just store files and content; it acts like a Rosetta Stone for your digital life. Because iCloud connects to other services such as social media and Google accounts, once the hacker gets inside, he/she has unlimited access to all of the user’s data. All they have to do is get through a single layer of protection: one password.

Honan admits he didn’t use two-step verification with his Gmail account (which would have saved it), but reiterated the lack of such an option within iCloud itself. Because of this, he lost everything, not just emails.

It’s a sad state of affairs, and this will hardly be the last such case. The future is the cloud. Many services and tools begin and end there, with content never stored locally on one’s machine. All of these services have one simple and obvious front door, with password criteria hardly regulated and rarely enforced. We’ve seen this with Yahoo!, Gmail, LinkedIn and others in the past, and because it is now so easy to burrow into this environment, one personal breach can lead to several social engineering attacks on others.

It’s hard to understand why two-step verification was unavailable for an iCloud service that connects to so much, but where it is available, one should enable it. Security is largely about educating users about the risks, so expect to see many services mandating two-step verification rather than leaving it optional. Many users have heard of the process, but without a prompt to turn it on, many will never use it.

The other concern is how this affects a person’s employer. Honan’s breach didn’t stop at his personal account; it reached his former employer Gizmodo as well. Because Honan’s Twitter account was connected to Gizmodo’s, the tech blog could only watch as racist tweets were blasted out to more than 410,000 followers before the company suspended the account.

What’s even scarier is that this all could have been worse. If Honan, who now works for Wired, had more company account data connected within iCloud, the hacker could have nuked many Wired and Gizmodo digital assets out of existence. Also, somehow the iCloud account was compromised through a third party: an Apple technician. Without stronger verification of the caller’s identity during the social engineering attack, this was just too easy for the hacker.

Honan also reached out to Tim Cook, Apple’s CEO, about the issue. Ten minutes after his email, Honan received a phone call from AppleCare saying that they were looking into it and that only one person at Apple could now make changes to his account.

After this enormous fiasco, Honan’s digital life may never be restored to its former state. With a simple social engineering attack, Honan now has to go through digital reincarnation. So the lesson for all of us is to understand the value of two-step verification, the necessity of strong, healthy passwords, and the importance of backing up content to a local device disconnected from the Internet. Eventually, there will be ways to lock down third-party cloud services, but we just aren’t there yet. Until then, the cloud remains a treasure chest for hackers with the key dangling from the lock.