Apple tech support 'socially engineered' in hack of journalist's iCloud account
Tech reporter Mat Honan's iCloud account was compromised on Friday, wreaking havoc on both his personal machines as well as Gizmodo's Twitter feed, and it was discovered on Sunday that Apple tech support was partly to blame for the breach.
The hack was first thought to be a simple brute force attack on Honan's seven-digit alphanumeric iCloud password, which he has used for "years and years," though in the process of reconfiguring accounts it was confirmed that the issue wasn't a password, but the "social engineering" of an Apple tech support employee.
In recounting the experience on his blog, Honan first realized something was amiss when his iPhone rebooted to the default setup screen. He couldn't log in to iCloud to restore the handset's previous settings from the device itself, so Honan connected the iPhone to his MacBook Air which displayed an iCal error message before its screen went gray and asked for a four digit PIN.
"I didn?t have a four digit pin," Honan wrote. "By now, I knew something was very, very wrong. I walked to the hallway to grab my iPad from my work bag. It had been reset too. I couldn?t turn on my computer, my iPad, or iPhone."
Things got progressively worse from there as Honan's Google account was deleted, the only way to restore it would be via text message to the iPhone he no longer had access to. The tech writer's Twitter feed, along with his previous employer Gizmodo's, were also compromised. Perhaps most troubling was that his MacBook Air was being remotely wiped, along with his iPad and iPhone, using Apple's Find My Device feature. The wipe may be recoverable, however, as Honan stopped the process by powering the MacBook Air down before an over-write began.
Find my iPhone on iOS 5.
Honan noted in a blog update that a person claiming to be the hacker made contact and told him "[I] didn't ur password or use bruteforce. i have my own guide on how to secure emails."
From Honan's blog:
Honan reached out to Apple Corporate as well as the company's PR team, though no response has been given at the time of this writing.
The hack was first thought to be a simple brute force attack on Honan's seven-digit alphanumeric iCloud password, which he has used for "years and years," though in the process of reconfiguring accounts it was confirmed that the issue wasn't a password, but the "social engineering" of an Apple tech support employee.
In recounting the experience on his blog, Honan first realized something was amiss when his iPhone rebooted to the default setup screen. He couldn't log in to iCloud to restore the handset's previous settings from the device itself, so Honan connected the iPhone to his MacBook Air which displayed an iCal error message before its screen went gray and asked for a four digit PIN.
"I didn?t have a four digit pin," Honan wrote. "By now, I knew something was very, very wrong. I walked to the hallway to grab my iPad from my work bag. It had been reset too. I couldn?t turn on my computer, my iPad, or iPhone."
Things got progressively worse from there as Honan's Google account was deleted, the only way to restore it would be via text message to the iPhone he no longer had access to. The tech writer's Twitter feed, along with his previous employer Gizmodo's, were also compromised. Perhaps most troubling was that his MacBook Air was being remotely wiped, along with his iPad and iPhone, using Apple's Find My Device feature. The wipe may be recoverable, however, as Honan stopped the process by powering the MacBook Air down before an over-write began.
Find my iPhone on iOS 5.
Honan noted in a blog update that a person claiming to be the hacker made contact and told him "[I] didn't ur password or use bruteforce. i have my own guide on how to secure emails."
From Honan's blog:
In the last update to Honan's saga, AppleCare was able to confirm the hacker's claims of bypassing iCloud's password protection by going through an employee. A more detailed account of how this was done will be made public in a Wired report on Monday.I know how it was done now. Confirmed with both the hacker and Apple. It wasn?t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I?m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.
Honan reached out to Apple Corporate as well as the company's PR team, though no response has been given at the time of this writing.
Comments
Just wondering, If you set really easy questions for the "confirm it's you" bit, then Google searches may have the answers. (E.G. if you haven't got a private FaceBook account, quite a lot of info will be publicly avaliable, therefore making it very easy for a clever person to bluff their way through proving that they're "you"!
Having said that, I have backups of important data that is stored in iCloud (Contacts, photos etc), since if iCloud dies, or goes offline, I don't want to loose it all.
I work in IT, and I keep having to tell users than you can never have too many backups!
I smell a rat.
I sure hope that AI is not going to make this a major story. Yes, a tech support guy (or gal) screwed up. Yes, Apple is going to tighten the process. But AI is going to blow this way out of porportion. AI give it a rest......
Well to be fair - if it is true then it is a real issue, since it implies that the controls against it happening are administrative, rather than engineered. That said, I'm sure Apple will fix it, and quickly.
Quote:
Originally Posted by wizard69
ICloud as a service is extremely flawed. If nothing else the service should have a way to backup to an owners Mac OS machine. Further saving a copy of an iCloud file locally shouldn't be so damn difficult. ICloud is like 80% of the way there but Apple certainly missed important use cases and seems to have forgotten about user control.
Supposedly you just drag the file from the iCloud view wherever you want, and you have a local copy. I’m not rushing into Mountain Lion so I can’t say.
I’m approaching all cloud-based services from DropBox to iCloud cautiously and slowly. Using them strategically to solve problems (like keeping my calendars in sync) but not jumping in with both feet. This event, like that DropBox password incident, reinforces my plan! I still like DropBox and iCloud as far as I use them, but my trust for them will be growing veeeeryyyy slooowlllyyy.
And I’ll always have multiple backups of my own! If anyone somehow attacks me, I’ll be back up and running in a matter of hours with no loss. (I even do my backups in multiple different ways and store them in different places, but I know most won’t go THAT far. For most, the “cloud" is potentially a great thing in case of fire!)
In any case, I hope the attacker does some SERIOUS JAIL TIME. That’s like breaking into an artist’s house and burning his paintings, his art supplies, his family photos, and his address book. Apple’s rep needs to be looking for a new job (and Apple needs policies to make such failures impossible), but the attacker needs to be looking for a cellmate.
This story has an extremely misleading introduction. Apple are not "partly" to blame. Apple are entirely to blame.
When the hacker was unable to answer the security questions, the tech support employee should have put the hacker on hold, phoned Mat Honan's iPhone, and asked if he had just phoned Apple tech support to change his iCloud password.
Payback.
The only way Apple does resolve anything is if a big deal is made.
I doubt that would be the case this time.
Quote:
Originally Posted by Ed Steinberg
I sure hope that AI is not going to make this a major story. Yes, a tech support guy (or gal) screwed up. Yes, Apple is going to tighten the process. But AI is going to blow this way out of porportion. AI give it a rest......
Isn't this precisely the type of story that should be on this site? A whole lot more relevant to Apple customers than what Microsoft Surface is about?
Jizzmodo?
The same bottom feeding scum, short attention span whores; Jizzmodo?
Really?
There must be a lot more to this. A whole lot.
I think If it was this easy, why not someone else?. Why not a whole lot of other accounts?
It just happened to be the one Jizzmodo?
How can they? There's no software to stop social engineering.
But you can make it almost impossible.
Quote:
Originally Posted by Quadra 610
Payback.
Because some other dude got his e-life wiped?
Quote:
Originally Posted by djsherly
Because some other dude got his e-life wiped?
Gizmodo.
I only put stuff on the cloud I can get back easily or that I dont need. I do manual cloud syncs only.