Security

Mat Honan Hack Pokes Holes in Apple iCloud

The hackers that hijacked Mat Honan’s online life, took over his Twitter account(s), and wiped out his iPhone, iPad, MacBook, and Google accounts in one fell swoop showed some perseverance in achieving that goal. Not all attackers are quite that determined, but the hack still demonstrates some serious flaws in Apple’s iCloud and the iCloud security model.

My iPhone, iPad, and MacBook Air are all synced through Apple’s iCloud--just like Mat Honan. I appreciate the convenience and simplicity of the fact that I can add a contact on my iPad, and it will automatically sync to the other two devices. I can take a picture with my iPhone, and the photo will be available from the iPhone and MacBook as well. It just works.

With one username and password I can pinpoint or remotely wipe all of my Apple devices.
The Mat Honan hack is a poignant illustration of how “it just works” can be a double-edged sword. If it “just works” for you, it also “just works” for an attacker who manages to gain access to your iCloud account.

The first potential problem with the automatic syncing is that someone with possession of my iPhone or iPad could wreak havoc. If someone starts deleting contacts, calendar events, or other synced information, those changes should be automatically synced across to the other devices which would mean losing the information on all of them because it “just works”.

Then, there’s Find My iPhone. The feature is mis-named, because it finds all of your iCloud-enabled Apple devices, not just iPhones. Logged in to my iCloud account, I can pinpoint the current location of my iPhone, iPad, and MacBook Air. I can also remotely wipe the devices, and essentially return them to the factory default, out of the box state they originally came in if I need to prevent a thief from accessing my data or personal information.

In the Mat Honan hack, the attackers gained access to his iCloud credentials and remotely wiped all of his devices. Therein lies the problem--there should be an additional password or level of authentication for each device. The one iCloud password should not be sufficient to remotely wipe every device you have.

It negates some of the value of having that data synced across the devices in the first place. Part of the point is that I know I can lose my iPhone, but I’ll still have all of my data and information on my other devices. That obviously isn’t true if an attacker can take all of them out at one time.

Another problem with Find My iPhone is that it’s very accurate in pinpointing the devices it tracks. If the iCloud credentials were breached by a stalker, rather than a hacker, the iCloud Find My iPhone feature could lead them to your exact location. Look how well it worked in tracking down David Pogue’s lost iPhone.

These issues aren’t entirely unique to Apple. There are device-locating, and remote wiping features for Android, Windows Phone, and other devices as well. You can also prevent some potential security issues by making sure your devices are locked and protected by a password or PIN--but that wouldn’t have helped in Mat Honan’s case.

Apple should require an additional authentication for remote wiping a device. More importantly, the authentication should be required to be unique to each device to ensure that an attacker with access to the username and password for the iCloud account itself can’t simply erase everything you own at one time.

Subscribe to the Security Watch Newsletter

Comments