[_BB10_]

Very interesting story here:

Apple allowed a hacker to wipe user’s iOS devices

I know the typical Apple user doesn't give a single thought to device security when making their purchase, but might they if they wake up to a wiped device?

And what about those companies giving in to the BYOD movement? Perhaps RIM's security is valuable after all?

We'll see...

[_StephenBB81]

LMAO!

wow that really made me laugh,

NO it wont be the folly of Apple, it will be fixed soon enough, but I did get a chuckle about how much control they got with 1 single password

[RoseBud68]

For those that choice not to click the link.

Apple allowed a hacker to wipe user’s iOS devices

Whenever we hear the word tech support, deep down inside we know that they’d help us to fix everything. But at times helping people is the wrong thing, well, in this case the people they were trying to help were not quite the right people. The story comes from a person who’s one of us, who has been covering tech industry from quite some time now. Matt Honan, senior writer over Wired.com and former Gizmodo employee recently reported that his iCloud account got hacked. Hacker not only got into his personal email account but also wiped his iOS devices including an iPhone and iPad. The hackers also got access to his Gmail account which was linked to his for employer — Gizmodo’s Twitter accounts.

The story was vague because he himself didn’t know how hackers got into his account but when the story unfolded; it was more than just a normal hacking but we will get to that later. Matt explained how this happened in a very elaborative way:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere.
…
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.

It turns out, folks who hacked into his iCloud, Gmail and other accounts were not hackers but just some socially smart people who managed to convince Apple Support that they were actually Matt Honan. Apple Support changed the password and after that it was just a matter of minutes when they hacked everything linked to that specific iCloud account. After a little investigation Matt updated his original post and explained how this happened:

I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.

It’s not about just Matt Honan, the point to ponder here is that whether Apple is going to do something about their security flaws or not. Today it was Matt, tomorrow it be yours or my own iCloud account.

We will keep you updated on this, stay tuned!

[hootyhoo]

This wasn't about device security. The phone was not hacked.

[qbnkelt]

OK that was a good one. Made my hair stand on end, that did...

Sure.....BYOD....in corporations where security is key....that'll be a hoot to watch....

[qbnkelt]

This wasn't about device security. The phone was not hacked.

Not device security, but iCloud and platform flaws.....

[_StephenBB81]

This wasn't about device security. The phone was not hacked.

But Apple isn't about the device it is about the ecosystem isn't it?

and this is a flaw in the system that after 1 password is accessed your iPhone/iPad/MacBook call all be wiped

there should be secondary passwords to prevent such things.
It is a Platform security issue

[Laura Knotek]

I would think that corporations would disable users' ability to access iCloud on iPhones used in enterprise.

[Roo Zilla]

But Apple isn't about the device it is about the ecosystem isn't it?

and this is a flaw in the system that after 1 password is accessed your iPhone/iPad/MacBook call all be wiped

there should be secondary passwords to prevent such things.
It is a Platform security issue

You can use separate ID/password for all your iDevices on iCloud. It's just that most people find it more convenient to just use the one.

[amazinglygraceless]

Isn't this a breakdown at the human level (Apple Support and the end user with a common p/word) as opposed to a platform security flaw? Or am I missing something?

[_StephenBB81]

You can use separate ID/password for all your iDevices on iCloud. It's just that most people find it more convenient to just use the one.

What happened here was the user got a single password, and then was able to reset all other passwords from that single password and wipe each device

because I don't use iCloud with my iProducts I'm not aware of how iCloud's remote wipe works
are you saying for each remote wipe I must enter a password for each one?

[_StephenBB81]

Isn't this a breakdown at the human level (Apple Support and the end user with a common p/word) as opposed to a platform security flaw? Or am I missing something?

YES it is the human level breakdown for the "hack" what is unnerving is that after a single password the amount of havok that could be caused from within iCloud

[_StephenBB81]

I would think that corporations would disable users' ability to access iCloud on iPhones used in enterprise.

One would HOPE!
though that doesn't seem to be the case from most iPhone users I know, nor my Company issued iPhone/iPad we are permitted to use iCloud should we choose, I chose not to.

[raino]

Here's another perspective on the same story, with a personal experience:

How Did Apple Allow Hackers to Access iCloud Account? | PCWorld Business Center

I would be really interested how the hackers got in, given the difficulty the author of my link had gaining access to his account.

[jrohland]

First, Apple, RIM, Microsoft and others should offer two-part authentication like Google and Facebook have. Second, the blogger should have activated two-part on his Gmail account. That would not have protected his Apple devices but it might have stopped the Twitter hack.

I know several people who have had their game accounts, including Xbox live account hacked the same way.

[jrohland]

I dont see how this is a "platform flaw" it just happened the con artist was good enough to convince the apple support person they were the person they were impersonating and got the password reset. Same thing could very well happen to a blackberry if it was able to be reset remotely via rims servers. If I steal your checkbook and write a bunch of checks in your name is it the banks fault for you losing the checks? You guys need to relax on the whole we are so secure crap its a pathetic thing to brag about and doesnt even matter to 99% of users. I dont care if my info is able to be stolen cause guess what? Im not dumb enough to keep stuff on my phone that is of vital importance and neither is anyone running around with top secret info.

First, this is a platform flaw. If Apple had implemented two-part authentication like Google and Facebook have, tech support should have sent a number code by TXT or voice before allowing access.

Many, many people in high security positions walk around with secrets on their devices. And many use one password for bunches of systems.

[_StephenBB81]

First, this is a platform flaw. If Apple had implemented two-part authentication like Google and Facebook have, tech support should have sent a number code by TXT or voice before allowing access.

Many, many people in high security positions walk around with secrets on their devices. And many use one password for bunches of systems.

Well the 1 password isn't really an issue

the users Never got the password, they got the password Reset, from my understanding so the users password is still protected. but access was granted

[hootyhoo]

Well the 1 password isn't really an issue

the users Never got the password, they got the password Reset, from my understanding so the users password is still protected. but access was granted

With a two part confirmation though, a confirmation text or email sent to the device itself would have prevented this problem.

[filmgirl]

Disclosure: I've met Mat socially once or twice and we work in the same space.

This is a definitely a major gaffe for Apple -- but I don't think it's a platform flaw as much as a customer service flaw.

The idea behind Find My Mac or Find My iPhone is that if enabled, you can track down your device, send a message to it and -- if necessary -- remotely wipe the device. The idea behind this is quite good; if your phone is stolen and can't get recovered (or your laptop) you can wipe your private info off the device.

The problem here was that Mat hadn't backed up in a long time (which made EVERYTHING worse) and he used that account as a recovery email account for his Gmail. It was a perfect storm.

The hacker probably called Apple, claimed to be Mat, was able to say something about how his stuff was stolen, he's a reporter has sensitive documents, etc., and he needs his password reset and he needs to wipe his devices.

The person at Apple never should have reset the password or given access to a new password to the caller -- I can see them doing this if you are in the store with ID, but not over the phone. That was the gaping vector.

After that, the remote wipe tools acted as expected. It was just socially engineered by a jackass who really should go to jail for this sort of thing.

This could happen to any company with remote wipe tools -- RIM, Google, Motorola, Microsoft, HTC, etc. A two-auth password wouldn't do anything here because the scum ball called tech supplier, probably spun some story about how he doesn't have his phone or anything else, and got a reset. When the vector us human, any company is vulnerable and the technical security measures cease to matter.

This was a major fail on a customer service agent -- who ironically was probably trying to do in his or her mind -- the right thing.

That said, this certainly doesn't make Apple look good. And I wouldn't be surprised if they institute more security precautions into user accounts for Apple Care as a result of this instance. But if you say the right thing to the right person, and this goes for basically everything in society, you can get access to almost everything.

[filmgirl]

With a two part confirmation though, a confirmation text or email sent to the device itself would have prevented this problem.

No, it wouldn't have. Because in this case, the is on the phone with Apple is saying his phone is stolen. He's saying that he can't get a text to confirm the next step. He's saying his info needs to be reset or remote wiped. As long as he can get the person on the phone to believe him, he's in. Don't think that there are no manual overrides do two-auth security. You'd be surprised at how lax the help desk at your average Fortune 100 firm is.

[_StephenBB81]

Disclosure: I've met Mat socially once or twice and we work in the same space.

This is a definitely a major gaffe for Apple -- but I don't think it's a platform flaw as much as a customer service flaw.

The idea behind Find My Mac or Find My iPhone is that if enabled, you can track down your device, send a message to it and -- if necessary -- remotely wipe the device. The idea behind this is quite good; if your phone is stolen and can't get recovered (or your laptop) you can wipe your private info off the device.

The problem here was that Mat hadn't backed up in a long time (which made EVERYTHING worse) and he used that account as a recovery email account for his Gmail. It was a perfect storm.

The hacker probably called Apple, claimed to be Mat, was able to say something about how his stuff was stolen, he's a reporter has sensitive documents, etc., and he needs his password reset and he needs to wipe his devices.

The person at Apple never should have reset the password or given access to a new password to the caller -- I can see them doing this if you are in the store with ID, but not over the phone. That was the gaping vector.

After that, the remote wipe tools acted as expected. It was just socially engineered by a jackass who really should go to jail for this sort of thing.

This could happen to any company with remote wipe tools -- RIM, Google, Motorola, Microsoft, HTC, etc. A two-auth password wouldn't do anything here because the scum ball called tech supplier, probably spun some story about how he doesn't have his phone or anything else, and got a reset. When the vector us human, any company is vulnerable and the technical security measures cease to matter.

This was a major fail on a customer service agent -- who ironically was probably trying to do in his or her mind -- the right thing.

That said, this certainly doesn't make Apple look good. And I wouldn't be surprised if they institute more security precautions into user accounts for Apple Care as a result of this instance. But if you say the right thing to the right person, and this goes for basically everything in society, you can get access to almost everything.

I disagree that this isn't a platform problem
The BIGGER problem is the Customer service problem, but the platform problem is how much can be done with a single password, once entered into ones iCloud everything can be done. a password for each remote wipe would add the secured level to the cloud system,

[madman0141]

Can't wait for the follow up story. "RIM did it because Apple is our friend and RIM needs to be punished"
I think it would be a great follow up....media makes up most of it anyway.

[filmgirl]

I disagree that this isn't a platform problem
The BIGGER problem is the Customer service problem, but the platform problem is how much can be done with a single password, once entered into ones iCloud everything can be done. a password for each remote wipe would add the secured level to the cloud system,

I don't disagree in theory, but in practice, asking for three different passwords to do a remote wipe, will for most users -- corporate or otherwise -- end up preventing people from using a service. And in this case, it still wouldn't matter because if the creep got one password reset, he could get them all.

And single password vectors aren't limited to Apple. Look at any Unix or Unix-like computer server. If I get root access, I can wreak havoc. That's why the first rule of securing your web server is disabling root. (Even then, a good hacker can crack their way in to re-enable root, but it takes more time and should set off red flags).

Multiple steps are a good idea, but I don't see users adopting them and in this case, it still wouldn't have mattered.

[_StephenBB81]

I don't disagree in theory, but in practice, asking for three different passwords to do a remote wipe, will for most users -- corporate or otherwise -- end up preventing people from using a service. And in this case, it still wouldn't matter because if the creep got one password reset, he could get them all.

And single password vectors aren't limited to Apple. Look at any Unix or Unix-like computer server. If I get root access, I can wreak havoc. That's why the first rule of securing your web server is disabling root. (Even then, a good hacker can crack their way in to re-enable root, but it takes more time and should set off red flags).

Multiple steps are a good idea, but I don't see users adopting them and in this case, it still wouldn't have mattered.

That is only IF the passwords for remote wipe are recoverable via Apple techsupport

Remote wipe is a feature that is not really used, but when used is pretty important, having an additional layer of security for the remote wipe would make sense, and the requirements for password recovery through security questions similar to ones banking requirements.

It wouldn't be unprenetrable, still, but it should not be so simple from a single password recovery to wipe out everything, because from my understanding your iCloud ALSO stores your backups, so one could effectively removed everything from a person who uses Mac/iOS for their life

[amazinglygraceless]

I disagree that this isn't a platform problem
The BIGGER problem is the Customer service problem, but the platform problem is how much can be done with a single password, once entered into ones iCloud everything can be done. a password for each remote wipe would add the secured level to the cloud system,

I still do not see this a a platform issue. Regardless of what happened ultimately, the breakdown here was one of operational controls in place in the customer service area.

That is a human failure and that human failing essentially gave away the keys to the house.

If the individual were able to execute this "hack" independent of the assistance of a person at Apple THEN and only then could this be purely considered a platform failure.