Apple allowed a hacker to remotely wipe a journalist’s iPhone, iPad, and MacBook Air

Mat Honan, a tech journalist for Wired, has had his iPhone, iPad, and MacBook Air remotely wiped. Not only that but his Gmail was hacked which eventually lead to Gizmodo‘s Twitter account being taken over for a few minutes. How did this all happen? By Apple Support giving a hacker access to Honan’s iCloud account.

Here is an expert of the timeline of events Honan posted on his personal blog:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere.[…]

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone

At 5:01 PM, they remote wiped my iPad

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.

Honan first guessed someone had used a brute force attack to guess his password. However, he then learned brute force isn’t how a hacker gained access to his account — social engineering is. What happened is someone called Apple Support, convinced them that the hacker is Honan, and had Apple change the password on Honan’s iCloud account:

I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.

Once the hacker had access to Honan’s iCloud, he was not only able to wipe Honan’s devices (using Apple’s Find My iPhone‘s remote wiping service) but he was also able to reset Honan’s Gmail account password (since his iCloud e-mail was the recovery e-mail set in Gmail), which then allowed the hacker to access Honan’s personal Twitter and Gizmodo’s Twitter.

Of course once it was all revealed, Honan was able to reset all his passwords and restore access to his iCloud, Gmail, and Twitter. However the damage was literally already done with Honan’s data being wiped. As MacRumors rightly points out, Honan is somewhat of a public figure so guessing answers to security questions, etc. for his iCloud account to gain access probably isn’t as hard as it should be (although we would expect a tech journalist to use secure security questions to protect his very important iCloud account). However, the ball is in Apple’s court for this one; Apple needs to investigate how this happened, admit whatever mistakes were made, and clean up their act to prevent such things from happening in the future.

[via MacRumors | Image credit: curiouslee]

Related Posts

  • Zapped Sparky

    @lol768: Ah, thanks.

  • lol768

    It may be possible to brute force the password with a GPU, but add network delays and the fact that Apple should lock you out after a few attempts makes brute force infeasible.

    @Zapped Sparky: Useful for when iPhone is stolen or lost.

  • Zapped Sparky

    Erm, remote wiping service? I can’t believe such a thing exists.

  • JM

    Serves him right – he has way too many Apple Products.

  • Peter

    in Bob Dylan’s words (almost):”The data my friend is blowing in the cloud…” ;)

  • sl0j0n

    Hello, all.
    “Bruce” wrote;
    “There’s something funny about this whole thing.”
    Well, not having investigated it, I would say that the first thing to check is,
    how did Apple feel about this particular “tech journalist”?
    Was he ‘friendly’ to Apple, or was he a thorn in their side?
    Just say’n.

    Have a GREAT day, neighbors!

  • Bruce

    First of all, it’s terrible that this happened to Honan.
    However, it’s only by sheer happenstance that it wasn’t password related.
    A SEVEN CHARACTER password in today’s world is simply ludicrous.
    GPU brute force cracking makes 7 figure passwords extremely vulnerable.
    I can’t believe that a Gizmodo journalist would have such weak account security.
    Having said that, someone in Apple support is in big trouble if they “let them bypass security questions.”
    How on earth can someone socially engineer a circumstance wherein security questions are “bypassed” or ignored?
    Isn’t that what security questions are for? To prevent this exact occurence?
    It feels like there is more to this than this article covers.
    (Especially the lines about “Confirmed with both the HACKER and Apple.”)
    Why would a hacker reveal his attack vector to the victim (as well as possibly reveal his location), especially when he/she had done something as heinous as erase all the data on 3 devices?
    There’s something funny about this whole thing.

  • Stephen B. Cohen, Ph

    Apple also needs to reimburse Mr Honan with a large amount of $$ because it will take him quite a bit of time to restore what he can of the information he lost and some of it probably can never be restored.

    So much for Apple security!