How Apple let a hacker remotely wipe an iPhone, iPad, MacBook

On Friday, I wrote about how Gizmodo's Twitter account was hacked. It turns out that this was Apple's fault.

Let's take a step back. Over the weekend, it quickly became clear that the bigger story was how the whole thing started. First, former Gizmodo employee Mat Honan's iCloud account was hacked. The hacker then remotely wiped his iPhone, iPad, and MacBook Air, got into his Gmail account, his Twitter account, and finally Gizmodo's Twitter account.

When this came to light, I updated my article with a link to Honan's blog: Emptyage. Once Honan regained access to his iCloud account, he was able to retrace the hacker's steps through password reset emails. With this new Apple tidbit, however, it's worth looking at what Honan found:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn't use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it's not. Especially given that I've been using it for, well, years and years. My guess is they used brute force to get the password and then reset it to do the damage to my devices.

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone

At 5:01 PM, they remote wiped my iPad

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo's they were then able to gain entry to that as well.

Honan has since updated his blog post three times. The first time was to say that the hacker contacted him, and the second was to say he has started to regain access to his accounts and devices. Here's the third:

I know how it was done now. Confirmed with both the hacker and Apple. It wasn't password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I'm back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.

The fact a hacker was able to access Honan's iCloud account with the help of AppleCare support is very worrying. Remember: the hacker then proceeded to destroy Honan's whole digital life. That's something iCloud users need to be very wary of, and something Apple should address, but knowing Cupertino, it probably won't even comment.

As a journalist, I need to point out Honan currently works for Wired. It's not clear if he was targeted for this reason, but it is clear that his work was affected by this attack. On the flipside, his connections allowed him to get the issue resolved relatively quickly. How long would it have taken for the average Apple user?

See also:

• Hacker on Apple's iOS in-app purchase fix: 'Game is over'
• Apple security blunder exposes Lion login passwords in clear text
• Apple Mac in-app purchases hacked; everything free like on iOS
• Apple iOS in-app purchases hacked; everything is free (video)
• Over 600,000 Macs infected with Flashback Trojan
• Cross-platform Trojan attacks Windows, Intel Macs, Linux