How Apple let a hacker remotely wipe an iPhone, iPad, MacBook

Summary: Gizmodo's Twitter account was recently hacked, after a former employee's iCloud account was breached, and all his Apple devices (iPhone, iPad, MacBook Air) were remotely wiped. It turns out the hacker didn't even have to get the password: he just tricked Apple's tech support.

On Friday, I wrote about how Gizmodo's Twitter account was hacked. It turns out that this was Apple's fault.

Let's take a step back. Over the weekend, it quickly became clear that the bigger story was how the whole thing started. First, former Gizmodo employee Mat Honan's iCloud account was hacked. The hacker then remotely wiped his iPhone, iPad, and MacBook Air, got into his Gmail account, his Twitter account, and finally Gizmodo's Twitter account.

When this came to light, I updated my article with a link to Honan's blog: Emptyage. Once Honan regained access to his iCloud account, he was able to retrace the hacker's steps through password reset emails. With this new Apple tidbit, however, it's worth looking at what Honan found:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn't use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it's not. Especially given that I've been using it for, well, years and years. My guess is they used brute force to get the password and then reset it to do the damage to my devices.

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone.

At 5:01 PM, they remote wiped my iPad.

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo's they were then able to gain entry to that as well.

Honan has since updated his blog post three times. The first time was to say that the hacker contacted him, and the second was to say he has started to regain access to his accounts and devices. Here's the third:

I know how it was done now. Confirmed with both the hacker and Apple. It wasn't password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I'm back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.

The fact that a hacker was able to access Honan's iCloud account with the help of AppleCare support is very worrying. Remember: the hacker then proceeded to destroy Honan's whole digital life. That's something iCloud users need to be very wary of, and something Apple should address, but knowing Cupertino, it probably won't even comment.

As a journalist, I need to point out that Honan currently works for Wired. It's not clear if he was targeted for this reason, but it is clear that his work was affected by this attack. On the flip side, his connections allowed him to get the issue resolved relatively quickly. How long would it have taken for the average Apple user?

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

64 comments
  • Amateur hour at One Infinite Loop

    You just can't make this stuff up.
    toddbottom3
    • Amateur hour is exactly right.

      This isn't Apple's only offense, and not even their biggest. Here's a bigger one: forcing customers to use an E-mail address as their Apple ID. This isn't just irritating for users; it's a massive security blunder. Everyone's E-mail address is on spammers' lists, and there are lists of common passwords widely available. When you cross-reference those two, you get thousands of hacked accounts: http://goldmanosi.blogspot.com/2012/06/forcing-people-to-use-e-mail-address-as.html
      Oscar Goldman
      • You do know...

        Microsoft has required this for Hotmail for years, right? Even my ISP does this but you know what? Where's all that spam people talk about? I have 5 different email addresses and I get little to no spam most days. Btw, maybe take the hint and not worry about the email ID and change your password every 6 months!!

        p.s. I've had my Hotmail address for at least 12 years and I might get a half dozen spam emails a week.
        Arm A. Geddon
      • Security Through Obscurity

        You're basically advocating security through obscurity. The attack you describe only works if the user's password is weak and/or shared. That's a gaping big security hole no matter how obscure your user name is.
        isaac32767
        • Passwords v Social Engineering

          isaac32767, you're missing the point! The point is that Apple Tech Support allowed a person, on the phone, to bypass ALL security. It wouldn't have mattered if the password was 100 characters long; the tech support person accepted all the lies the hacker told him/her.

          BTW - irony = having to use my email address and password to log in to make comments about a story concerning email addresses and passwords.
          maudygrunch
      • Whole thing has nothing to do with Apple or "clever social engineering"

        This Wired guy probably just set up as "secret word" the name of his dog "Spiky" or something, and the evildoer just guessed it right.
        DDERSSS
        • wrong

          No fanboi, you are making up crap. It was Apple support.
          Everq
    • Common Sin

      Failing to train their tech support people properly is a sin pretty much every big tech company commits.
      isaac32767
      • Welcome to the world of outsourcing.

        Welcome to the world of outsourcing. Something ZDNet championed a while back, and now it's come back to haunt them.

        I still think outsourcing is a bad, bad idea.

        They're not trained because it's likely just some random person picked off the streets of India or China.
        CobraA1
    • attack

      "you just can't make this stuff up". is this your new attack line?

      as a good attack dog it's important that you maintain consistency. attack dogs usually are something like this:
      BARKBARKBARKBARK grrrr grrrr grrrr BARKBARKBARKBARK

      so i think you're doing pretty good here. nothing else required. reason? no. rational debate? no. just a relentless "sick'em boy! sick'em!".
      oneleft
  • Ya know...

    I don't blame Apple for this directly... I blame the whole tech industry!

    Everyone has been trying to dumb down the tech industry and here we are, with people not qualified to be in any kind of support role for IT. It's a shame but half the techs in the field today seem to be incompetent to resolve even the most basic issues let alone prevent this type of stuff from happening.

    At my work, we use scrambled IDs, for a more secure login, and one of the techs used the IDs for his public gmail address! I was dumbfounded that he did that and had no clue why I said it was stupid!
    slickjim
    • Apple purposefully reduces security

      "we use scrambled IDs"

      And what does Apple force people to use? An E-MAIL ADDRESS. It's just idiotic.
      Oscar Goldman
      • Your beloved Microsoft does too!!

        As I stated above Hotmail does too but you know what? So does my TechNet account!!
        Arm A. Geddon
        • So what?

          So what?
          Everq
        • Do a risk assessment

          Is someone going to remote wipe all your digital devices with your hotmail user/pass?

          The level of security should be relative to the level of risk. Additionally, technet does not require you to use a public email address, whereas Apple does.
          GreatZen
    • Bad email addresses

      Weekid, your story about dumb techs made me laugh. Also reminded me that John Deutch, head of CIA in 1995, created an AOL account with a name that was something like "cia_boss@aol.com". He wondered why people got upset with him when they found out. BTW - He was also busted for using his personal laptop for "secret" business. One of our less stellar intelligence heads!
      maudygrunch
  • In your opinion is this a problem or not for the average user?

    or is this a sign of things to come?
    Over and Out
  • Not Apple's fault!

    Honan was just holding his accounts wrong.
    Joe Acerbic
  • So ... the guy had 100% of his accounts connected to one??

    I understand that social engineering hacks happen due to careless employees (who are just trying to do their job and don't realize they are getting conned). But what I don't understand is how breaking into an iCloud account can give a hacker access to everything the person owns.

    iCloud has no direct access to any devices. It is backwards, the device accesses data in the iCloud space. So how did the hacker actually manage to wipe a user's device when all he could do is wipe the data in the iCloud?? Was the user saving passwords, IPs and other sensitive information (without at least encrypting it) in a plain text file being stored on the iCloud?

    Then there is the claim that not only his work Twitter account was hacked, also his personal Twitter and Gmail accounts too. So how is that even possible? None has anything to do with the iCloud.

    So either the story is BS, or the guy is a complete moron who writes/saves his passwords everywhere he can.
    wackoae
    • Yeah, what I said but in more words.

      But seriously, if you actually read the article instead of kneejerk defense of iDiocy, it says that the hacker got the Gmail account because it had the iCloud account as secondary email used when resetting the password.
      Joe Acerbic