Wired writer Mat Honan got hacked over the weekend and lost almost everything.
His MacBook, iPad, and iPhone were all linked to Apple’s iCloud, and the hackers used that service to wipe everything on all three devices, including all the photos he’d taken of his one-year-old daughter. They also got into Honan’s Gmail account (they deleted it), his Twitter account, and Gizmodo’s Twitter account. On the latter two, the hackers posted a string of racist and homophobic messages.
Honan has described the hack in remarkable detail. He learned how it was done in the course of a long conversation with one of his hackers, who revealed many of the secrets.
The details show that the hack was only possible thanks to a weak identity-verification process at Apple's iCloud support, compounded by an equally weak one at Amazon.com: each company treated as a secret a piece of information the other company hands out freely.
While people like Apple founder Steve Wozniak may point to this episode as an example of how our cloud-based future is going to create “horrible problems” — when everything is connected, hackers can get access to everything — the episode actually contains a few more specific lessons.
You need two-factor authentication
Cloud-based services need two-factor authentication so that a password alone is not enough to unlock your account. And you need to use it, when it’s available.
Google offers a particularly good implementation, in which you have to enter a passcode sent to your phone before you can log in on a new, untrusted computer. (Even more securely, you can install Google's Authenticator app on your phone and let that generate the codes you enter, so no message has to be sent at all.) A would-be hacker can only get access to your account if they know your password and have access to this code, which in most cases would require having possession of your phone. (And you did remember to set a lock code on your phone in case you lose it, right?) A well-implemented two-factor authentication process is very difficult to bypass. The caveat is that it only protects the normal login path: if a service's password-recovery or support process will reset or hand over an account without the second factor, as Apple's did in Honan's case, the second factor never gets asked for.
“Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter,” Honan wrote. “Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc.”
Apple needs to get its act together
Apple needs to offer two-factor authentication for its services, and it needs to close a gaping hole in its password recovery process. Until it does, you should not use iCloud.
Currently, the only protection offered for iCloud is a password. If you’re using iCloud, make sure it’s a long, unique password, not some short, guessable one you also use elsewhere. Remember, this is protecting your entire digital life (or at least, that portion of it that you’ve trusted to Mac products that work with iCloud).
Even worse, it’s trivially easy for a hacker to bypass the iCloud password. All he or she has to do is call up Apple tech support and provide the account’s email address, a billing address, and the last four digits of a credit card on file. Honan verified this twice over the weekend in calls with Apple tech support and was able to repeat the exploit in the Wired offices.
You absolutely should not use iCloud with the “Find My Mac” feature, which includes a remote-wipe capability. That might make sense for your phone, but how likely is it that you’re going to misplace your MacBook? Turning it on means that anyone who takes over your Apple ID, as Honan’s attackers did, can erase your computer from anywhere; that risk is worse than the risk of losing your MacBook in the first place.
Amazon needs to get its act together
The hackers got access to Honan’s Amazon account through an almost ridiculously easy process, which Honan describes in his article. Basically, all you need is the account holder’s name, email address, and billing address, information that is public or easily found for many people.
Once in, Amazon’s interface let them see the last four digits of all the credit cards on file. One of those was the card Honan used with his iCloud account, which then let the hackers unlock iCloud.
“In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification,” Honan wrote. He continues:
“The disconnect exposes flaws in data management policies endemic to the entire technology industry and points to a looming nightmare as we enter the era of cloud computing and connected devices.”
Honan is right: The lack of consistent security policies across cloud-based services, and the corresponding tight connections between many of them, open up a host of vulnerabilities. He wasn’t the only one victimized by this exploit: He notes that he’s spoken with other people who have been hacked the same way.
More problems like this are surely coming. Cloud providers’ readiness is very poor, security executive David DeWalt told me recently. But before you blame “the cloud” for these security flaws, remember that the flaws are traceable to specific companies’ security policies.
The industry needs to take this issue seriously, or all cloud services — and the people using them — will suffer.