Mat Honan Hack Pokes Holes in Apple iCloud

iCloud is awesome because it "just works", but the Mat Honan hack illustrates how that can quickly be turned against you as well.

The hackers who hijacked Mat Honan's online life, took over his Twitter account(s), and wiped out his iPhone, iPad, MacBook, and Google accounts in one fell swoop showed some perseverance in achieving that goal. Not all attackers are quite that determined, but the hack still demonstrates some serious flaws in Apple's iCloud and the iCloud security model.

My iPhone, iPad, and MacBook Air are all synced through Apple's iCloud--just like Mat Honan's. I appreciate the convenience and simplicity of the fact that I can add a contact on my iPad, and it will automatically sync to the other two devices. I can take a picture with my iPhone, and the photo will be available from the iPad and MacBook as well. It just works.

The Mat Honan hack is a poignant illustration of how "it just works" can be a double-edged sword. If it just works for you, it also just works for an attacker who manages to gain access to your iCloud account.

The first potential problem with the automatic syncing is that someone in possession of my iPhone or iPad could wreak havoc. If someone starts deleting contacts, calendar events, or other synced information, those changes automatically sync to the other devices, which means losing the information on all of them--because it just works.

Then, there's Find My iPhone. The feature is misnamed, because it finds all of your iCloud-enabled Apple devices, not just iPhones. Logged in to my iCloud account, I can pinpoint the current location of my iPhone, iPad, and MacBook Air. I can also remotely wipe the devices and essentially return them to the factory-default, out-of-the-box state they originally came in if I need to prevent a thief from accessing my data or personal information.

In the Mat Honan hack, the attackers gained access to his iCloud credentials and remotely wiped all of his devices. Therein lies the problem--there should be an additional password or level of authentication for each device. The one iCloud password should not be sufficient to remotely wipe every device you have.

It negates some of the value of having that data synced across the devices in the first place. Part of the point is that I know I can lose my iPhone, but I'll still have all of my data and information on my other devices. That obviously isn't true if an attacker can take all of them out at one time.

Another problem with Find My iPhone is that it's very accurate in pinpointing the devices it tracks. If the iCloud credentials were breached by a stalker rather than a hacker, the Find My iPhone feature could lead them to your exact location. Look how well it worked in tracking down David Pogue's lost iPhone.

These issues aren't entirely unique to Apple. There are device-locating and remote-wiping features for Android, Windows Phone, and other devices as well. You can also prevent some potential security issues by making sure your devices are locked and protected by a password or PIN--but that wouldn't have helped in Mat Honan's case.

Apple should require additional authentication before remotely wiping a device. More importantly, that authentication should be unique to each device, so that an attacker who has the username and password for the iCloud account itself can't simply erase everything you own at one time.
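To make the design point concrete, here is an added example (not Apple's code or API, and not part of the original article) that models a remote-wipe authorization check two ways: the single-factor model the article criticises, where the account password alone unlocks a wipe of any enrolled device, and the per-device model it proposes, where the account password must be paired with a secret that is unique to the targeted device. Device names, PINs and the password are constructed sample values; `authorize_wipe_single_factor`, `authorize_wipe_per_device`, `Account` and `Credential` are hypothetical names chosen for this illustration.

```python
"""Toy authorization model for a remote-wipe request (added example, not
Apple's implementation). Compares a single-factor check against a
per-device second-factor check, using constructed sample data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _derive(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored verifiers are not the raw secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Credential:
    salt: bytes
    digest: bytes

    @classmethod
    def create(cls, secret: str) -> "Credential":
        salt = secrets.token_bytes(16)
        return cls(salt, _derive(secret, salt))

    def verify(self, secret: str) -> bool:
        # Constant-time comparison of the derived value.
        return hmac.compare_digest(self.digest, _derive(secret, self.salt))


@dataclass
class Account:
    password: Credential
    # device_id -> per-device secret verifier (set at enrollment time)
    devices: dict = field(default_factory=dict)

    def enroll(self, device_id: str, device_pin: str) -> None:
        self.devices[device_id] = Credential.create(device_pin)


def authorize_wipe_single_factor(account: Account, password: str,
                                 device_id: str) -> bool:
    """The model the article criticises: one account password is enough
    to wipe any device enrolled in the account."""
    return device_id in account.devices and account.password.verify(password)


def authorize_wipe_per_device(account: Account, password: str,
                              device_id: str, device_pin: str) -> bool:
    """The model the article proposes: the account password AND a secret
    unique to the targeted device are both required."""
    if device_id not in account.devices:
        return False
    if not account.password.verify(password):
        return False
    return account.devices[device_id].verify(device_pin)


def demo():
    """Constructed scenario: an attacker holds the account password only."""
    acct = Account(password=Credential.create("correct horse"))
    acct.enroll("iphone", "1357")
    acct.enroll("macbook", "2468")
    stolen_password = "correct horse"

    # Single-factor: the stolen password wipes every device.
    single = [authorize_wipe_single_factor(acct, stolen_password, d)
              for d in acct.devices]
    # Per-device: without each device's own secret, nothing is wiped.
    per_device = [authorize_wipe_per_device(acct, stolen_password, d, "0000")
                  for d in acct.devices]
    # The legitimate owner, holding the device secret, can still wipe.
    owner = authorize_wipe_per_device(acct, stolen_password, "iphone", "1357")
    return single, per_device, owner


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` shows the stolen password authorizing a wipe of both devices under the single-factor check and of neither under the per-device check, while the owner who also holds the device secret is still able to wipe the one device they choose. The per-device secret limits the blast radius of a compromised account password to zero devices rather than all of them.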

Stories by Tony Bradley