By James DeRuvo (doddleNEWS)
Yesterday, we serendipitously reported Apple co-founder Steve Wozniak’s prophetic vision of a world of hurt caused by overreliance on cloud computing and backup. Little did we know that within 24 hours, his warnings would become reality as a reporter for Wired Magazine found out that hackers had taken over his entire digital life and wiped it out, all with an Apple ID and the last four digits of his credit card number stored on his Amazon account.
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my Apple ID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook. – Mat Honan, Wired Magazine
In what amounts to a perfect but unfortunate coincidence, hackers exposed two vital security flaws for users who use both Amazon.com and Apple products and services. What the hackers were able to do was use each company’s security flaw to expose the other and get control of not only Honan’s Amazon and Apple accounts, but also his Google and Twitter accounts. And when they did, they laid waste to them, wiping out his mobile phone and his tablet, deleting all his cloud-based data (including digital pictures and videos of his daughter), and embarrassing Honan with racist and homophobic comments posted to his Twitter feed. And even then, it could’ve been worse … MUCH WORSE.
Why did hackers target Honan? They contacted Honan to explain… partly because they wanted to expose security flaws for the world to see and change, and partly because they wanted to “fuck shit up, and watch it burn.” (Editor’s note: I believe the hackers posted racist comments through Gizmodo’s Twitter account.) It really wasn’t personal. But it’s hard not to think it personal when every digital picture you’ve taken of your daughter’s life has been deleted. The sad part is that all the hackers really wanted was access to Honan’s Twitter account. But to change the password and to seize back control would be too easy, so they engaged in a scorched earth campaign to prevent Honan from taking any action.
And that’s the scary part of life in the cloud. Without a local backup strategy, which also includes an offsite option, our entire digital life is in jeopardy from hackers who want to see the world burn, knowing that they caused it. Even if it’s to teach us a lesson, the point is, we’re vulnerable.
How’d they get so far, so fast? Well, it turns out that Honan had his digital life daisy-chained. He had a Twitter account, which linked to his website, which had his email address through Google Gmail. And since Google links everything from music, to videos, to even purchases via email, it’s all vulnerable to someone simply recovering and changing the password. Google offers password recovery via a separate email address, which in this case was Honan’s MobileMe account via Apple. And that meant that hackers could get to his Apple ID.
“You honestly can get into any email associated with Apple,” the hacker told Honan in an e-mail. And once he had that, all he needed was a billing address – available through a simple WHOIS search – and the last four digits of his credit card number. And that’s where Amazon came in. The hacker was able to go to Amazon.com, call them and impersonate Honan. Amazon only required the account name, an associated e-mail address (which was also Honan’s Apple ID), and the billing address. He was then able to get them to add a phony credit card number to the account. Once he had that, he could call back, give them the phony credit card number, and Amazon gave the hacker a new password. Jackpot. Now he could access the Amazon account and see the last four digits of Honan’s real credit card.
Next, he went to Apple technical support, and armed with all the information he needed, the hacker was able to get Apple tech support to change the password to Honan’s Apple ID. Then it was only a matter of using Find My iPhone and Find My Mac to wipe his phone, his iPad, and his Mac, plus delete all his data from iCloud, thereby erasing Honan’s digital life.
I’m mostly mad at myself. I’m mad as hell for not backing up my data. I’m sad, and shocked, and feel that I am ultimately to blame for that loss. But I’m also upset that this ecosystem that I’ve placed so much of my trust in has let me down so thoroughly.
At the end of the day, Honan really blames himself for daisy-chaining his life and not having secondary challenges in place to prevent social engineering. But he’s REALLY angry at Apple because Apple was well aware of this potential exploit and did absolutely nothing. Worse, when he contacted AppleCare to try and find out what was going on, they didn’t let him know someone had called a few hours earlier asking to change his password. He had to drag it out of them.
So what could Honan have done to prevent all this? First, back up everything locally. Peter Krogh, over at DPBestflow, suggests a 3-2-1 strategy: three backups, with two different formats, and one off site. If you back up to the cloud, and then delete your local copy, you really don’t have a backup, do you? You’ve just moved your only copies to the cloud. So make sure you have at least three copies of everything.
Next, engage secondary challenges. Google has the ability to link a cellphone number to your email address. This is designed to send you a text message to confirm you actually want to change your email password. So unless they’ve stolen your cellphone, if someone seeks your password, you’ll know about it and can prevent it. Next, don’t daisy-chain your digital life. Keep it fragmented. Use a custom email for password recovery. And use separate credit cards if you’re buying things from Amazon, Google and Apple. Plus, make your passwords hard to guess through a brute force attack.
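To see how much the daisy chain matters, here is a small audit sketch, added for this write-up and not taken from Honan's article or from any provider. It models each account by what a reset requires and what the account reveals, then works out which accounts fall once the public details are known. The account and fact labels are constructed, the two Amazon calls are collapsed into one step, and the assumption that Twitter resets through the Gmail inbox is ours.

```python
# Added example: audit how far one reset can cascade through linked accounts.
# All labels are constructed for illustration, not any provider's real policy.

def reachable(accounts, known):
    """Return the accounts that can be reset starting from the `known` facts.

    accounts: {name: {"reset_needs": [set_of_facts, ...], "reveals": set_of_facts}}
    Satisfying any one set in reset_needs is enough to reset that account.
    """
    known, taken = set(known), set()
    changed = True
    while changed:  # repeat until a full pass adds no new account
        changed = False
        for name, acct in accounts.items():
            if name in taken:
                continue
            if any(needs <= known for needs in acct["reset_needs"]):
                taken.add(name)
                known |= acct["reveals"] | {f"control:{name}"}
                changed = True
    return taken

# Details the article says were easy to find: e-mail via the website, address via WHOIS.
PUBLIC = {"name", "email", "billing_address"}

# The daisy-chained setup described in the article.
CHAINED = {
    "amazon": {"reset_needs": [{"name", "email", "billing_address"}],
               "reveals": {"card_last4"}},
    "apple": {"reset_needs": [{"email", "billing_address", "card_last4"}],
              "reveals": set()},
    "gmail": {"reset_needs": [{"control:apple"}], "reveals": set()},    # recovery mailbox at Apple
    "twitter": {"reset_needs": [{"control:gmail"}], "reveals": set()},  # assumption, see lead-in
}

# The same accounts after the advice above: a separate card per store, a custom
# recovery mailbox, and a text-message challenge on the Google account.
FRAGMENTED = {
    "amazon": {"reset_needs": [{"name", "email", "billing_address"}],
               "reveals": {"card_last4_amazon"}},
    "apple": {"reset_needs": [{"email", "billing_address", "card_last4_apple"}],
              "reveals": set()},
    "gmail": {"reset_needs": [{"control:recovery_mailbox", "sms_code"}], "reveals": set()},
    "twitter": {"reset_needs": [{"control:gmail"}], "reveals": set()},
}

if __name__ == "__main__":
    print("chained:   ", sorted(reachable(CHAINED, PUBLIC)))
    print("fragmented:", sorted(reachable(FRAGMENTED, PUBLIC)))
```

In the chained setup every account falls; in the fragmented one the damage stops at the first account.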
And above all else, let the warnings from Steve Wozniak echo in your ears ….
“I really worry about everything going to the cloud,” Wozniak said. “I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.”
You can read more about Honan’s Cautionary Tale here.
UPDATE: Wired reports that Amazon has acted quickly, closing the loophole that allowed access to user accounts.