Hard-Learned Lessons from the Honan Hack
Fred Donovan - August 23rd, 2012
We have all heard by now about the hack of security journalist Mat Honan’s iCloud account, aided by Apple’s support personnel.
The hackers, who go by the names Clan Vv3 and Phobia, gathered information about Honan from various public sources and exploited security gaps at Amazon to get the last four digits of his credit card. They then used that information to convince Apple that they were in fact Honan, gaining access to his iCloud account.
Once the hackers had social-engineered Apple into giving them access to Honan’s iCloud account, they remotely wiped all of his Apple devices and took control of his online accounts, shutting him out in the process, all within the span of an hour.
The hackers deleted Honan’s Gmail account and gained control of his Twitter account, using it to claim credit for the hack and send out bogus tweets.
Honan detailed the hack on his blog: “At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. … At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed. At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:05, they remote wiped my MacBook Air. A few minutes after that, they took over my Twitter.”
Honan admitted that the hack was “my fault,” although Apple and Amazon certainly helped out. “My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter,” Honan explained in a Wired column.
Of course, Honan rightly blamed Apple and Amazon for their lax security procedures. “The very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”
Commenting on the hack, Paul Ducklin of Sophos offered readers the following advice to avoid a Honan-type breach: encrypt everything you put into the cloud, keep your online accounts separate, do not link personal and work social media accounts, make and keep backups for yourself outside the cloud, and consider an independent remote wipe service, rather than relying on one which is part of the cloud offering it aims to protect.
Whether Apple will take any steps to prevent this from happening to other users remains to be seen. According to Marko Karppinen, a Finnish Apple app developer, Apple tech support gave hackers access to his account back in 2008. “The front line tech support reps should never be able to perform a password reset like this. The fact that they still can means that Apple continues to err on the side of insecurity,” he wrote in his blog.
The bottom line is that even a tech-savvy user like Mat Honan can be hacked. While Apple and Amazon are partly to blame, it’s up to users to ensure they have implemented security best practices, because human beings, including Apple support personnel, are fallible.