This weekend played host to a twisting, turning tale of hacking woe, which captured headlines primarily because of some unpleasant tweets sent from the hacked Twitter account of tech blog Gizmodo. But at the heart of the story is something far more worrying — the deception of Apple tech support, and the subsequent access of an iCloud account.
While the story appears to start with the hacking of Gizmodo’s Twitter account, this was really a bonus for those hacking Mat Honan, a writer for Wired. Control of Gizmodo’s Twitter account was soon regained, but it was only the beginning of Honan’s problems.
Writing on his own blog, Honan describes how his iPhone, iPad and MacBook Air were systematically compromised and remote wiped using iCloud, and his Google account deleted too.
Because his Google account was linked to his Twitter account, which in turn was linked to Gizmodo’s Twitter — Honan had previously written for the site — offensive tweets were sent by the hackers. This is the point where the story went public.
Honan speculated that his iCloud account, where the problems all began, had been hacked using “brute force,” where someone systematically enters possible passwords until the correct one is discovered. However, this wasn’t the case, as both AppleCare and the hacker have said the account was breached using “social engineering.”
Trust gained using social engineering
In essence, social engineering involves a criminal lying about their identity and building trust to gain information from a third party, in this case AppleCare.
What’s interesting here is that no matter how secure you think your accounts are, or how strong your password is, it won’t matter if the person at the end of a telephone helpline is manipulated into handing it over to someone that’s not really you.
This will inevitably cause people to rethink how they use iCloud, and whether Apple’s security is good enough to protect all that important data. Before hands are thrown up in despair, Tony Bradley, writing for PCAdvisor.co.uk, has a very different story to tell concerning AppleCare. He describes a dogged refusal to handover any information at all, even with proof that he was who he said he was, indicating that either Honan’s experience is isolated, or that the criminals were really, really good.
Additionally, the attack will also — once again — highlight the importance of backing up data, encrypting data stored in the cloud, and taking care over linking online accounts together.
However, although these precautions may have limited Honan’s pain, they probably wouldn’t have prevented it happening in the first place. Infamous social engineer and hacker Kevin Mitnick said “If you want to protect your network, you cannot rely on technology alone,” and this applies here too.
Let’s see if Apple has a response to this hack, and whether it will also need to work to regain its customers trust, especially as it’s so close to providing iCloud email addresses.