Skip Links

Mat Honan Hack Pokes Holes in Apple iCloud

iCloud is awesome because it "just works", but the Mat Honan hack illustrates how that can quickly be turned against you as well.

By Tony Bradley, PC World
August 08, 2012 01:05 PM ET

PC World - The hackers that hijacked Mat Honans online life, took over his Twitter account(s), and wiped out his iPhone, iPad, MacBook, and Google accounts in one fell swoop showed some perseverance in achieving that goal. Not all attackers are quite that determined, but the hack still demonstrates some serious flaws in Apples iCloud and the iCloud security model.

12 years of Apple big-time innovations

My iPhone, iPad, and MacBook Air are all synced through Apples iCloud--just like Mat Honan. I appreciate the convenience and simplicity of the fact that I can add a contact on my iPad, and it will automatically sync to the other two devices. I can take a picture with my iPhone, and the photo will be available from the iPhone and MacBook as well. It just works.

The Mat Honan hack is a poignant illustration of how it just works can be a double-edged sword. If it just works for you, it also just works for an attacker who manages to gain access to your iCloud account.

The first potential problem with the automatic syncing is that someone with possession of my iPhone or iPad could wreak havoc. If someone starts deleting contacts, calendar events, or other synced information, those changes should be automatically synced across to the other devices which would mean losing the information on all of them because it just works.

Then, theres Find My iPhone. The feature is mis-named, because it finds all of your iCloud-enabled Apple devices, not just iPhones. Logged in to my iCloud account, I can pinpoint the current location of my iPhone, iPad, and MacBook Air. I can also remotely wipe the devices, and essentially return them to the factory default, out of the box state they originally came in if I need to prevent a thief from accessing my data or personal information.

In the Mat Honan hack, the attackers gained access to his iCloud credentials and remotely wiped all of his devices. Therein lies the problem--there should be an additional password or level of authentication for each device. The one iCloud password should not be sufficient to remotely wipe every device you have.

It negates some of the value of having that data synced across the devices in the first place. Part of the point is that I know I can lose my iPhone, but Ill still have all of my data and information on my other devices. That obviously isnt true if an attacker can take all of them out at one time.

Another problem with Find My iPhone is that its very accurate in pinpointing the devices it tracks. If the iCloud credentials were breached by a stalker, rather than a hacker, the iCloud Find My iPhone feature could lead them to your exact location. Look how well it worked in tracking down David Pogues lost iPhone.

These issues arent entirely unique to Apple. There are device-locating, and remote wiping features for Android, Windows Phone, and other devices as well. You can also prevent some potential security issues by making sure your devices are locked and protected by a password or PIN--but that wouldnt have helped in Mat Honans case.

Originally published on www.pcworld.com. Click here to read the original story.

Our Commenting Policies
Cloud computing disrupts the vendor landscape

 

Latest News
rssRss Feed
View more Latest News