Honan has maintained a running commentary on what happened and what he subsequently discovered on his blog. It was a surprisingly nasty attack. “At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:05, they remote wiped my MacBook Air,” he wrote. But it didn’t stop there.
“I checked Twitter, and saw someone had just sent a tweet from that account. I tried to log into Gmail again, and now it told me that my Google account had been deleted. The way to restore it was to send a text message to my phone which I didn’t (and still do not) have access to.”
And still it continued. His former editor at Gizmodo called his wife’s phone to make sure he knew what was going on. Gizmodo had been drawn in because “a long time ago, I had linked my Twitter to Gizmodo’s [so] they were then able to gain entry to that as well.” Gizmodo also got hacked.
At first he thought his iCloud password had been brute forced. It was a 7-character code that he didn’t use anywhere else. But it wasn’t brute force. In his first update, he says the hacker got in touch. In his second update, he said he’d got his phone service and Google account back. And in his third update he explained what had really happened. “It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.”
This wasn’t some highly technical software hack, it was a simple, albeit sophisticated social engineering attack. The hacker persuaded Apple tech support to let him in. Marko Karppinen, a Finnish Apple app developer, was not surprised. He blogged, “Apple tech support gave the attacker access to the account. That may sound astonishing, but I have no trouble believing it. And that’s because the same thing happened to me in 2008.” He adds, “Simply put, the front line tech support reps should never be able to perform a password reset like this. The fact that they still can means that Apple continues to err on the side of insecurity.”
But there’s no easy solution. “Gullibility is the wetware vulnerability for which there is no patch but education,” Mac researcher David Harley told Infosecurity. Hopefully, Apple will incorporate the lessons learned from this incident into training for their support staff, he added, “though no-one is totally immune to being conned by a sufficiently clever or sufficiently lucky scammer.” Harley ads one further bit of advice. “Honan, he says, “seems to have done a pretty good job of working out how he made the attacker's job easier by not air-gapping sufficiently between his work and personal social media and messaging.”