The Cloud Gives, Takes Away, and Gives Back Again

Photo credit: Annette Shaff/

What would you do if, suddenly, your iPhone screen went blank? Mat Honan was playing with his daughter when this very thing happened, and he didn’t think much of it at first – assuming it was likely a software bug. He was subsequently unable to log into his iCloud account to restore the device. Still, Honan was not overly worried.

He then attempted to restore the iPhone from his computer, but was instead greeted by a message saying his Gmail login information was incorrect. As he recalled, “the screen went gray, and asked for a four-digit pin”. The only problem was that Honan didn’t have a four-digit pin for his Gmail account.

It was at about this time the red flag was raised, and Honan quickly fetched his iPad. Different device, but the same result – his iPad had been reset. “At this point it was very clear that somebody malicious was messing with me”, Honan told me. He immediately assumed the worst and envisioned someone accessing all of his online accounts, including his banking, and then clearing them out. “I realized almost right away” that it was not a technical problem, he added.

It was late afternoon on August 3, 2012, and it soon became obvious that someone was able to lock Honan out from all of these devices – remote wiping them along the way – all within 15 minutes of gaining access to his iCloud account. The damage, however, did not stop there.

His Gmail and iCloud passwords had been altered, and his Gmail account also deleted. Honan couldn’t restore his Gmail account because it required sending a text message to his phone which, of course, he could not gain access to. At the same time, Honan noticed someone had sent homophobic tweets from his Twitter account.

In retrospect, Honan would bluntly conclude that it had “been a shitty night”. No doubt this description is a colorful understatement.

It took some time, effort, and a list of industry contacts to stop the onslaught. Yet, when Honan examined how the hack of his accounts and devices took place, the methods used were disturbingly easy and uncovered gaping holes in the customer service procedures at Apple and Amazon. Yes, Amazon as well, as the writer chronicled in great detail on his blog. The blame for this incident cannot be laid on Apple alone, or even Amazon, as Honan told me. “It’s broader than just Apple and Amazon.”

Last Four Digits, Please

Before setting off this chain of events, the hacker who remote wiped all of Honan’s devices first needed to gain access to his Apple ID account. This is where Amazon enters the story.

“A few things happened here”, as Honan recalled. Apple, at the time, was using the last four digits of a credit card number as a criterion to issue a password reset. “So if [the hacker] could get my Apple ID, my billing address, and the last four digits of my credit card, then that’s all they needed.” With Amazon, he told me, you can get those last four digits from many places, but Honan is quick to point out it’s not just Amazon that is guilty of this sin.

“Amazon is a good place to look because people tend to store multiple credit card numbers” within the service, he continued. The hacker then used a website that generated a fake card number, which he then fed through the automated system Amazon employs when adding numbers to an account – one based on a publicly available algorithm used as an industry standard.

This maneuver does not make a charge to the account, Honan said, but simply verifies its existence. The hacker then added this fake card number to Honan’s account, which only required his email and billing addresses and a call to Amazon customer support. The attacker then called Amazon customer service again, claimed to be locked out of the account, provided the last four digits of the card number and billing address, and was able to request a new email be linked to the account, which was then used to request a password reset. This was the hacker’s entrée into Honan’s Apple ID account.

“What happened to me exposes vital security flaws in several customer service systems”, Honan later wrote for Wired. “Amazon tech support gave them the ability to see a piece of information – a partial credit card number – that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”

Mike Small, senior analyst with KuppingerCole and member of ISACA, readily admits he does not use an iPhone or any of Apple’s cloud-related services that made this hack possible. Nevertheless, the identity and access management specialist found the incident intriguing and cautioned about dangers stemming from the confluence of social engineering and cloud services.

“The problem was not specifically one of technology – it was about abuse of people’s natural inclination to help”, Small told me when assessing the shortcomings of customer service procedures. “It is quite galling when you consider the amount of private information you are regularly asked to divulge when calling service providers for help that – in spite of this – [allowed] the hacker to masquerade as someone that he wasn’t. I guess this shows how careful you need to be to ensure that the kind of information used as secondary authentication is closely guarded.” Perhaps Amazon should heed Small’s advice and start thinking about how even the slightest bits of information can be misused, as Honan’s story clearly illustrates.

The Official Response

Apple did not respond to my requests for comment on this story, or regarding the perceived gaps in its customer service procedures. It was something, I should add, that did not come as a surprise. For its part, an Amazon spokesperson referred me to the company’s previous statement on the incident: “We have investigated the reported exploit, and can confirm that the exploit has been closed”. No further details about what this ‘fix’ entailed were provided.

I asked Honan if he received an explanation from either Apple or Amazon about exactly what allowed the hacker to bring his digital life to a standstill. “No – none at all”, he told me, quite frankly. “Amazon would not comment, or talk with us [Wired] very much”.

Honan has spoken with people at Apple on numerous occasions since he first discovered the hack, “and they didn’t say what they were going to do other than put a temporary hold on password resets”, he shared. “They have not been even remotely transparent about it”, Honan said – a stance he fully understands “because they don’t want to make it easy for people to know how to get around [procedures] they have in place”.

Honan has been in contact with his hacker since the incident went public. Yet the journalist holds no ill feelings, and has assured the “teenager” that he will not press charges – a promise Honan said he will firmly stand by.

Both California and federal law enforcement contacted Honan to discuss the incident, but he doubts any legal action will be pursued. Because it was not only his assets that were illegally accessed, there is still a chance that the companies involved – including Apple and Amazon – could press charges, but there is no active effort, at least to his knowledge. When I followed up on whether there was an ongoing investigation, the same Amazon spokesperson said the company “has a long-standing practice of not discussing details about our security efforts”.

The Cloud is Your Friend

In the end, it wasn’t Honan’s data or money that the attacker was after. The trail of destruction began with Amazon, moved to Apple, jumped over to Gmail, and all with the aim of taking over his Twitter account. The group the hacker was involved with apparently takes over Twitter handles for a gag, and Honan later learned that they may have targeted him specifically to trade his handle to another person. “The whole goal the entire time was to get into my Twitter [account], which is – in a really, really weird way – sort of fortunate. Had the goal been to get into my bank account, then they would have done it.”

Honan considers himself extremely lucky. Because he quickly diagnosed the events as foul play, Apple customer service was able to halt the remote wipe of his MacBook, which had only erased about 25% of his data. His locally stored photos and the remaining parts of his hard drive were recovered by a specialist firm at a cost of $1690.

The writer is, despite this incident, still an enthusiastic supporter of cloud-based services – even if he is skeptical about some of the security safeguards. Honan began regaining his digital life by accessing Dropbox from his wife’s computer, where he had stored a password keychain from 1Password, and thus began the process of resetting his online accounts. “When my data died, it was the cloud that killed it”, Honan wrote when recapping his nightmare. “Yet just as the cloud enabled my disaster, so too was it my salvation”.

John Howie, COO of the Cloud Security Alliance, asserted that the problem lay not with inherent dangers in cloud computing, but rather with a more human element. “Hackers found two social engineering weaknesses in two providers and combined them together”, he observed, adding that “it was really a failure of customer service procedures, and not the [cloud] technology. It’s when you start bringing the pieces together that the flaws were exposed.”

Despite still being a strong believer in cloud services, Honan said they need better security mechanisms in place, because the data stored by these services are often easier to access than data stored locally on a device. “When you’re being hacked in the cloud”, he reminded me, “you’re probably not even aware of it”.

Honan admitted that being the center of a story, for a change, was a bit strange. “But once I began discovering how it was done”, he said to me, “I felt it was important to tell the story”. By sharing his rather uncomfortable tale, Honan believes he can help raise awareness about the issues.

His personal hack has also brought about a few behavioral changes. Honan now employs what he considers a “very robust”, if not redundant, backup system, and has turned on two-factor authentication for any account that provides the option. “There is always a tension between security and ease of use”, he said, noting that oftentimes he opted to make things easier instead of more secure. “This has changed my attitude”, Honan revealed, “and I hope it changes other people’s as well”.
