The cloud is making us insecure

Keeping local information is a thing of the past. Nowadays everything is in the cloud, haven’t you heard? From Dropbox to Google Drive we keep our files stored in some nameless data farm in Iowa, and any Apple user will have lots of information stored in the iCloud. While these usually mean very sensitive data such as your calendar, email, contacts, and pictures, iCloud does something more dangerous. With Find my Mac, iCloud keeps a record of your current location, but most importantly, it can remotely shut down your device. Yes, this includes your iPhone and iPad too.

According to Apple’s iCloud site, if you have turned on the “Find your Mac” turned on, you can use it to find your device on a map. Surely, this is very handy if you lost it. But what if someone was to get a hold of your Apple ID and was able to log into your iCloud? Then they could know where you are. Even worse than that, they can send a command to remotely lock the device, or even to wipe all information on it. You read correctly, it is possible to completely erase your shiny MacBook remotely.

Moreover, with Mountain Lion, Apple has been going for seamless integration between the operating system and social media. This means that if a hacker was to gain access to your iCloud, they could also have access to your Gmail, Twitter, Yahoo, Vimeo, and soon Facebook accounts.

Are you frightened? Not nearly frightened enough… Sit around and listen to what happened to former Gizmodo writer Mat Honan. In what must be one of the most spectacular cases of iCloud hacking post-Mountain Lion, Mr Honan had all of his devices locked and wiped when someone was able to gain access to his iCloud account through “Apple tech support and some clever social engineering that let them bypass  security questions”. According to Honan:

“At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.”

I cannot think of anything more terrifying than that, particularly because the hacker used the chance of having access to the Gizmodo Twitter account to distribute racist abuse.

Computer security has become a balancing act between convenience and robustness, and we are usually guilty of letting our guard down because keeping our accounts always secure is hard. But what is really scary about the above incident is how one single account can have so much power over your life. I’ve made this comment before, but with the cloud we are placing all of our digital eggs in one basket.

Apple should review their tech support policies immediately. For the time being, if you have an Apple device, I recommend that you turn off the location services ASAP.

Leave a Reply