I don’t use iCloud for much. I did use the iCloud remote wipe to clean the data on a lost/stolen iPhone. I was grateful that the service was available to me even though I had a PIN screen lock on my iPhone. It was nice to have peace of mind that my data was safely out of the hands of new owners. I just learned today that if you are a Mac user, you can use this feature to remote wipe your actual Mac. This can be a great feature if you lose a computer with sensitive data. But as it turns out, the ability to remote wipe a machine using iCloud is too easy.
Matt Honan, previously of Gizmodo.com, had his iCloud account hacked via social engineering. Because his .mac e-mail address was tied to his Gmail and Twitter accounts, the intruder was able to obtain access to those accounts as well. The intruder deleted his Gmail account and used the Twitter account to hack Gizmodo’s Twitter feed. Even more nefarious, the intruder remote wiped all of his devices. He lost all of his data on his iPad, iPhone and MacBook Air. The MacBook Air loss is probably the most intrusive, as he hadn’t backed up in over a year. iCloud isn’t a backup service for MacBooks as it is for iOS devices.
I don’t understand why Apple makes remote wipe so simple. In this case Matt actually had a pretty tough password for his iCloud account, but the intruder called Apple support and convinced the tech to reset Matt’s password, which allowed the intruder to gain access. At that point it’s pretty straightforward to wipe the devices. BlackBerry and Windows phones have similar features that are controlled by the enterprise administrator. Google has a similar feature but allows you the option to set up two-factor authentication for actions such as wiping your device.
I’m sorry for what Matt is currently experiencing. I don’t know him but doubt he did anything to deserve the pain of having to recover from this event. I am grateful to him for sharing his experience so that we can learn lessons from it. The most important is making sure you back up your own data locally. Not just your PC but your smartphones as well. I still keep local backups for my iPad and iPhone. This social engineering issue is something you can learn from as well. I’ve learned to not give standard answers to challenge questions. For example, if a service asks me “What is your mother’s maiden name?” I give a response like “BirdsLoveToSing.” It’s too easy to actually find my mother’s maiden name.
A good question: now that Mac OS 10.8 has the ability to allow applications to store to iCloud, could an intruder wipe all of my data, leaving it unrecoverable? Therefore, is there a method for getting my data out of iCloud to back up locally?
What are some of the lessons you’ve learned from this experience?