Apple to review cloud identity protocols after journalist hacked

August 13, 2012

The issue of data security in the cloud has come under increased scrutiny after a writer working for Wired magazine watched hackers systematically wipe his personal data and family memories from a number of interconnected devices.

According to CNN, Mat Honan, a technology journalist, first became aware of a problem on August 3, when his iPhone powered down unexpectedly. Honan, who admits that he initially thought it was a glitch in the software, spent valuable minutes trying to log in to his iCloud account before being told by his laptop that his Gmail account information was wrong, and that to proceed, he would need to input a four-digit PIN. This was the moment when Honan realized that he was being hacked.

Over the next few hours, he became aware that his Twitter account had been compromised, and that all the data on his mobile devices had been erased. Honan spoke to an Apple representative who informed him that the company had received a call earlier from an individual who was able to verify certain information that Apple requires to initiate a password change.

Loopholes in the cloud
Honan said that he hadn't called, but discovered that the intruder had not only used Apple's remote wipe service, which is offered to prevent details such as credit card and social security numbers from being used to perpetrate identity theft, but had also reset every password associated with accounts that used Gmail. By exploiting loopholes in the cloud data security system, in this case by finding Honan's email and home address online, the intruders were able to confirm his identity with the tech support representative at the company.

"My experience leads me to believe that cloud-based systems need fundamentally different security measures," said Honan. "Password-based security mechanisms - which can be cracked, reset and socially engineered - no longer suffice in the era of cloud computing."

Since the incident, Apple has temporarily disabled the ability of iCloud account holders to change any details over the phone, and customers who need to modify any details will need to use the company's iForgot service. The company has not confirmed how long this arrangement will be in place, but it appears that this high-profile breach in cloud security, albeit on a personal level, has forced Apple to look at its protocols.

"We found that our own internal policies were not followed completely," said an Apple representative. "We are reviewing all of our processes for resetting account passwords to ensure our customers' data is protected."

-McAfee Cloud Security