A week ago, Wired writer Mat Honan’s Google, iCloud, Twitter and Amazon accounts were hacked. His personal data on his iPhone and MacBook was erased - as well as his backups in iCloud. I won’t go into details here; if you are interested, read the entire story by Mat Honan himself. However, it made me rethink the security of cloud services.
The reason for this personal disaster was security flaws in cloud services. Why this interests me is that a year and a half ago I wrote my Bachelor’s thesis about “Security in public cloud services” (available only in Finnish). In the thesis, I made a case study of the security of Amazon Web Services. I ended up claiming something like “for personal and private use Amazon Web Services is pretty safe”. Obviously I was wrong.
As Mr. Honan admits, in addition to Apple and Amazon, he can also blame himself for the security breach, especially for the lost personal data. He had the accounts for all the services stupidly chained together, as most of us do, so that one successful break-in led to another and eventually to the Twitter account, which was the hacker’s ultimate goal. Also, he relied on iCloud so completely that he did not have any other local backup. However, if the cloud services had been trustworthy, none of this would have happened. So I suggest that the only thing Mat Honan can blame himself for is placing too much trust in these cloud services.
What does not surprise me is that no security vulnerabilities in software, computer systems or protocols were involved. It was all about stalking, social engineering and failures in security policies. All the hacker needed was some publicly available personal information about the victim and a couple of convincing phone calls to Apple and Amazon customer service. According to Mat Honan’s story, all you need to access someone’s AppleID (and iCloud) is:
- Email address
- Billing address
- Last four digits of credit card number
For me, this does not look very trustworthy. Dozens of people know my email address and home address (billing address). The last four digits of my credit card are not that easily available, but they can still be stolen, e.g. in a restaurant when I’m paying the bill.
Actually, another way to find out the last four digits of my credit card is to eavesdrop on my personal e-mail. For example, at the beginning of this month I got the following e-mail from Amazon:
Greetings from Amazon Web Services, This e-mail confirms that your latest billing statement, for the account ending in ****XXXX, is available on the AWS web site. Your account will be charged the following: Total: ****
Here, the part XXXX was the last four digits of my credit card. And this was an unencrypted e-mail sent over the public Internet using the SMTP protocol.
Moreover, there was a much more critical security failure in Amazon’s system, which Mat Honan explained:
- You can add a new credit card to any account via a phone call by providing only the name, email address and billing address.
- You can add a new email address to any account by providing a credit card bound to that account.
- Once you have done the previous steps, you can have a password reset sent to the email address you provided.
Essentially this means that you can reset the password of any Amazon account provided that you already know the name, email address and billing address of the account holder. However, this requires at least two phone calls to Amazon customer service as well as some background research to find out the information about the victim. Still, I’d call this a severe vulnerability in security policy. Luckily, after the publicity of this case, Amazon will no longer add new credit cards to accounts over the phone.
Although this was a sad case for Mat Honan, I think it was a good lesson for every one of us. Computer systems are increasingly dependent on cloud services. Actually, I guess that big companies such as Apple and Google would really love to possess all of our private data. My suggestion is: do not trust cloud services too much. I’m not saying that you should not use them, but be prepared for a possible huge disaster such as iCloud or Google being completely hacked. Again, I’m not saying that is going to happen, but everything is possible. This epic hacking case does not make me feel very confident.