iCloud flaw exposed but Apple remains silent
Anyone who has bought a second-hand Apple device probably needs to be very careful about turning on Find My Device, because the person they bought it from may still have access to their whereabouts and to their machine.
This morning it was reported that US technology journalist Mat Honan saw his entire digital world come crashing down around him after an attacker convinced Apple to hand over access to his iCloud account.
Recently a flaw was discovered which allows owners of second-hand Apple devices to be tracked by the original owner, who can also remotely wipe all the data off the device. It comes after similar revelations last month that owners of second-hand iPhones can still access the previous owners’ accounts on apps like iMessage and Grindr.
Cloud computing has been a boon for consumers and businesses as it allows them to access their files anywhere and on any device. But the downside is that your data is stored online in the “cloud” and can be accessed remotely by determined attackers.
A tech-savvy Sydney Apple user, who does not want to be named, contacted Fairfax Media after selling his MacBook Air only to find that he was still able to track the device using Apple’s “Find My Mac” feature, even though he erased the laptop’s hard drive before selling it.
Find My Mac / iPhone / iPad, part of iCloud, lets users track their Apple devices over the web if they have been lost or stolen. In addition to plotting the location of the device on a map it can also be used to remotely wipe the device of all data.
But it appears that if you erase the data from your Apple device or remove the iCloud account when the device is not connected to the internet, it doesn’t de-link the device from your account on Apple’s servers.
When the new owner logs in to the device with their own Apple ID and switches on iCloud / Find My Device, the previous owner is still able to track the device and wipe the data using their own iCloud account, without knowing the Apple ID details of the new owner.
An item buried on Apple’s support pages instructs users on how to remove iCloud before selling their device, but the affected Apple user said this was far from clear to most people, who wouldn’t realise they had to do anything more than erase the hard drive of the device before selling it.
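To make the failure mode concrete, here is a small model of the server-side binding the article describes. This is an added illustration, not Apple's code: the registry, its method names and the "strict" fix are assumptions that mirror the article's description, and the serial number and Apple IDs are constructed.

```python
"""Toy model of the stale device-to-account binding described above.
Added illustration, not Apple's code: the registry, its method names and
the 'strict' fix are assumptions that mirror the article's description."""
from dataclasses import dataclass, field


@dataclass
class DeviceRegistry:
    # serial -> set of Apple IDs allowed to locate or remotely wipe that device
    bindings: dict = field(default_factory=dict)
    strict: bool = False  # False = behaviour the article describes, True = fix

    def enable_find_my(self, serial: str, apple_id: str) -> None:
        """Device comes online with Find My switched on under apple_id."""
        if self.strict:
            # Assumed fix: re-enrolment under a different Apple ID drops any
            # stale binding, so a previous owner can no longer track or wipe.
            self.bindings[serial] = {apple_id}
        else:
            # Behaviour described in the article: the old binding survives.
            self.bindings.setdefault(serial, set()).add(apple_id)

    def erase_offline(self, serial: str) -> None:
        """Factory reset / iCloud removal while disconnected: the server is
        never told, so the binding is untouched."""
        return None

    def sign_out_online(self, serial: str, apple_id: str) -> None:
        """The support-page procedure: sign out of iCloud while connected."""
        self.bindings.get(serial, set()).discard(apple_id)

    def can_track(self, serial: str, apple_id: str) -> bool:
        return apple_id in self.bindings.get(serial, set())


def resale(strict: bool, seller_signs_out_online: bool) -> tuple:
    """Seller -> buyer hand-over; returns (seller_can_track, buyer_can_track)."""
    reg, serial = DeviceRegistry(strict=strict), "SERIAL-CONSTRUCTED-001"
    reg.enable_find_my(serial, "seller@example.com")
    if seller_signs_out_online:
        reg.sign_out_online(serial, "seller@example.com")
    else:
        reg.erase_offline(serial)  # what the Sydney user did before selling
    reg.enable_find_my(serial, "buyer@example.com")
    return (reg.can_track(serial, "seller@example.com"),
            reg.can_track(serial, "buyer@example.com"))


if __name__ == "__main__":
    print(resale(strict=False, seller_signs_out_online=False))  # (True, True)
```

Only the online sign-out (or the assumed server-side fix) clears the seller's access; an offline erase leaves both parties able to track the device.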
“When I did the factory reset [on the MacBook Air] it doesn’t appear to de-link my Apple ID to the device serial number and so when this guy turned on … Find My Mac I was able to see the location of his device and track it without his knowledge,” said the user, who claims to have replicated the issue on an iPhone set to flight mode.
“Anyone who’s bought a second-hand Apple device probably needs to be very careful about turning on Find my Device because potentially the person they bought it from may have access to their whereabouts and access to their machine.”
Several threads on Apple’s support discussion boards outline the same issues.
Last month Fairfax Media reported on a similar issue. Applications such as Grindr and iMessage identify you and sign you in to their service using your device’s unique ID – meaning if you sold your iPhone, the new owner could still access your accounts if they use the same apps as you.
Apple has since said it would reject apps that rely solely on the device’s unique ID for in-app identification, while developers have also pledged to fix the flaw.
But Apple has yet to acknowledge the new iCloud issue identified by the Sydney Apple user. Apple Australia declined to comment on the matter but late this afternoon said it was trying to replicate the issues.
The Sydney user who discovered the new flaw said he contacted Apple Support, which said he needed to get the new owner of the MacBook Air to contact Apple and advise it to de-link the serial number from any previous Apple IDs.
Apple has also refused to comment on Honan’s issue, which involved attackers “social engineering” or tricking Apple into handing over access to Honan’s iCloud account. The attacker then proceeded to use Find My Device to wipe the data off Honan’s MacBook, iPhone and iPad and, because they had access to his Apple email account, was also able to take over his Gmail and Twitter accounts.
Apple has yet to specify any changes it is making to its internal security protocols to ensure that Apple support does not continue to hand out customer details to attackers.
“It’s amazing. I think as a company it is so accustomed to positive press that it thinks it doesn’t have to deal with criticism at all,” Honan said in an email interview.
Chris Gatford, of Sydney security firm HackLabs, advised people using cloud services to follow the “3-2-1 rule”. That means keep three back-up copies of your data, on two different types of media, including one backup stored off-site.
- Apple Responds To Journalist Victim of “Epic” Apple ID Hack (cultofmac.com)
- Mat Honan on the Apple and Amazon security flaws that led to his hack (wired.com)
- Apple tech support gave hacker access to reporter’s iCloud account: Reports (todayonline.com)
- Apple iCloud attack deletes data (bbc.co.uk)
- Mat Honan details the Amazon and Apple security flaws that let hackers wipe his MacBook (tuaw.com)