Apple iCloud breach proves Wozniak's point about cloud risks

Not even a complex, 16-character password guarantees that your cloud-based data and devices are secure

This past weekend, Apple co-founder Steve Wozniak predicted that cloud computing would yield "horrible problems" in coming years. By extraordinary coincidence, Wired reporter Mat Honan experienced firsthand a series of horrible, cloud-related problems, all of which reportedly started when an unnamed Apple employee reset his iCloud password at the request of a hacker posing as Honan.

This marks the second high-profile cloud-related snafu in the past week, the first being the Dropbox fiasco where hackers pulled a list of Dropbox customer email addresses from a Dropbox employee's Dropbox account. The incidents almost render moot the raging debate over on Sophos' Naked Security blog as to whether Microsoft's newly rebooted Outlook.com should support more than a 16-character limit on passwords. Evidently even the strongest, most complex password is no match for the formidable combination of hacker perseverance and resourcefulness and end user naiveté (or ignorance) about best security practices.

Let's start with what happened to Wired's Honan. By his account, a malicious hacker gained entry to his iCloud account and used it to remote wipe all of his devices, including his iPhone, iPad, and MacBook Air. The initial mystery: How did the hacker get his or her hands on Honan's password? "My password was a 7-digit alphanumeric that I didn't use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time," Honan wrote.

Honan's first guess was that the hacker employed brute-force techniques to crack the password. While that might have been feasible, it wasn't the case. "They got in via Apple tech support and some clever social engineering that let them bypass security questions," Honan wrote in an update.

Once the hacker got into Honan's iCloud account, it was a matter of time before he or she was able to wipe Honan's iDevices and wreak other havoc, such as changing his Gmail account password and purging that account.

Was this the kind of nightmare Wozniak was contemplating this past weekend when he told an audience that he "really worries about everything going into the cloud"?

"I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years," Wozniak said, according to AFP. "With the cloud, you don't own anything. You already signed it away," he added, along with, "The more we transfer everything onto the Web, onto the cloud, the less we're going to have control over it."

It's entirely plausible Wozniak was thinking in broader terms about data ownership and the prospect of cloud providers treating customer data and files as their own. For example, an unethical company might hide terms in cloud contracts that permit it to mine customer data in the name of research or for more nefarious purposes. A cloud company might also try to shackle customers in how they can use, say, e-books, videos, or software they legally bought and paid for. Heck, a cloud company could go rogue and hold a customer's data hostage or sell it to the highest bidder.

Those are potential threats pertaining to how much control one has over his or her cloud-stored data, but they aren't the only issues. Part of the threat lies in just how interconnected data, devices, and identities become in the cloud, all of which can be breached by bypassing a single password.

Consider for a moment the fact that, thanks to one gullible Apple employee giving up a customer's iCloud password, said customer lost all the contents of his cloud-connected devices (hopefully not permanently). Consider that thanks to an ignorant Dropbox employee's actions of reusing passwords and storing sensitive, unencrypted customer info in the cloud, a bunch of Dropbox customers became victims of massive spam attacks, which easily could have been more dangerous phishing attacks.

For all the benefits of the cloud, it creates new weaknesses in a company's security infrastructure. Both Dropbox and Apple have failed at embracing and enforcing necessary security measures to protect users. Cloud users, both customers and employees, meanwhile, continue to ignore or underestimate cloud-related risks. Yes, we can rail at the Apple employee for letting a hacker bypass Honan's security questions, but then, a resourceful hacker could potentially dig up the correct answers to security questions through some research on Facebook, targeted phishing, and the like.

This story, "Apple iCloud breach proves Wozniak's point about cloud risks," was originally published at InfoWorld.com.