Apple continues to err on the side of insecurity
News about Mat Honan’s hacked Apple ID spread all over the web this weekend, but something about the story didn’t seem right to me. Mat was guessing that the hacker had found his password with a brute force search, but that sounded impractical: Apple is pretty aggressive about locking down accounts that get too many failed login attempts.
Now we know the real reason: Apple tech support gave the attacker access to the account. That may sound astonishing, but I have no trouble believing it. And that’s because the same thing happened to me in 2008.
The fact that the same attack vector works in 2012 proves that Apple still doesn’t take Apple ID account security seriously. Simply put, front-line tech support reps should never be able to perform a password reset like this. The fact that they still can means that Apple continues to err on the side of insecurity. What was crazy in 2008 is completely, utterly insane in 2012. Here are some things that have happened between then and now:
- The App Store. The growth of the iOS platform has driven iTunes to 400 million credit-card-enabled accounts. That means that the average monetary value of an Apple ID is a lot greater than it was in 2008. It also means that there are crazy outliers: imagine a tech support rep giving out the password to a Rovio employee’s Apple ID. The bank account information for the multimillion-dollar wire transfers Apple sends them for Angry Birds revenue could be reset in seconds.
- OS X. The security model of OS X is now based on the assumption that Apple IDs are more reliable than a Mac’s local accounts. This means that a social engineering attack on a tech support rep, quite possibly on a different continent, can be used to reset the password to the admin account on your MacBook. Or, as Mat experienced, to wipe all your data.
- iCloud. Back in 2008, the information I had on my .Mac account was largely stuff that I had knowingly stored there. Today, sharing and syncing of content is more seamless, and it would be exceedingly hard to know all the information that would be exposed in a security breach.
If Apple’s ecosystem is to succeed, Apple IDs can only grow in importance. The impact of an Apple ID breach is now much greater than it was in 2008. I can’t even imagine what it could be four years from now.