Saturday, August 4, 2012

Find My Mac and Remote Wipe

Mat Honan (via Hacker News):

In short, someone gained entry to my iCloud account, used it to remote wipe all of my devices, and get entry into other accounts too.

It seems way too dangerous to allow anyone with access to your iCloud account to remote wipe your Mac. (Plus, is remote wiping really necessary if you have FileVault enabled?) It looks like the only way to disable remote wipe is to disable the entire Find My Mac feature in the iCloud pane of System Preferences.

Secondly, the new “Allow my Apple ID to reset this user’s password” option is potentially dangerous. Or, if you’re using FileVault 2, there’s the similar option to store your recovery key with Apple.

Backing up to the cloud is great, but those backups are only as safe as your password, so they shouldn’t be your only backups.

Update (2012-08-04): Daniel Jalkut:

One way to protect yourself is by declining to delegate authentication to third parties. When enrolling in a new service that offers Twitter or Facebook authentication, I usually go through the nuisance of creating a new account instead. That way I can choose a unique passphrase, and store that in my keychain. I prefer this to allowing numerous items to be implicitly added to my Twitter or Facebook “keychain.” Don’t put all your eggs in one basket, as they say. (Well, that’s what I’m doing with my keychain, but I am empowered to personally protect it and to back it up as I see fit.)

Update (2012-08-05): Mat Honan:

I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.

Update (2012-08-05): Jonathan Grynspan reports that there’s a bug that can allow anyone with access to your Apple ID (which obviously includes Apple itself) to access your FileVault-encrypted drive, even if you’ve not shared your FileVault recovery key with Apple.

Update (2012-08-06): Mat Honan:

At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn’t get into his .me email — which, of course, was my .me email.

In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an Internet connection and a phone can discover.

Update (2012-08-17): Mat Honan:

My data came back to me on an external hard drive, organized by file types. The thing I cared most about, above all else, was my photo library. And there, in a folder full of JPGs, was photo after photo after photo that I had feared were gone forever. Subfolders were organized by the year, month and day files were created. I went immediately to the folder that bore the date my daughter was born. They were there. Everything was there. We were floored. I nearly cried.

Update (2017-09-20): Juli Clover:

Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone.

11 Comments

That's a pretty remarkable story on so many levels.

How does remote wipe work reliably without system encryption? With system encryption, a remote wipe equals the deletion of the encryption key … without encryption, however, a simple wipe takes some time and it is easily recoverable.

@Martin The dialog for remote-wiping the Mac says that it can take up to a day. So I presume that it boots from the recovery partition and, if there’s no encryption, spends a lot of time overwriting the main partition with random data.

"Jonathan Grynspan reports that there’s a bug that can allow anyone with access to your Apple ID (which obviously includes Apple itself) to access your FileVault-encrypted drive, even if you’ve not shared your FileVault recovery key with Apple."

Good god, if true. I believe I've previously mentioned once or twice that I'm still lovin' Snowy, but this is ridiculous.

(AppleID worming its way into OS X is at the core of what has moved me over the past couple of years from being an Apple Fanboy to being a Cupertino Dissident. I'd love to switch to Microsoft, but their direction for Windows 8 doesn't exactly inspire confidence that that would be a sensible path to take. Maybe I'd just better stock up on replacement pre-2011 Macs.)

[...] An Apple ID is pretty much required these days, but you can at least limit the potential damage. Don’t use iCloud’s e-mail account, even as a backup address supplied to other services. Honan’s Gmail was compromised because the password recovery e-mail went to his address. And don’t enable Find My Mac. [...]

[...] is a guest post by Jonathan Grynspan. I followed his reporting of this issue on Twitter with interest. Far more than 140 characters were needed to [...]

Great blog, excellent issue. Oh, and you don't trust Apple?
Do you know anyone but a kid in their retail store that does?

[...] note, it does not appear that two-step verification is needed to remote wipe or to access FileVault-encrypted files on a locked but powered-on Mac. It seems more likely that [...]

[...] ID is the master key to all sorts of personal information and privileges, including the ability to remote wipe iOS devices and access your Mac, even if you didn’t share your FileVault 2 recovery key with Apple. It [...]

[…] I still think Find My Mac is not worth the risks. […]
