Apple's Activation Lock Website Played Key Role in Hack, Perhaps Explaining its Removal

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Jan 30, 2017.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    Apple recently removed the Activation Lock status checker from its website, giving no explanation as to why a seemingly useful tool was eliminated. The Activation Lock website was designed to make sure a used device being purchased wasn't locked with Activation Lock, rendering it unusable.

    As it turns out, the Activation Lock website was a vital part of a bypass hack used to unlock devices bricked by Activation Lock, perhaps hinting at why Apple shelved it.

    The process is demonstrated in the video below. By changing one or two characters of an invalid serial number, hackers are able to generate a valid serial number, using the Activation Lock tool for verification purposes to make sure it's functional. That valid number, which belongs to a legitimate device owner, can then be used to unlock a previously non-functional iPhone or iPad.

    Activation Lock website verification starts at 5:25 in the video

    The Activation Lock scheme that steals valid serial numbers from existing iOS users potentially explains a mysterious Apple ID bug that's been plaguing iPhone owners for months.

    When attempting to activate a new or recently restored device, some iPhone owners have found their devices inexplicably locked to another Apple ID account - one with an unknown name and password. The problem has been affecting iPhone 6s, 6s Plus, 7, and 7 Plus models since September and can only be fixed by Apple.

    Apple has not confirmed that the hack shown in the video is related to the Apple ID Activation Lock bug, but as the hack uses valid serial numbers from existing owners, it's a plausible theory. If the two are linked, it explains why the Activation Lock website was shut down so suddenly, and it should put an end to the Apple ID issue.

    Introduced alongside iOS 7, Activation Lock has proven to be a successful theft deterrent. It effectively locks an iOS device to a user's Apple ID account and even when wiped, the device will continue to require an original Apple ID and password. Activation Lock is extremely difficult to bypass and has led to complicated hacks like the one in the video above to attempt to get around it.

    It's not clear if Apple will provide a new Activation Lock website for customers who used it legitimately, but unless the company comes up with a method to prevent it from being misused, it seems unlikely.

     
  2. Mlrollin91 macrumors G5

    Mlrollin91

    Joined:
    Nov 20, 2008
    Location:
    Ventura County
    #2
    Well, if this was the case, then that makes perfect sense. But now that's kind of frightening if true.
     
  3. usersince86 macrumors 6502

    usersince86

    Joined:
    Oct 24, 2002
    Location:
    Columbus, Ohio
    #3
    When a security feature becomes a security issue... that's how things are in today's world
     
  4. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #4
    That makes sense, I figured there had to be a simple reason.
     
  5. Amacfa, Jan 30, 2017
    Last edited by a moderator: Jan 30, 2017

    Amacfa macrumors 68000

    Amacfa

    Joined:
    May 22, 2009
    Location:
    D.C.
    #5
    Funny how far people will go just to bypass activation lock - to the point of soldering and basically reverse engineering
     
  6. OldSchoolMacGuy Suspended

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #6
    LIES! MacRumors members were positive Apple did this ONLY to make more money. That is the only explanation which MR members could find at the time so it must be the only truth and nothing else can explain why it was removed!
     
  7. SBlue1 macrumors 65816

    SBlue1

    Joined:
    Oct 17, 2008
    #7
    Alternative facts?
     
  8. zaaach48 macrumors regular

    zaaach48

    Joined:
    Nov 2, 2016
    Location:
    Philadelphia
    #8
    well of course...that, and to just piss off the users the company was built upon
     
  9. Pentium macrumors 6502

    Pentium

    Joined:
    Sep 2, 2015
    Location:
    Los Angeles
    #9
    That makes perfect sense! But man, that took 4 months to address? That's scary if true!
     
  10. MacsRgr8 macrumors 604

    MacsRgr8

    Joined:
    Sep 8, 2002
    Location:
    The Netherlands
    #10
    Yeah... if these kinds of features become more and more of an issue, people will start to distrust their devices more and more.
    Everything is "hackable". Even Apple's activation sequence.
     
  11. ElRojito macrumors regular

    Joined:
    May 6, 2012
    #11
    VERY UNFAIR !!!
     
  12. killawat macrumors 65816

    Joined:
    Sep 11, 2014
    #12
    perhaps Apple will move the sn to the secure enclave so the ID can be retrieved but not changed (or else brick the device).
     
  13. TheShadowKnows! macrumors 6502a

    TheShadowKnows!

    Joined:
    Sep 30, 2014
    Location:
    National Capital Region
    #13
    As someone already mentioned, correctly, on the earlier thread, the solution would be for Apple to digitally sign the serial id of each iPhone, and introduce such changes on the new iOS releases.

    [And, yes, if you do not, or cannot, update to newer firmware, the validation tool may continue to produce false negatives.]
     
  14. Jefe's MacAir macrumors 6502

    Joined:
    Nov 21, 2010
    #14
    Nobody saw this all along? I thought it was obvious what was happening. And I'd assume that very few phones were hacked, just serial numbers found and given to confirm for secondary sales.
     
  15. mi7chy macrumors 603

    mi7chy

    Joined:
    Oct 24, 2014
    #15
    BS. That method to iCloud unlock is for the less than 1% since it requires expensive specialized equipment and skills to accomplish. The only reason iCloud lock exists is Apple greed to limit used equipment market.
     
  16. zaaach48, Jan 30, 2017
    Last edited by a moderator: Jan 30, 2017

    zaaach48 macrumors regular

    zaaach48

    Joined:
    Nov 2, 2016
    Location:
    Philadelphia
    #16
    It seems like a lot of work, but if you work for organized crime, you pay kids to do it for a few bucks on a large scale and make a lot of profit.

    The black market for iDevices is insane. Working at Apple, we saw many resellers every day. Same guy would come in every day with 2 phones that don't turn on, are registered to someone on the other side of the country, and they don't care about the data on the device. Usually they tell some ridiculous story (in very broken English) about how it's their sister's phone and she can't be here, and it got hot and doesn't turn on, yada yada yada... They come in looking to get them swapped for new phones. Somewhere down the line I am convinced that organized crime is involved.

    My theory:

    Phones are stolen by petty thieves on the street and out of cars... The thieves sell the phones cheap to people involved in organized crime. The phones are activation locked of course, so they can't just be resold. So they tamper with them and either switch the serial number (shown in this video) or make them unable to power on (usually by damaging certain logic board components). Bring them to Apple, get them swapped for good new phones, and then re-sell... or better yet, illegally smuggle them back into China without paying taxes and sell them for massive profit. Basically iPhone laundering.
     
  17. keysofanxiety macrumors G3

    keysofanxiety

    Joined:
    Nov 23, 2011
    #17
    Yeah, all those pesky iOS users in the late '70s and early '80s. ;)
     
  18. zaaach48 macrumors regular

    zaaach48

    Joined:
    Nov 2, 2016
    Location:
    Philadelphia
    #18
    You are ridiculous... Apple provides instructions on how to remove activation lock before selling your phone. Apple offers high trade-in value for used phones. Activation lock is to help deter theft.

    And yeah, the video was not meant to be something the average user can do. But the devices could pay for themselves if, say, a wealthy criminal made the initial investment and could easily recoup with the hundreds of stolen devices he launders.
     
  19. nburwell macrumors 601

    nburwell

    Joined:
    May 6, 2008
    Location:
    DE
    #19
    That now makes sense why myself and a lot of others experienced our 6s devices being activation locked after we restored the phone even though many of us were the original owners. Scary stuff.
     
  20. zaaach48 macrumors regular

    zaaach48

    Joined:
    Nov 2, 2016
    Location:
    Philadelphia
    #20
    Was it an email that was a long string of numbers, or perhaps ending in @qq.com?
     
  21. oneMadRssn macrumors 601

    oneMadRssn

    Joined:
    Sep 8, 2011
    Location:
    New England
    #21
    Holy cow that video is awesome. iFixit should revise their repairability score for the iPad - clearly their score of 2/10 is way too low.

    Seriously though. I'm not a fan of the black-market selling stolen iPads and iPhones, but I'd be lying if I said I was more angry than impressed.
     
  22. jent macrumors 6502a

    jent

    Joined:
    Mar 31, 2010
    #22
    Wouldn't a solution that is relatively simple for Apple to implement be to require that a user type in the serial number, the IMEI, and the CAPTCHA text? Each serial number only has one corresponding IMEI, so you couldn't just guess your way through both as the article explained people did with the serial number.
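
The check proposed in post #22, sketched as an added example (not part of the thread and not Apple's implementation): a status lookup that answers only when serial number and IMEI match as a pair, gives the same reply for an unknown serial and a wrong IMEI, and caps queries per client. The registry entries, limits and all names are constructed for illustration; the CAPTCHA step is left out.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample records (serial -> (IMEI, locked?)); not real devices.
REGISTRY = {
    "SERIALAAAA01": ("350000000000011", True),
    "SERIALAAAA02": ("350000000000029", False),
}
MAX_QUERIES = 5         # assumed per-client budget
WINDOW_SECONDS = 3600   # assumed sliding window


class LockStatusChecker:
    def __init__(self, registry, clock=time.monotonic):
        self.registry = registry
        self.clock = clock                  # injectable so the limit can be tested
        self.history = defaultdict(deque)   # client id -> recent query times

    def _within_budget(self, client_id):
        now = self.clock()
        recent = self.history[client_id]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_QUERIES:
            return False
        recent.append(now)                  # every answered query counts, hit or miss
        return True

    def check(self, client_id, serial, imei):
        if not self._within_budget(client_id):
            return "rate_limited"
        record = self.registry.get(serial)
        expected_imei = record[0] if record else ""
        # Always run the comparison, then require that the serial exists, so an
        # unknown serial and a wrong IMEI take the same path and get the same reply.
        pair_ok = hmac.compare_digest(expected_imei.encode(), imei.encode())
        if not (pair_ok and record is not None):
            return "no_match"
        return "locked" if record[1] else "not_locked"
```

Because a miss never says which half of the pair was wrong, the lookup no longer confirms that a serial number on its own is valid.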
     
  23. Relentless Power macrumors Penryn

    Relentless Power

    Joined:
    Jul 12, 2016
    #23
    Interesting post. But true. It shows how security has to be constantly dynamic and changing to meet the different conundrums posed by criminals.
     
  24. nburwell macrumors 601

    nburwell

    Joined:
    May 6, 2008
    Location:
    DE
    #24
    To be honest, I can't even recollect the email my 6s was "registered" to once I factory restored it. All I know is that it was a very odd email address. So it quite possibly could have ended in "@qq.com"
     
  25. macTW Suspended

    Joined:
    Oct 17, 2016
    #25
    This explains a lot. Not only the random locks on phones but the lack of frequency of them - serial numbers are hard to guess.
     
