Apple's Activation Lock Website Played Key Role in Hack, Perhaps Explaining its Removal

[Jvanleuvan]

BS. That method to iCloud unlock is for the less than 1% since it requires expensive specialized equipment and skills to accomplish. The only reason iCloud lock exists is Apple greed to limit used equipment market.

Actually, I believe a solution at least markedly similar to Activation Lock is REQUIRED by law in at least California

http://www.techrepublic.com/article...i-theft-law-iphone-appears-to-already-comply/


I do agree that Apple should digitally sign their Serial #'s.
Just encrypt it on the device, as long as the key is not compromised then only apple could ever decrypt it.

The issue is HOW to encrypt them; especially ones already out in the wild; any software update that would encrypt the Serial# could be decompiled to expose any encryption key.

But for new devices, they could be encrypted at the factory; Apple could provide their manufacturers with a list of already encrypted Serial #'s

 

[CharlesShaw]

On top of everything else, I can now worry about whether or not it's ever going to be safe to log out of my iPhone 7.

 

[Morac]

How does removing the activation lock "put an end to the Apple ID issue"? It doesn't fix the underlying problem of hackers being able to change the Serial number. It just prevents them from checking that the number is not locked. It makes it harder to do, but considering the thieves were willing to spend the time dismantling who knows how many iOS devices, I still think it would be worth it to them to try changing the serial number and see if it worked.

 

[RogerWilco]

Wouldn't a simple solution relatively simple for Apple to implement be to require that a user type in the serial number, the IMEI, and the CAPTCHA text? Each serial number only has one corresponding IMEI, so you couldn't just guess your way both through as the article explained people did with the serial number.

You expect Apple to use multi-factor authentication? Pshaw, only computer geeks know about that kind of stuff.

 

[avanpelt]

There is nothing especially sinister about the video or other aspects of the company that produced it. They are not necessarily in business just to help theives. In fact the video is very technical in nature and not many people would have the skills to successfully change the serials.

You're kidding, right? Why in the world would anyone have any legitimate reason for altering the serial number of an iOS device?

Some people who stand to make a pile of money from the sale of iOS devices will definitely do what they need to do in order to obtain the knowledge and skills necessary to pull this off. There are plenty of people out there whose sole career revolves around the sale of iOS devices.

I recall reading an article not long ago about someone who grosses upwards of 1M a year selling used iOS devices online. I wish I could remember where I read that article. While I'm not suggesting that that person is resorting to nefarious tactics like this in order to make a living, I'm sure some people are.

 

[ChazSch]

On top of everything else, I can now worry about whether or not it's ever going to be safe to log out of my iPhone 7.

what do you mean "log out" of your phone?

I restart mine, but I never "Log Out".

 

[dimplemonkey]

Nice soundtrack on that video! I tried to Shazaam it with Siri and now my phone has been hacked. Thanks, guys!

 

[Morac]

Wouldn't a simple solution relatively simple for Apple to implement be to require that a user type in the serial number, the IMEI, and the CAPTCHA text? Each serial number only has one corresponding IMEI, so you couldn't just guess your way both through as the article explained people did with the serial number.

What about WiFi only devices that don't have an IMEI?
[doublepost=1485814674][/doublepost]

probably needs a hardware redesign, change the chip so that the serial number can't be changed.

I'm pretty sure there's a reason that it can be changed. Apple changing the numbers of refurbished devices. I don't think they were expected third party people to have the equipment to change the numbers.

The real solution, which has already been mentioned, is that the serial number needs to be encrypted. I believe that could use the secure enclave to store the encryption key so it's not impossible to do. The problem is that I don't think existing devices could be updated to do that, so it would only work for newer devices.

 

[alphaq_up]

I think you can - but - you need to show proof of purchase - because they can undo an activation lock in the store. Alternatively, you can do it through AppleCare - but, it takes longer.

*Spelling correction

I'm aware that if they bring proof of purchase and photo ID, through iCloud Support Tool, the device can be activation unlocked; as long as it's not in Lost Mode. What I was referring to, was the previous reply's assumption that customers can just bring in activation locked devices and get Apple to replace them.

Systematically, repairs through the Genius Bar cannot be saved if Find My iPhone cannot be turned off. So.. there's no money laundering here through the Genius Bar.

Source: Apple Technical Specialist (me)

 

[Carnegie]

what do you mean "log out" of your phone?

I restart mine, but I never "Log Out".

I think he means log out of his iCloud account on his iPhone, thus turning off activation lock. The worry he refers to would, I think, be that someone might then be able to put his iPhone's serial number on a different device and then effectively lock him out of his own iPhone.

 

[tywebb13]

I have been watching REWA video's for months now. They just feel so damn therapeutic to watch, and the amount of ingenuity to essentially bypass an activation lock. I understand that Apple implements activation locks to prevent theft, but the theft still occurs, I assume they just get parted out to repair other phones. Anyway, main point, REWA videos are great and you should check out some more.

Edit;
I should point out that I not condone by-passing these sort of security measures but companies like REWA exist because of apples strict policies and the need for these solutions to exist in countries in which apple stores and authorised repairers are not readily available. In our countries, we can just approach an apple store and get out phones swapped or fixed. In countries like Turkey, India and Pakistan etc these easy solutions are not available and fall on the greater service industry to provide solutions to the benefit of the consumer. I am sure when this company first designed this activation lock work around they had no idea that it was locking other consumers out of their devices.

Yeah. I agree.

There is no evidence that rewa have any sinister intentions. Quite the opposite actually.

If new serials coincide with other devices then this is a problem for apple to fix, not rewa. They could easily do this by creating a large number of dummy serials so as to allow the serials to continue to be changed as well as not impacting on other devices.

 

[Nunyabinez]

i watched the video.

and i couldn't help thinking how cold and evil it was.
- google allowing this video to be on YouTube
- the BGM (background music)
- the cool, precision and cleanliness of the operation as shown
- the time that it takes to do this entire process: to make money you would need to actually have 1 person do each operation and set up an assembly line process in order to do scores of iPads per day

it shows an industrial tool that supports unethical actions.

There are plenty of dishonest things that people can do, but what amazes me is the lack of empathy that it must take for crimes like this.

Anyone who has had something of value stolen from them remembers that sick feeling of violation and the pain of realizing that another person doesn't care that they inflicted that suffering on you.

While I would like to consider myself a person who tries to do the right thing, the truth is that when I'm confronted with the temptation to take something that is not mine, all I can think about is how it would feel to have that done to me and I can't do it.

 

[M2M]

Simple fix. Make a lookup only possible with iTunes ID login first. Limit lookup to one per hour.

 

[blacktape242]

what a process

 

[PaulRustad007]

no matter your opinion on what is right and what is wrong, the whole video was pretty interesting to watch.

 

[DJLAXL]

Last week, someone changed the CC on my acct and bought two in app purchases for some Chinese game. It wasnt my CC, and I had no idea how it happened. I immediately changed the password and changed the CC back. I also turned on TFA. I immediately got a sign in attempt from Sacramento so I denied it. On Friday, I was in Vegas and BOOM! "Your Apple ID is disabled" The owner of the CC probably questioned the charges. Sucks man. Can't download or update anything and emails and phone calls to Apple have not helped. First time in 11 years that I've had a problem with Apple

 

[krrose27]

Nvm....

 

[SuperMarioKart]

I remember the last time I was at the Apple store getting a bent iPhone 6 replaced, the Genius had erased my phone(even though no data was on the phone, just a fresh iOS install) and the phone asked for an Apple ID & password to activate. I knew for certain nothing was linked to the phone since it had just been erased. I had to wait about 20 minutes for the supervisor to approve the replacement order. I think this was back in June or July. I just thought it was a glitch that a random iCloud wasn't shown in the settings but attached on the server.

 

[tentales]

How does removing the activation lock "put an end to the Apple ID issue"? It doesn't fix the underlying problem of hackers being able to change the Serial number. It just prevents them from checking that the number is not locked. It makes it harder to do, but considering the thieves were willing to spend the time dismantling who knows how many iOS devices, I still think it would be worth it to them to try changing the serial number and see if it worked.

Exactly, just one small hurdle added for the thieves and one giant step to overcome for legit users.
Isn't that always the case with security ? The "pros" can get around anything, but the honest users have to deal with increasing security complexities.

On a related note, I've filed a case with Apple for frequently getting locked out of my Apple ID.
15+ years with no issues and since November I've been forced to reset my password 9 times, because of "security locked" by Apple.

 

[djdrah]

perhaps Apple will move the sn to the secure enclave so the ID can be retrieved but not changed (or else brick the device).

I agree. Don't leave an un-encrypted chip behind to be hacked...

 

[thespacekid]

What was bizarre was when my iPhone 4 I used for listening to music without the phone activated and without FindMyPhone activated nor any lock code nor any iCloud account associated with it for years get locked up when I erased it to fix an iTunes problem. No idea what the iCloud account was used until working with Apple. Turns out it was an apple ID I had used as a mail account, not an iCloud account.

 

[zantafio]

May be a solution: Apple could keep in its database a pair Serianl Number + MAC address for each device produced.

 

[BootsWalking]

I think I called it back in October:

https://forums.macrumors.com/thread...-wrong-apple-ids.2004550/page-2#post-23671727

 

[avanpelt]

How does removing the activation lock "put an end to the Apple ID issue"? It doesn't fix the underlying problem of hackers being able to change the Serial number. It just prevents them from checking that the number is not locked. It makes it harder to do, but considering the thieves were willing to spend the time dismantling who knows how many iOS devices, I still think it would be worth it to them to try changing the serial number and see if it worked.

They don't just plug the iPhone into a computer that's running special software to alter the serial number. They have to disassemble the phone and place the phone's hard disk chip into a special device in order to change the serial number. Then, after the serial number is changed, they have to reassemble the phone. That's hardly a process I would want to have to do more than once per phone.

 

[raghu8912]

BS. That method to iCloud unlock is for the less than 1% since it requires expensive specialized equipment and skills to accomplish. The only reason iCloud lock exists is Apple greed to limit used equipment market.

The only reason iCloud lock exists is Apple greed to limit used equipment market.
Don't understand, Apple doesn't control how many times you sell your iPhone, you can always reset iPhone to factory settings & sell it, how is apple controlling how many times, what price, to whom you are selling your iPhone ? Locking iPhone to iCloud will make sure that lost/stolen phones can't be used.