Do you really believe the sincerity of these guys?

They claim:
1) They spent 5 months hacking the system
2) They were successful.
3) They told Apple. Why? Is there a reward?
4) Hearing nothing, they find 30,000 stolen iPhones just lying around to apply the hack to.
5) Out of the kindness of their hearts, after doing all the above, they go public with it. Why?

It doesn't pass the sniff test.
 
Do you really believe the sincerity of these guys?

They claim:
1) They spent 5 months hacking the system
2) They were successful.
3) They told Apple. Why? Is there a reward?
4) Hearing nothing, they find 30,000 stolen iPhones just lying around to apply the hack to.
5) Out of the kindness of their hearts, after doing all the above, they go public with it. Why?

It doesn't pass the sniff test.

Yes it does because that's how the white/gray hat community works.
 
These hackers had 30,000 stolen iPhones at their disposal to unlock? That's amazing! I had no idea any thief could be that prolific.

I'm not sure if you know this but there is an entire phone recycling industry that is saddled with tons of iCloud locked devices.
Apple isn't even unlocking them for carriers.
There are a bunch of people that are looking forward to this to keep iPhones out of landfills.
 
These hackers had 30,000 stolen iPhones at their disposal to unlock? That's amazing! I had no idea any thief could be that prolific.

Looking at their Twitter it seems they made a "spoof" Apple Server and let people all over the world connect to unlock their devices.

That's how they got to 30'000 devices. To think that many thieves got away with unlocking iPhones makes me so angry. Having had my iPhone stolen recently, I'm seriously rooting for Apple to fix this ASAP.
 
Couldn't figure out how to quote a quote, so bear with me:

"The problem is with verifying the certificate. Apple appears to have deliberately left out this essential step required for proper secure communication. They fixed it last month for iOS but forgot to fix it for iTunes."

After learning more and more about the state of digital security over the past few months, I'm finding it harder and harder to fault Apple. When exploitable holes are deliberately left open, it seems to me that there is usually a certain government agency forcing the company to leave them open (to make their job easier). After all, the NSA has a well documented habit of trying to undermine security on the internet, and bully pretty much everyone into leaving backdoors open. Even the biggest tech giants can't directly disobey the NSA at this point.
 
Apple will use this excuse to deny giving NSA access to their servers but looks like Apple did it intentionally to let them in. Funny how folks believe Apple is trustworthy when they leave back doors open. Google, Microsoft, Apple and the rest of them, minus BB seem to be leaving holes so governments can access. But now the other bad guys found the hole and exploit it. Way to go Apple.

So this means the NSA now knows I once downloaded the Rebecca Black "its friday" soundboard?!? Do you think they now know I have a love of unicorns?

Hmm, what's a secure way for me to send information if not the internet? I can't use the post office, they are too smart for that and they will X-ray my mail. Telegram? No, that's still over a wire easily hacked... Ahh, carrier pigeon! That can be intercepted and switched. Well, before smartphones I used dead drops, maybe that will work again, crap, they are probably reading this...

My point is I guarantee nothing you have even piques the NSA's interests so don't worry about it, or get a BlackBerry and don't sign onto forums because then the man knows what your interests are.
 
They're in the UK, right? Well, the Telegraph is. Who cares?

No, they are in the Netherlands and Morocco. The paper is named De Telegraaf. And, to repeat, they did not claim to have unlocked all these iPhones. That is not what the article says.
 
This is why iCloud is useless for sensitive data. This will always be a problem. Until these companies stop trying to sell cloud services and embrace letting users create their own network services with ease, this will continue to be the case. At the very least, Apple lets you use any other IMAP server for notes, mail, calendar, etc, and that's good. But it should be that they provide the functionality of complete private cloud servers to users. Same for all these other subscription obsessed computer tech companies.
 
Either way, I hope Apple is doing the right thing and patching the hole. If the hackers did or didn't notify Apple, there appears to be a hole and if it is indeed a hole, the news is out so Apple can't say they did not know anything about it after this story broke.

So Apple fix it and be done with it. Until the next go around.
 
I may be alone but I really don't see the big deal even IF this is true. If my phone was stolen and I remote wiped it and activation locked it I feel I have done my best and Apple has provided me with the tools to do my best.

This is like if someone broke into my house stole my safe with all my valuables and then used a plasma torch to open it. Do I run to my safe company and say how dare you make a safe so easy to break into? No I don't.

This is going to turn into a thing where people overreact and demand we have security like a Mission Impossible self destructing phone that can be enabled through iCloud (sad that I'm joking and at the same time not).

So basically I think this will be patched if it's a real vulnerability and in the end keep an eye on your stuff so it doesn't get stolen, have some personal responsibility because in the end if your phone or anything else gets stolen you're already beat. That's my 2 cents.
I like the safe analogy, it’s a pretty sound comparison.
Except that what apparently has happened (although still unconfirmed perhaps) is that some flaw that Apple has has been used to do all of this. If you are really going to go with a safe analogy of some sort, it's not that some brute force torch was used to open it, but some weird manufacturer flaw was used to crack it open--are you truly saying that the manufacturer shouldn't be looked down upon for having such a flaw and not fixing it in a case like that?

----------

This is why iCloud is useless for sensitive data. This will always be a problem. Until these companies stop trying to sell cloud services and embrace letting users create their own network services with ease, this will continue to be the case. At the very least, Apple lets you use any other IMAP server for notes, mail, calendar, etc, and that's good. But it should be that they provide the functionality of complete private cloud servers to users. Same for all these other subscription obsessed computer tech companies.
Well, other services can be hacked, even private cloud solutions can be hacked. Nothing is perfect.
 
Except that what apparently has happened (although still unconfirmed perhaps) is that some flaw that Apple has has been used to do all of this. If you are really going to go with a safe analogy of some sort, it's not that some brute force torch was used to open it, but some weird manufacturer flaw was used to crack it open--are you truly saying that the manufacturer shouldn't be looked down upon for having such a flaw and not fixing it in a case like that?

Well, we don't know how they did it but if they set up a spoofed iCloud server and ran an unlock from there I say that's pretty close to a jackhammer of technology. It's not like they ran "unlock locked iPhone" in terminal and all of a sudden it's unlocked.

Whatever it was, if real, will be found and patched soon. Hold your phone close to the chest till then. I'm really not all that worried about it.
 
Apple will use this excuse to deny giving NSA access to their servers but looks like Apple did it intentionally to let them in. Funny how folks believe Apple is trustworthy when they leave back doors open. Google, Microsoft, Apple and the rest of them, minus BB seem to be leaving holes so governments can access. But now the other bad guys found the hole and exploit it. Way to go Apple.

You seriously blame Apple for (possibly) being blackmailed into leaving backdoors open?? The options are literally shut-up and do as we say without telling the public, or go to jail. Other companies have completely shut themselves down to avoid this situation, basically losing everything in the process. And even they are facing possible obstruction of justice type allegations. At least put the blame where blame is due - the people jeopardizing the security of users worldwide in order to make their jobs easier. I didn't realize intelligence had simply become a euphemism for legislated bullying followed by essentially just mindlessly scanning through some key phrases or something. Too bad the NSA can't convince the bad guys to use hashtags...
 
Well, we don't know how they did it but if they set up a spoofed iCloud server and ran an unlock from there I say that's pretty close to a jackhammer of technology. It's not like they ran "unlock locked iPhone" in terminal and all of a sudden it's unlocked.

Whatever it was, if real, will be found and patched soon. Hold your phone close to the chest till then. I'm really not all that worried about it.
It's still mostly on Apple then for not having enough checks/security to make sure that their servers in general, and especially for something like this, can't be spoofed.
 
Hate to say it to the defenders of "the cloud", but "YOU WERE WARNED".

Not only is "the cloud" just a euphemism for your data on someone else's hard drive, it is an unsecure hard drive that will ALWAYS be a target for hackers, snoopers, and of course, the NSA. :p
 
Well, we don't know how they did it but if they set up a spoofed iCloud server and ran an unlock from there I say that's pretty close to a jackhammer of technology. It's not like they ran "unlock locked iPhone" in terminal and all of a sudden it's unlocked.

Whatever it was, if real, will be found and patched soon. Hold your phone close to the chest till then. I'm really not all that worried about it.

Here's what I think happened:

My guess is that Apple never built in a mechanism for verifying the SSL certificates from the iCloud servers. They probably hard coded the fingerprints into the code on the phone, but either forgot to make the software actually verify that the cert being presented matched one of the stored fingerprints, or implemented it incorrectly and it simply didn't do so.

Thus, any SSL cert presented to the phone and claiming to be the iCloud server is accepted by the phone as valid, since the phone is not verifying it against its list of known iCloud cert fingerprints.

This is not an SSL bug; it's an implementation problem on the part of Apple. Storing known cert fingerprints is OK as long as you can verify that the one you're presented with is one of the known good guys. If that mechanism does not exist or fails, then any certificate can be used to spoof the iCloud server and the phone would never know it.
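
The check this post describes, as an added example (not part of the original thread and not Apple's code): a client that ships pinned fingerprints but never compares them, beside one that fails closed unless the presented certificate matches a pin. The function names and certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def accept_broken(der_cert: bytes, pins: frozenset) -> bool:
    # The failure mode guessed at in the post: pins ship with the client,
    # but nothing ever compares the presented certificate against them.
    return True

def accept_pinned(der_cert: bytes, pins: frozenset) -> bool:
    # Fail closed: an empty or missing pin set must never mean "accept all".
    if not der_cert or not pins:
        return False
    presented = fingerprint(der_cert)
    matched = False
    for pin in pins:  # compare against every pin, in constant time per pin
        matched |= hmac.compare_digest(presented, pin.lower())
    return matched

def connect_pinned(host: str, port: int, pins: frozenset) -> ssl.SSLSocket:
    # Normal chain and hostname validation first, then the pin check on top.
    ctx = ssl.create_default_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    if not accept_pinned(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError("server certificate matches no pinned fingerprint")
    return sock

# Constructed stand-ins for DER certificates (not real certificates).
GENUINE_CERT = b"constructed-der-bytes:genuine-server"
SPOOFED_CERT = b"constructed-der-bytes:spoofed-server"
PINS = frozenset({fingerprint(GENUINE_CERT)})

def demo() -> dict:
    return {
        "broken_accepts_spoof": accept_broken(SPOOFED_CERT, PINS),
        "pinned_accepts_spoof": accept_pinned(SPOOFED_CERT, PINS),
        "pinned_accepts_genuine": accept_pinned(GENUINE_CERT, PINS),
        "pinned_with_no_pins": accept_pinned(GENUINE_CERT, frozenset()),
    }
```
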
 
It's still mostly on Apple then for not having enough checks/security to make sure that their servers in general, and especially for something like this, can't be spoofed.

What does this article tell us? That hackers were able to unlock activation locked iPhones. Ok... so they don't get my info they just now can use a phone they stole off me.

Most companies are fighting to NOT have activation locks mandatory. The point of this is to make it hard for people to use a phone after it's stolen. No one said "it's now impossible for anyone ever to use this phone"; it's a deterrent, and if you need something more the only real option is my joke earlier, the self destructing phone... but you probably can't bring that on an airplane.
 
Considering the article relies so heavily on an SSL exploit which the hackers deny, I find it questionable along with the 30K unlocks.

Apple along with some other entities typically don't reply back on software bugs, security exploits. Not unless the developers need more information. I usually consider such hackers looking for fame in connection with Apple who give them a timetable.

Was also talked about in the jailbreak community which also makes me wonder if this was also about jailbroken iPhones.
 
Considering the article relies so heavily on an SSL exploit which the hackers deny, I find it questionable along with the 30K unlocks.

Apple along with some other entities typically don't reply back on software bugs, security exploits. Not unless the developers need more information. I usually consider such hackers looking for fame in connection with Apple who give them a timetable.

I also find this whole thing questionable. It's about as credible as all the mockups of the new iPhone.
 
Is this the same community that informed Google of a major flaw that allowed phones to be taken over 8 months before going public?

OK… I see you're taking this personally because you seem to think that Apple is being dumped upon?
 
These billion dollar companies really need to stay on top of all this. They're happy to take your money but not so quick to safeguard your details.

And now there's trouble at eBay.

It's easy for someone without intimate knowledge of just how complex it is to keep ahead of the hackers, and how complex it is to run a billion dollar company to dumb it down and claim that the company doesn't care or is incompetent.
 
I'm surprised at the level of ignorance here about "hacking." The assumption seems to be that hacking is an illegal activity and that hackers are all thieves.

There is a large community of hackers that either for a job or as a hobby are trying to identify security holes in systems (White Hats). When they find one, they let the company know privately to give them time to patch it before they go public with the information. For many of these people, it's their moment of fame and they are quite proud that they have been able to find these. For some they are doing it as their duty to try to make important systems more secure.

Companies that are smart simply thank the hackers and ask them to wait until the patch is out, then allow them to take credit. Sometimes companies ignore the hackers and when sufficient time has passed the hackers make it public, because they want their fame, or they may be more altruistic and simply want the hole closed so that people don't get hurt.

So, there is no indication that these are malevolent hackers (Black Hats) and if as claimed, Apple knew about this, they did the right thing to demonstrate that it really exists to force Apple to close it, and most likely to get their props.
 
Anyone who claims Apple doesn't take security of its products and services seriously, and doesn't care passionately about protecting our personal information - put simply they don't know Apple. There is no company on earth who has a better track record in this arena than Apple.

Are you kidding? It took Apple years to add remote lock on their phone. Apple was making money off stolen iPhones and had no incentive to fix the problem until it looked like the government would force them to.
 
Given simple math, if this process takes 3 minutes at least, they would need 5 computers working 24/7 non-stop for 12.5 days to do 30,000 phones...

Cool, so for an investment of $2,500 for five PCs and assuming you can sell an unlocked stolen phone for $50 more than a locked one you can make $5,000 per hour. Beats the heck out of working at most jobs.
 