They claimed they unlocked 30,000 iPhones??? I'm to believe that many iPhones' activation lock was bypassed and the internet community was not ablaze with that info???

Well, it's typical hackers who are clever and stupid at the same time. This will give them a massive charge for handling stolen goods - if true.
 
Are you kidding? It took Apple years to add remote lock on their phone. Apple was making money off stolen iPhones and had no incentive to fix the problem until it looked like the government would force them to.

Apple is not responsible for stolen iPhones. It's up to the users to ensure they take the proper measures to ensure their valuables are secure. While the Remote Lock is a nice feature to have, let's put the blame where the problem really lies... thieves and keeping track of your own phone.
 
What does this article tell us? That hackers were able to unlock activation locked iPhones. Ok... so they don't get my info they just now can use a phone they stole off me.

Most companies are fighting to NOT have activation locks mandatory. The point of this is to make it hard for people to use a phone after it's stolen. No one said "it's now impossible for anyone ever to use this phone"; it's a deterrent, and if you need something more the only real option is my joke earlier, the self-destructing phone... but you probably can't bring that on an airplane.
What does that have to do with Apple providing and essentially advertising a service that can be bypassed due to something lacking or being lax as far as some security related to that service goes? If they don't want to provide it, then they shouldn't. But if they do decide to provide it they should make sure it's as secure as possible--that doesn't mean there won't be security issues, but they would be on the lookout for them and address them as soon as possible.

Furthermore, the article seems to also reference getting into iCloud in general and/or getting other data, beyond being able to bypass Activation Lock, which makes it that much worse. Again, assuming all of this is confirmed.
 
Not only that, but ....

Many times, the original owner isn't all that techno-savvy and he/she doesn't even understand why there should be a need to take steps to unlink the device from a personal iCloud account.

I run into people, all the time, who aren't even aware their phone is configured with an iCloud login, because someone else (a family member or friend or relative) did the initial setup for them. They may have no idea what the saved iCloud password is on the device.


Not 100% of the time -- I've seen phones where the original owner forgot to unlock the phone before selling it, but Apple doesn't provide a way to contact/email the original owner :(

But aye, they are mostly stolen.
 
Any cloud service is useless and insecure. I knew this when cloud computing was proposed. Why would anyone trust your personal files to a stranger? Your best bet is do it yourself. Not that hard to do.
I'd like to set up a private "cloud" on a NAS at home for our Apple devices. Do you have a quick suggestion for software or for a set-up guide? Thanks!
 
There IS a solution to this whole mess that does not involve remote locking.

1) Apple burns a serial number into each CPU chip. I mean really burns into memory that can never be changed. This kind of memory is made with actual fuses. Bits of metal that vaporize. The unique is burned in at the factory and never changes even when a phone is sold. It is like the VIN number on your car.

Whenever the phone is activated to connect the phone to a new phone service contract the "VIN number" in the CPU chip is sent to Apple.

Apple then checks the number against a database of owners and if there is no match Apple says "It appears that there is a new owner." and charges the new owner $1 to update the database. They accept only credit cards for payment.

In most cases where someone just bought a used phone or gave the old phone to a relative the $1 is no big deal and the name is changed.

BUT if the phone is reported stolen, they accept the credit card info, and notify the police. Likely the poor guy trying to activate his eBay iPhone was not the thief but nonetheless the cops show up and want to recover the stolen property.

The key is the ID number that can never be changed because it used fuses for memory. This is not a new technology. It's way-old, one of the first kind invented.
 
Unless you build a mock server that emulates what Apples does so you can bypass the whole thing.

Kind of like what just happened.
 
Just like people who do that would have or know of access to stolen credit card numbers they could use. Furthermore, unless we are talking about some high capacity outfit that is doing a ton of this and can actually be traced to it somehow (again think stolen credit cards which pretty much obscures all of that), cops will more than likely not go after single cases like in most situations--plenty of reports of people taking phones that they have found to cops and cops just turning them away as they won't do anything about it or care about that.

----------

Ok, the scary bug is not unlocking locked phones... The scary bug is LOCKING phones.
How exactly?
 
I guess Apple was too worried about the ongoing lawsuit with Samsung at the time. Well, there is no need to change my Apple password as of yet considering there is no fix. Just need to keep a close eye on all my info.
 
I imagine this will be solved with a simple iOS update and a change of Apple's server.

That being said -- on a similar topic - Now that Activation Lock exists, it is astonishing to me the sheer amount of iCloud locked iPhones on eBay that are pretty much only good for parts/trash. On the one hand, yes it might keep phones in the owner's possession, but on the other hand, it creates a lot of garbage that will end up in the landfill.

Possibly even more surprising to me is that people are paying almost full price for these locked phones :(

There will always be a resale market for these locked phones anyway, to be used for parts, which still brings a good price. I actually had to buy a locked phone for parts to fix mine, which required swapping the main board and touch sensor since Apple locks the home touch sensor to the main chip. Still a heck of a lot cheaper than buying a new phone or paying Apple to fix it.
 
Everything you just said is purely speculation on your part. The only thing the article said was "The hack will unlock stolen iPhones by bypassing Activation Lock, making it possible for thieves to resell the phones easily on the black market, reports Dutch publication De Telegraaf [Google Translate]. It also MAY provide hackers with access to Apple ID passwords and other personal information stored in Apple's iCloud service."

Not really your fault because the writer of the article is adding their own speculation to make the article more interesting and shocking. That is media hype. The only thing that they claim to be fact is that it can unlock a locked phone. The rest is speculation of the writer. Everything even discussed here says that it's basically using a computer to pretend to be iCloud and saying it's ok to unlock. To sum up in 2 points:
1. No personal information on the phone because it was activation locked, therefore wiped.
2. iCloud has not been hacked.

This speculation is absurd and unwarranted with the information this article gave us. The original article should have said "hackers allegedly find way to bypass activation lock", that's it, because really that's the only fact in there.
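
An added example, not part of any post in this thread and not Apple's actual protocol: the "mock server" and "computer pretending to be iCloud" described above only succeed against a device that accepts an unlock answer from whichever host replies. The Go sketch below contrasts that with a device that requires a signature from a pinned service key over its own ID and a fresh nonce. The `Response` type, every function name and the device ID are hypothetical, and the keys and nonces are constructed at run time.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Response is a hypothetical activation answer, not Apple's wire format.
type Response struct {
	DeviceID   string
	Nonce, Sig []byte
	Unlock     bool
}

// payload is the exact byte string covered by the signature.
func payload(id string, nonce []byte, unlock bool) []byte {
	return []byte(fmt.Sprintf("%d:%s|%x|%t", len(id), id, nonce, unlock))
}

// Sign is what the holder of the service's private key would do.
func Sign(priv ed25519.PrivateKey, id string, nonce []byte, unlock bool) Response {
	return Response{id, nonce, ed25519.Sign(priv, payload(id, nonce, unlock)), unlock}
}

// NaiveAccept trusts any host that answers "unlock": the weak pattern.
func NaiveAccept(r Response) bool { return r.Unlock }

// VerifiedAccept needs the pinned key's signature over this device's ID and fresh nonce.
func VerifiedAccept(pinned ed25519.PublicKey, id string, nonce []byte, r Response) bool {
	if r.DeviceID != id || !bytes.Equal(r.Nonce, nonce) {
		return false // answer for another device, or a replayed one
	}
	return r.Unlock && ed25519.Verify(pinned, payload(id, nonce, r.Unlock), r.Sig)
}

// Demo runs constructed inputs: impostor key, genuine key, replayed genuine answer.
func Demo() (naive, forged, genuine, replayed bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, fakePriv, _ := ed25519.GenerateKey(rand.Reader)
	id, n1, n2 := "DEVICE-ID-PLACEHOLDER", make([]byte, 16), make([]byte, 16)
	rand.Read(n1)
	rand.Read(n2)
	bad, good := Sign(fakePriv, id, n1, true), Sign(priv, id, n1, true)
	return NaiveAccept(bad), VerifiedAccept(pub, id, n1, bad),
		VerifiedAccept(pub, id, n1, good), VerifiedAccept(pub, id, n2, good)
}
func main() { fmt.Println(Demo()) }
```

The naive check accepts the impostor's answer; the verified check accepts only the genuine signature, and rejects that same genuine answer when it is replayed against a different nonce.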
 
Apple didn't patch it in a week. They haven't done a thing about it since March. The point is to get Apple to secure their products, and publicly releasing vulnerabilities is the only way to do that.

Can you confirm a few things for me please:
1. This story is true
2. Apple is aware
3. Apple isn't working on a fix

----------

Clearly you don't understand security. If a lock is pickable, you get a better lock. This was a discovery that a lock was able to be bypassed. So Apple can and should build a better lock, even if it's only 5 minutes worth of work.

Yeah, it smells of SSL GoToFail and Man-in-the-middle. A bummer of a time SSL has had lately.

If it took these guys 5 months to pick a lock, I'm not too worried. I'd imagine Apple is working on it now if they weren't already. When is the last time you saw any major vulnerability that Apple was like, "oh well we can't do anything about it"?
 
Nice job of either not reading my whole post or willfully ignoring the last sentence of it: "Again, assuming all of this is confirmed."

----------

We saw a simple but really bad SSL bug in the wild for at least a year if not more before it was actually fixed. That's not to say that Apple knew about it for that long but didn't fix it during all that time, but it is to say that who knows who knew about it and for how long actually before Apple found out about it and did something. And the bug itself was just plain stupid, yet made by Apple, certainly putting it well in their court even if they didn't know about it until way down the road.
 
Just went and read the twitter handle and the guy behind it seems like a complete *******...

Apple apparently sent him an email asking him not to go online with his fake certification server, but he refused to do anything of the kind and boasts about deleting the email. When you look at his feed it's damn full of obvious thieves with up to more than half a dozen iPhones and iPads. So he's basically intentionally going around helping thieves unlock devices they've stolen so that they can sell them on.

Zero sympathies from me if Apple either has its lawyers or local law enforcement **** this guy over badly. I'm not against finding security holes and making functional exploits using them, but in my eyes you lose all respect when you act like a child and start helping thieves.
 
I haven't read all of the posts, so the activation lock is affected only? Should we change our iTunes/iCloud passwords?
 
it can't be SSL because Apple don't use that system, they think it is too fragile.
 
Since when does Apple not use pretty much universally used and standardized technology like SSL?
 