I haven't read all of the posts, so the activation lock is affected only? Should we change our iTunes/iCloud passwords?
Nope, this means just that they can reset a locked and wiped device so that it's no longer just a paperweight or source of spare parts. Literally what they did was find a way to make the devices call up their server instead of Apple's for the authorization to unlock without the password.

In other words: Thieves can now once again wipe your device and sell it on to some unscrupulous bargain hunter. The fix for this is obviously to move the host list into some kind of protected memory space anything except the device itself can access.
 
Well, don't be surprised if it becomes a norm. Any popular platform is bound to have these kinds of vulnerabilities popping up because they are targeted specifically for it, also that's what some people do and specialize in. All Apple can do is patch, which they're rather quick about, except iMessage bug. I consider iOS 7 to be the most buggy iOS ever created, I even found a funny app icon bug where you can have empty page without any apps.
 
Very bad.....

news for Apple and law enforcement that wants to get down on stolen smartphones....:(

I suppose, if the hackers' claim is legit, Apple in some way don't take them seriously. Or seems that way, hence, the hackers go public with the information.
If the ways to implement this hack go public, merchants for stolen goods will be happy....:mad:

But what if the hackers demand a "fee" from Apple for their info and Apple refuses?....It's a lose-lose situation for the Cupertino powerhouse.....:eek:....:confused:


:):apple:
 
I'm a little confused; perhaps someone here can enlighten me as I am unable to access the duolCi website.

If this is a man-in-the-middle attack then that means the locked iPhone has to be connected to the same wifi as the "hosts file" modified computer. If a phone is on the lockscreen how can a new wifi connection be added? Surely this means the potential for attack is actually quite small and only related to people that have no pinlock but have set up Find My iPhone? Maybe I'm missing something.
 
Since when does Apple not use pretty much universally used and standardized technology like SSL?

Phil Schiller commented on the heartbleed virus and said Apple products/services were not affected because they don't use a fragile system like SSL.
 
Phil Schiller commented on the heartbleed virus and said Apple products/services were not affected because they don't use a fragile system like SSL.

Well, they do. Probably not OpenSSL, then.
 
I'm a little confused; perhaps someone here can enlighten me as I am unable to access the duolCi website.

If this is a man-in-the-middle attack then that means the locked iPhone has to be connected to the same wifi as the "hosts file" modified computer. If a phone is on the lockscreen how can a new wifi connection be added? Surely this means the potential for attack is actually quite small and only related to people that have no pinlock but have set up Find My iPhone? Maybe I'm missing something.

Agreed. From the moment I read that they were two Dutch hackers of Moroccan origin I became a bit suspicious. For now I'm living by the assumption that these two are trying to claim their 15 minutes of fame based on some "vulnerability" that doesn't really exist.
 
To think that many thieves got away with unlocking iPhones makes me so angry. Having had my iPhone stolen recently, I'm seriously rooting for Apple to fix this ASAP.

I feel for you. If people want iPhones they should actually earn the money to buy one, not steal someone else's.

----------

I even found a funny app icon bug where you can have empty page without any apps.

How?! :eek:
 
Hackers are as Hackers do

... and considering the US Government has certainly had this capability for years, I'm thinking someone at the NSA will be pretty pissed once Apple is forced to patch this latest "exploit".

:rolleyes:
 
So they wasted 5 months of work so Apple can patch it in a week? I don't see the point

They didn't waste anything. Are you suggesting that independent parties shouldn't try to better security by finding ways to exploit it and then reporting it so it can be fixed. The fact that you don't see the point baffles me.
 
I wonder about the real world consequences for this. I think the idea behind the lock is solid enough, i.e., thieves stealing phones can't enable them.

I think it's also possible for Apple to tighten things up with iOS8
 
Phil Schiller commented on the heartbleed virus and said Apple products/services were not affected because they don't use a fragile system like SSL.
Of course they do, just perhaps not the particular version that was affected.

----------

Agreed. From the moment I read that they were two Dutch hackers of Moroccan origin I became a bit suspicious. For now I'm living by the assumption that these two are trying to claim their 15 minutes of fame based on some "vulnerability" that doesn't really exist.
Yes, their origin totally means something. Any other stereotypical generalizations?
 
Nope, this means just that they can reset a locked and wiped device so that it's no longer just a paperweight or source of spare parts. Literally what they did was find a way to make the devices call up their server instead of Apple's for the authorization to unlock without the password.

In other words: Thieves can now once again wipe your device and sell it on to some unscrupulous bargain hunter. The fix for this is obviously to move the host list into some kind of protected memory space anything except the device itself can access.

What's so complicated about it? All you need to do is point your device to a specially prepared DNS Server, so your device will access their fake "Apple Server".

This technique has been used for ages.

The bad news is that there's hardly anything that is not vulnerable to a man-in-the-middle tap. These hackers have studied the whole communications protocol between an iOS device and Apple's servers, so they know how to give the correct reply that would unlock the device.

The best protection: Keep your iDevices well protected.

If I would have lost my iDevice, I would immediately access FindMyPhone and make it beep.
Still, there are two flaws that would allow a thief to get away unnoticed. I hope Apple fixes these soon:
- Control Center access when the device is locked, allows the thief to place the device in Airplane Mode to avoid being tracked (It can be manually disabled in settings)
- Power OFF should be disabled when the device is locked. A thief could easily turn it OFF and get away without being tracked.
 
What's so complicated about it? All you need to do is point your device to a specially prepared DNS Server, so your device will access their fake "Apple Server".

This technique has been used for ages.

The bad news is that there's hardly anything that is not vulnerable to a man-in-the-middle tap. These hackers have studied the whole communications protocol between an iOS device and Apple's servers, so they know how to give the correct reply that would unlock the device.

The best protection: Keep your iDevices well protected.

If I would have lost my iDevice, I would immediately access FindMyPhone and make it beep.
Still, there are two flaws that would allow a thief to get away unnoticed. I hope Apple fixes these soon:
- Control Center access when the device is locked, allows the thief to place the device in Airplane Mode to avoid being tracked (It can be manually disabled in settings)
- Power OFF should be disabled when the device is locked. A thief could easily turn it OFF and get away without being tracked.
Just like a thief can easily pull the SIM and not even hassle with any of that.
 
Just a thought

So anyone can claim anything they want and people instantly believe them without a shadow of doubt? When did the public become so easily gullible?

I'm not saying it's not true. I'm saying none of us know. Just because some hackers claim something doesn't make it true. And how exactly are they trustworthy to begin with? These are people hacking into places they shouldn't be, unlocking stolen phones, and you don't even have a sliver of doubt about their honesty?

Something to consider. What you just described is what I do for a living. I even teach it. So does this automatically remove me from being honest?

I get what you are saying about automatically believing someone without proof. I am an ardent defender of scientific method. However, you used a stereotype to defend your point.

What I'd like to point out is, what does "a group of hackers" mean? You used your definition of hacker. You didn't even use a definition that is "always" used by news outlets (they change their definition as they see fit). I hang out with a group of hackers on weekends. We try and figure out ways to improve 3D printing. Real nefarious stuff.

I'm just asking you to consider the intentional slant of words used in the media.

----------

Just like a thief can easily pull the SIM and not even hassle with any of that.

So someone steals an iPhone to own an iPod they can't get into?

You are correct, you can pull the SIM. But the second someone inserts a SIM to see if the phone service works, gotcha.

And if the phone is locked, what can you do to make it a useful iPod?

Not much.

So really, the list that was presented was not unreasonable. And although you are correct about pulling the SIM, this is short term. You can't sell the phone as a locked brick, and you can't use it....

So what then?
 
Something to consider. What you just described is what I do for a living. I even teach it. So does this automatically remove me from being honest?

I get what you are saying about automatically believing someone without proof. I am an ardent defender of scientific method. However, you used a stereotype to defend your point.

What I'd like to point out is, what does "a group of hackers" mean? You used your definition of hacker. You didn't even use a definition that is "always" used by news outlets (they change their definition as they see fit). I hang out with a group of hackers on weekends. We try and figure out ways to improve 3D printing. Real nefarious stuff.

I'm just asking you to consider the intentional slant of words used in the media.

----------



So someone steals an iPhone to own an iPod they can't get into?

You are correct, you can pull the SIM. But the second someone inserts a SIM to see if the phone service works, gotcha.

And if the phone is locked, what can you do to make it a useful iPod?

Not much.

So really, the list that was presented was not unreasonable. And although you are correct about pulling the SIM, this is short term. You can't sell the phone as a locked brick, and you can't use it....

So what then?
I was simply saying that not having a way to put the phone into airplane mode or to have a passcode for powering off won't really change the ability to disable the phone from communicating when the SIM can easily be pulled out.
 
Just like a thief can easily pull the SIM and not even hassle with any of that.

True, but that may take some time to do.
Still, good point. Maybe it's time to get rid of external SIM Cards, or to disable ejecting the SIM while the device is ON.

----------

Something to consider. What you just described is what I do for a living. I even teach it. So does this automatically remove me from being honest?

I get what you are saying about automatically believing someone without proof. I am an ardent defender of scientific method. However, you used a stereotype to defend your point.

What I'd like to point out is, what does "a group of hackers" mean? You used your definition of hacker. You didn't even use a definition that is "always" used by news outlets (they change their definition as they see fit). I hang out with a group of hackers on weekends. We try and figure out ways to improve 3D printing. Real nefarious stuff.

I'm just asking you to consider the intentional slant of words used in the media.

----------


Most people don't understand the meaning of the term 'hacker'. Most instantly associate it with Cybercrime.
This shows how much ignorance rules in today's society.
 
Well, they do. Probably not OpenSSL, then.
They don't use it for their services (those probably run on operating systems like Linux, Solaris, etc. anyway) but they do include it in the base install of OS X (for Mavericks this is version 0.9.8y which does not have the heartbleed bug btw). OS X has OpenSSL because it is used for creating keys (most will use it for ssh or for checking md5 and/or sha1 digests).
 
How do we, or anyone else, know that Apple INTENTIONALLY left this open?
We don't, as we don't really know if many things might be intentional or not. Until there's some proof to suggest something, there's really nothing to go on then.
 
They didn't waste anything. Are you suggesting that independent parties shouldn't try to better security by finding ways to exploit it and then reporting it so it can be fixed. The fact that you don't see the point baffles me.

They spent 5 months doing this. Unless they were getting paid, I'd say that's a waste of time. If it took them a day, or a few days, it would be worth it at least for the publicity. The fact that you don't see this as a waste of time is mind boggling.
 
They spent 5 months doing this. Unless they were getting paid, I'd say that's a waste of time. If it took them a day, or a few days, it would be worth it at least for the publicity. The fact that you don't see this as a waste of time is mind boggling.
And if it just took them a few hours on some days over those 5 months--which most would refer to as taking 5 months--that shouldn't seem strange. People have all kinds of hobbies that they often spend even more time on even on a daily basis.
 
And if it just took them a few hours on some days over those 5 months--which most would refer to as taking 5 months--that shouldn't seem strange. People have all kinds of hobbies that they often spend even more time on even on a daily basis.

That's not spending 5 months, that would be "a few hours" so you're making up your own story now.
 