
Hackers claim to have exploit for iCloud, use vulnerability to disable Activation Lock

post #1 of 60
Thread Starter 
A group of hackers calling themselves "Team DoulCi" say that they have figured out a way to execute a man-in-the-middle attack that gives them the ability to intercept users' Apple ID credentials as well as unlock iOS devices that have been made unusable by Activation Lock.




The attack is made possible because the Windows version of iTunes does not properly verify security certificates, according to security researcher Mark Loman of SurfRight. The disclosure was first made on Dutch technology website Tweakers.net.

The hackers, who are not affiliated with Loman, have demonstrated the attack's efficacy by sharing screenshots of what they say are calls to Apple's iCloud activation service. A number of others have chimed in on social media with similar success stories.

Apple recently patched a similar vulnerability in OS X and iOS, but iTunes on Windows remains susceptible. Loman believes that the issue is "either a beginner's mistake, or it was done on purpose" and alleges that it may have been designed to allow intelligence agencies access to iCloud.

Until Apple issues a fix, users are advised not to use iCloud services over public Wi-Fi networks. Users of older iOS devices that no longer receive software updates, such as the first-generation iPad and iPhone 3GS, should exercise particular caution as the vulnerability cannot be patched in those devices.
post #2 of 60

Does this only apply if you are using the Windows version of iTunes?

post #3 of 60
Insane if that really is a basic development mistake. Why would Apple patch the Mac version, but leave the Windows version vulnerable?
post #4 of 60
Quote:
Originally Posted by AppleInsider

Users of older iOS devices that no longer receive software updates, such as the first-generation iPad and iPhone 3GS, should exercise particular caution as the vulnerability cannot be patched in those devices.

You mean *will* not be patched. 

post #5 of 60
melior diabolus quem scies
post #6 of 60
Quote:
Originally Posted by Arlor

You mean *will* not be patched. 

No matter the wording, those who don't upgrade are like animals who can't keep up with the herd and become easy prey to jackals and the like.

Daniel Swanson

post #7 of 60
Quote:
Originally Posted by AppleInsider

Until Apple issues a fix, users are advised not to use iCloud services over public Wi-Fi networks. 

I'm a little puzzled. Does this mean Apple is not using SSL when the iOS device connects to iCloud? The iCloud web interface requires SSL.

Anyway it should be noted that public wifis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the wifis where no password is required.

Life is too short to drink bad coffee.

post #8 of 60
Quote:
Originally Posted by Arlor

You mean *will* not be patched.

If I remember correctly Apple did patch older iOS versions in the past. I don't know why the article says "cannot be patched".

post #9 of 60
Quote:
Originally Posted by AppleInsider

Until Apple issues a fix, users are advised not to use iCloud services over public Wi-Fi networks.

In other words don't use a public WiFi network because iCloud services are constantly working in the background.

The list of services tied to your iCloud ID is much more extensive than people realize.


Quote:
Originally Posted by mstone

Anyway it should be noted that public wifis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the wifis where no password is required.

I don't know of any public WiFi networks that use encryption. Even when you need to enter a passcode into a splash screen to get access to the internet it's still an unencrypted WiFi network.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #10 of 60
Quote:
Originally Posted by mstone

I'm a little puzzled. Does this mean Apple is not using SSL when the iOS device connects to iCloud? The iCloud web interface requires SSL.

Anyway it should be noted that public wifis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the wifis where no password is required.

I don't think iOS and Mac are affected.

It sounds like iTunes Windows client doesn't check server cert. So the hackers were able to spoof a MITM server to steal credentials. Once the credential is stolen this way, they can use it to unlock the right phone.

As long as you stick to iOS and Mac, you should be fine. Or rather, don't use iTunes on Windows in the meantime.
post #11 of 60
Quote:
Originally Posted by patsu

I don't think iOS and Mac are affected.

It sounds like iTunes Windows client doesn't check server cert. So the hackers were able to spoof a MITM server to steal credentials. Once the credential is stolen this way, they can use it to unlock the right phone.

As long as you stick to iOS and Mac, you should be fine. Or rather, don't use iTunes on Windows in the meantime.

The hackers were able to unlock locked (stolen) devices, it seems that in that case it doesn't matter if you at home used iTunes on OS X or Windows. But the vulnerable Windows version presents an opportunity in that case (for that the device needs to be in the possession of the hacker of course).

Edit: Read the original article. Basically they let the phone communicate with a fake server, which sits between the phone and Apple's iCloud (which allows for the phone to be unlocked).
This should also be possible when a user is using an iPhone on an unencrypted WiFi access point.
So it is not only Windows it seems. The hackers claim that more than 30000 stolen iPhones have been unlocked and sold for profit this way.

So the unlocking of the phones uses the iTunes vulnerability that it doesn't verify server certificates, but being vulnerable while using a computer seems Windows only (i.e. direct password interception).
Edited by Chipsy - 5/21/14 at 4:54pm
post #12 of 60
Quote:
Originally Posted by SolipsismX

In other words don't use a public WiFi network because iCloud services are constantly working in the background.

The list of services tied to your iCloud ID is much more extensive than people realize.

Wow. I wouldn't have guessed at that many to iCloud.
melior diabolus quem scies
post #13 of 60
Quote:
Originally Posted by Chipsy

The hackers were able to unlock locked (stolen) devices, it seems that in that case it doesn't matter if you at home used iTunes on OS X or Windows. But the vulnerable Windows version presents an opportunity in that case (for that the device needs to be in the possession of the hacker of course).

Edit: Read the original article. Basically they let the phone communicate with a fake server, which sits between the phone and Apple's iCloud (which allows for the phone to be unlocked).
This should also be possible when a user is using an iPhone on an unencrypted WiFi access point.
So it is not only Windows it seems. The hackers claim that more than 30000 stolen iPhones have been unlocked and sold for profit this way.

It is possible that there are 2 different hacks. The iTunes for Windows hole only allows limited activation. You need (to steal) the user's ID and password to activate the phone.

The bulk activation one may exploit something else. May not be SSL related. It may allow someone to bulk activate any phone without user credentials.

In any case, Apple have full info for the mechanisms now. Probably will have a drop soon.

There is no proof of user data compromise yet. These sound like activation utility issues.
In all cases, the communication channels are encrypted. But the iTunes for Windows activation line does not verify server cert.
Edited by patsu - 5/21/14 at 4:58pm
post #14 of 60
Quote:
Originally Posted by patsu

It is possible that there are 2 different hacks. The iTunes for Windows hole only allows limited activation. You need (to steal) the user's ID and password to activate the phone.

The bulk activation one may exploit something else. May not be SSL related. It may allow someone to bulk activate any phone.

In any case, Apple have full info for the mechanisms now. Probably will have a drop soon.

There is no proof of user data compromise yet. These sound like activation utility issues.

Yeah I think so too, but they are related. I edited my post just a moment ago to clarify that (while you were responding).

"So the unlocking of the phones uses the iTunes vulnerability that it doesn't verify server certificates (and after unlocking maybe credentials), but being vulnerable while using a computer seems Windows only (i.e. direct password interception)."

I have no doubt that Apple will fix this. Hacks/security issues unfortunately are going to pop up every now and then, it's pretty much unavoidable. The important thing is that they are fixed. The iTunes one is a bit of a coding blunder though...oh well.
post #15 of 60
Quote:
Originally Posted by Chipsy

Yeah I think so too, but they are related. I edited my post just a moment ago to clarify that (while you were responding).

"So the unlocking of the phones uses the iTunes vulnerability that it doesn't verify server certificates, but being vulnerable while using a computer seems Windows only (i.e. direct password interception)."

I have no doubt that Apple will fix this. Hacks/security issues unfortunately are going to pop up every now and then, it's pretty much unavoidable. The important thing is that they are fixed. The iTunes one is a bit of a coding blunder though...oh well.

If these are the exploits, then I think Apple and partners may already have known about them for a long time.

They allow third parties to deactivate locked phones, enabling resale, support servicing, ... with some checks.

If they fix these, those third parties will need to find other means.


They may not be user data threatening. We'll see.

The iTunes for Windows activation server cert check should be fixed though. That one is user facing.
Edited by patsu - 5/21/14 at 5:12pm
post #16 of 60
Quote:
Originally Posted by SolipsismX
Quote:
Originally Posted by mstone

Anyway it should be noted that public wifis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the wifis where no password is required.

I don't know of any public WiFi networks that use encryption. Even when you need to enter a passcode into a splash screen to get access to the internet it's still an unencrypted WiFi network.

I hate those splash screen ones. I don't use them. I was thinking about the coffee shop, restaurant, carwash, car dealership etc. where you ask for the password. It is public as in free for customers.

Life is too short to drink bad coffee.

post #17 of 60
Catch 22.. Ok.. you need to intercept the credentials(username/pass) to unlock the device..

Problem.. if you've ALREADY stolen the device you're not going to have the credentials to enter to intercept them.. and if you HAVE the creds, why would you need to intercept them?? b b b because you don't need to?


Duh?.. umm.. how the F is that useful or relevant to activation unlock? Bueller? Bueller? anyone? anyone else seeing the stupidity of this claim?

You literally need to catch them entering their creds / syncing to cloud THEN steal the correct device. That's some fast'n foot loose work there..
post #18 of 60
Quote:
Originally Posted by DanielSW


No matter the wording, those who don't upgrade are like animals who can't keep up with the herd and become easy prey to jackals and the like.

I hope when you grow up and donate your car to one of your offspring, you don't tell them that they probably can't keep up with the herd, and that they're easy prey for the jackals.

I purchase every new iPhone as soon as released, and I have offspring that also get new ones, and some that get the old ones, and then sometimes they donate the previous to a friend. A 3GS, 4, 4S, and 5 are still in circulation.

If it's possible, Apple should make an attempt to patch a serious flaw like this on all recent products. After all - once you know the fix - how many person hours can it really take to update older iOS versions?

post #19 of 60
Quote:
Originally Posted by patsu
They may not be user data threatening. We'll see.

The iTunes for Windows activation server cert check should be fixed though. That one is user facing.

According to the article it says they can snag the Apple ID login credentials, which I still don't understand because that should be using SSL even on non-encrypted WiFi. I would consider that data threatening.

Life is too short to drink bad coffee.

post #20 of 60
Quote:
Originally Posted by Adrayven

Catch 22.. Ok.. you need to intercept the credentials(username/pass) to unlock the device..

Problem.. if you've ALREADY stolen the device you're not going to have the credentials to enter to intercept them.. and if you HAVE the creds, why would you need to intercept them?? b b b because you don't need to?


Duh?.. umm.. how the F is that useful or relevant to activation unlock? Bueller? Bueller? anyone? anyone else seeing the stupidity of this claim?

You literally need to catch them entering their creds / syncing to cloud THEN steal the correct device. That's some fast'n foot loose work there..

Two separate issues. They said they can intercept the login credentials, i.e. sitting in a coffee shop watching packets, and two, they can also unlock bricked phones. Two different hacks.

Life is too short to drink bad coffee.

post #21 of 60
Quote:
Originally Posted by mstone

According to the article it says they can snag the Apple ID login credentials, which I still don't understand because that should be using SSL even on non-encrypted WiFi. I would consider that data threatening.

That's the MITM activation server attack.

They have to set up a fake activation server to do so when the phone is powered up (to check activation status).

It doesn't say other iTunes for Windows usage such as regular logins and music playback are affected. They may or may not be.

iPhone/Mac to iCloud server communication is not affected by this iTunes Win issue.
post #22 of 60
Quote:
Originally Posted by mstone

I hate those splash screen ones. I don't use them. I was thinking about the coffee shop, restaurant, carwash, car dealership etc. where you ask for the password. It is public as in free for customers.

Only the lowest, individually-owned establishments, save for some hotel chains, give the same password for everyone using their network, but I don't think it's common to encrypt the data, but even if they did the fact that they give access to any would-be customers means that the encryption becomes moot to anyone 'on' the network grabbing data.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #23 of 60
Quote:
Originally Posted by SolipsismX

Only the lowest, individually-owned establishments, save for some hotel chains, give the same password for everyone using their network, but I don't think it's common to encrypt the data, but even if they did the fact that they give access to any would-be customers means that the encryption becomes moot to anyone 'on' the network grabbing data.

If the packets are encrypted how is anyone going to be able to decrypt it? They don't have the private key.

Life is too short to drink bad coffee.

post #24 of 60
Quote:
Originally Posted by mstone

If the packets are encrypted how is anyone going to be able to decrypt it? They don't have the private key.

It would be encrypted using the fake server's SSL cert.

Remember, the security researchers can set these up easily beforehand.
post #25 of 60
Quote:
Originally Posted by mstone

If the packets are encrypted how is anyone going to be able to decrypt it? They don't have the private key.

Based on your comment about a single password for the entire network I'd think that the encryption keys would also be usable for all devices connected to the network.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #26 of 60
Quote:
Originally Posted by patsu
Quote:
Originally Posted by mstone

According to the article it says they can snag the Apple ID login credentials, which I still don't understand because that should be using SSL even on non-encrypted WiFi. I would consider that data threatening.

That's the MITM activation server attack.

They have to set up a fake activation server to do so when the phone is powered up (to check activation status).

It doesn't say other iTunes for Windows usage such as regular logins and music playback are affected. They may or may not be.

iPhone/Mac to iCloud server communication is not affected by this iTunes Win issue.

They say stay away from public wifi. If the wifi is encrypted the hack doesn't work, right? The fake activation server is one thing which should be using SSL but it is apparently not. The second issue is being able to intercept users' Apple ID, which should be using SSL but apparently is not.

Life is too short to drink bad coffee.

post #27 of 60
Quote:
Originally Posted by mstone

If the packets are encrypted how is anyone going to be able to decrypt it? They don't have the private key.
Quote:
Originally Posted by mstone

They say stay away from public wifi. If the wifi is encrypted the hack doesn't work, right? The fake activation server is one thing which should be using SSL but it is apparently not. The second issue is being able to intercept users' Apple ID, which should be using SSL but apparently is not.

They are afraid of hackers poisoning the DNS on the WiFi router to route you to the fake activation server.

Even if the Wifi channel is encrypted, it can still serve you bad data from the wrong server in this scenario. The hackers will decrypt your requests on this fake server.

This is possible because allegedly, iTunes for Windows doesn't verify the activation server cert. iOS and Mac do, and so will call out the fake servers.
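An added example, not code from this thread or from Apple, showing the distinction patsu draws in the post above using Go's standard library: the same TLS server (httptest's self-signed test certificate standing in for the fake activation server; the `/activate` path is a made-up stand-in) is accepted by a client that skips certificate verification, refused by a client with default verification, and accepted again only once the genuine certificate has been provisioned as the trust anchor.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Outcome records how each client configuration treated the same TLS server.
type Outcome struct {
	InsecureAccepted bool  // verification skipped: any certificate is accepted
	StrictAccepted   bool  // default verification: accepted only if a trusted CA signed it
	StrictErr        error // the verification error the strict client reported, if any
	PinnedAccepted   bool  // trust limited to one provisioned certificate
}

// startServer starts an HTTPS server that presents httptest's built-in test
// certificate, which no public CA issued. The /activate path is a constructed
// stand-in for the activation endpoint the thread discusses, not Apple's service.
func startServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/activate", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "activation-response")
	})
	return httptest.NewTLSServer(mux)
}

// get performs one HTTPS request with the given TLS settings and returns the
// body, or the error when the client refused to complete the handshake.
func get(base string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(base + "/activate")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Run exercises three client configurations against one server.
func Run() Outcome {
	srv := startServer()
	defer srv.Close()
	var out Outcome

	// 1. The defect the thread attributes to iTunes for Windows: InsecureSkipVerify
	//    disables both the chain check and the hostname check, so a server reached
	//    through a poisoned DNS answer is accepted as long as it speaks TLS.
	body, err := get(srv.URL, &tls.Config{InsecureSkipVerify: true})
	out.InsecureAccepted = err == nil && body == "activation-response"

	// 2. Default verification, which the thread credits to iOS and OS X clients:
	//    the chain must end at a trusted root, so this server is refused with an
	//    x509 error and the request is never sent.
	_, err = get(srv.URL, &tls.Config{})
	out.StrictAccepted, out.StrictErr = err == nil, err

	// 3. The fix is to trust the right anchor, not to drop the check: a client
	//    provisioned with the genuine server's certificate accepts that server.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	body, err = get(srv.URL, &tls.Config{RootCAs: pool})
	out.PinnedAccepted = err == nil && body == "activation-response"
	return out
}

func main() {
	out := Run()
	fmt.Printf("insecure accepted: %v\nstrict accepted: %v (%v)\npinned accepted: %v\n",
		out.InsecureAccepted, out.StrictAccepted, out.StrictErr, out.PinnedAccepted)
}
```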
post #28 of 60
Quote:
Originally Posted by SolipsismX
Quote:
Originally Posted by mstone

If the packets are encrypted how is anyone going to be able to decrypt it? They don't have the private key.

Based on your comment about a single password for the entire network I'd think that the encryption keys would also be usable for all devices connected to the network.

No, I don't think so. I have learned that you are much more knowledgeable than I am in regard to network protocols, but from my understanding having a password to a WiFi does not enable you to defeat the encryption of the connection because you would need the private key which is inaccessible to people who simply have the password to login. In fact it is inaccessible to people who have administrative permissions on the WiFi. Please clear this up for me because I'm confused how you think the encryption is somehow crackable simply knowing the WiFi access password.

Life is too short to drink bad coffee.

post #29 of 60
Quote:
Originally Posted by patsu
They are afraid of hackers poisoning the DNS on the WiFi router to route you to the fake activation server.

If it is using SSL and the cert is not authoritative that should end the connection. I am probably missing something but activation is for new users and is not the same as accessing iCloud as a regular user. Two separate issues, right?

Life is too short to drink bad coffee.

post #30 of 60
Quote:
Originally Posted by mstone

If it is using SSL and the cert is not authoritative that should end the connection. I am probably missing something but activation is for new users and is not the same as accessing iCloud as a regular user. Two separate issues, right?

Yap. 2 separate issues unless iTunes Windows does not verify *all* server certs. I haven't heard anyone say that yet. Only activation server cert so far.

iTunes Win doesn't know if the activation server cert is authoritative because it skipped the check for whatever reason, so the connection stays up.
post #31 of 60
Quote:
Originally Posted by patsu
Yap. 2 separate issues unless iTunes Windows does not verify *all* server certs. I haven't heard anyone say that yet. Only activation server cert so far.

iTunes Win doesn't know if the activation server cert is authoritative because it skipped the check for whatever reason, so the connection stays up.

The reason I'm confused is they recommend that users not access iCloud on public wifi. This does not seem like it has anything to do with activation. iPhones should be using SSL all the time when connecting to Apple back end. How is it possible for someone in a coffee shop to get their Apple ID stolen out of the air when using SSL?

Life is too short to drink bad coffee.

post #32 of 60
Quote:
Originally Posted by mstone

If it is using SSL and the cert is not authoritative that should end the connection. I am probably missing something but activation is for new users and is not the same as accessing iCloud as a regular user. Two separate issues, right?

Like patsu already replied, as far as we know the unlock hack only allows the unlocking of the phone. The Surfright security researcher told De Telegraaf (original publisher of the story) that it was unknown if they (the hackers) could have access to other data as well with that hack; he described it as a possibility that they could have further access.

The Windows password interception clearly presents a danger to user data security.

post #33 of 60
Quote:
Originally Posted by mstone

The reason I'm confused is they recommend that users not access iCloud on public wifi. This does not seem like it has anything to do with activation. iPhones should be using SSL all the time when connecting to Apple back end. How is it possible for someone in a coffee shop to get their Apple ID stolen out of the air when using SSL?

Probably ill-advised?

The iTunes for Windows vulnerability has nothing to do with iOS and Mac.

They can steal your credentials if you're using iTunes for Windows activation, by setting up a fake activation server and tricking the router to send you to the fake server.
post #34 of 60
Quote:
Originally Posted by patsu

Probably ill-advised?

The iTunes for Windows vulnerability has nothing to do with iOS and Mac.

They can steal your credentials if you're using iTunes for Windows activation, by setting up a fake activation server and tricking the router to send you to the fake server.

If this is all about activation why bother to steal someone's legitimate Apple ID? The hackers have a stolen phone and a fake activation server, why do they need to steal my Apple ID?

Life is too short to drink bad coffee.

post #35 of 60
Quote:
Originally Posted by mstone

If this is all about activation why bother to steal someone's legitimate Apple ID? The hackers have a stolen phone and a fake activation server, why do they need to steal my Apple ID?

It's not a functioning activation server. They just use it to gather your ID and password, then hit the real activation server with your phone to activate it. Not very useful in this regard but still harmful since they can use your iTunes credentials for follow-up attacks.

This is why I suspect there may be 2 different hacks. The other one is more "useful" for bulk activation since they may not need your credentials to do so (I don't know yet).
post #36 of 60
Quote:
Originally Posted by patsu
I don't know yet

Thanks. That was the answer I needed.

Life is too short to drink bad coffee.

post #37 of 60
Who uses windows anymore anyway?
post #38 of 60
F-ing WINDOWS!
post #39 of 60
Quote:
Originally Posted by DanielSW

No matter the wording, those who don't upgrade are like animals who can't keep up with the herd and become easy prey to jackals and the like.

That's a great analogy. I can just imagine all the XP users being dragged down and devoured ... sooner the better IMHO!
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
Google Motto "You're not the customer. You're the product."
post #40 of 60

From what I can gather from the limited information that's presented, it looks to me like someone would need to snoop around a public wifi for unsuspecting iPhone victims. Capture their Apple ID and PW (which is yet to be proven, it's only "claimed"), then steal that person's iPhone.

 

What happens if the device was stolen first, and remote wiped? How would they get the user's Apple ID and PW then?
