Hackers claim to have exploit for iCloud, use vulnerability to disable Activation Lock

Posted in iPhone, edited October 2019
A group of hackers calling themselves "Team DoulCi" say they can mount a man-in-the-middle attack on Apple's activation traffic that lets them intercept users' Apple ID credentials and re-activate iOS devices that Activation Lock has rendered unusable.
The attack is made possible because the Windows version of iTunes does not properly validate the TLS certificate presented by the server it connects to, so a spoofed server on the network path can impersonate Apple's activation service, according to security researcher Mark Loman of SurfRight. The disclosure was first made on Dutch technology website Tweakers.net.

The hackers, who are not affiliated with Loman, have demonstrated the attack's efficacy by sharing screenshots of what they say are calls to Apple's iCloud activation service. A number of others have chimed in on social media with similar success stories.

Apple recently patched a similar vulnerability in OS X and iOS, but iTunes on Windows remains susceptible. Loman believes that the issue is "either a beginner's mistake, or it was done on purpose" and alleges that it may have been designed to allow intelligence agencies access to iCloud.

Until Apple issues a fix, users are advised not to use iCloud services over public Wi-Fi networks, where a man-in-the-middle position is easiest to obtain because anyone on an open network can observe and inject traffic. Users of older iOS devices that no longer receive software updates, such as the first-generation iPad and iPhone 3GS, should exercise particular caution as the vulnerability cannot be patched in those devices.
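To make the reported flaw concrete, here is an added example (not code from iTunes, Apple or the researcher) of what "does not verify security certificates" means for a TLS client, shown beside the configuration a correctly written client uses, with an optional certificate pin on top. The activation host name, the port and the pin values are placeholders; Apple's real activation endpoint is not part of this example.

```python
"""Added example: an 'encrypted but unauthenticated' TLS client versus a
hardened one that validates the chain, the host name and, optionally, a
certificate pin. Not Apple's or iTunes' code; host/pin values are placeholders."""
import hashlib
import hmac
import socket
import ssl
from typing import Optional, Set

# Placeholder host name; Apple's real activation endpoint is not used here.
ACTIVATION_HOST = "activation.example.invalid"


def insecure_context() -> ssl.SSLContext:
    """A client context that encrypts the channel but trusts *any* certificate.
    This is the configuration the article describes: an attacker on the path
    (for example on an open Wi-Fi network) can present a self-signed
    certificate for the activation host and the client will talk to it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # never compare the cert's name to the host
    ctx.verify_mode = ssl.CERT_NONE   # never validate the chain
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """A client context that validates the chain against trusted roots and
    checks that the certificate is issued for the host we asked for."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets these; stated explicitly so the
    # contrast with insecure_context() is visible.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_pins: Set[str]) -> bool:
    """Constant-time comparison of the leaf fingerprint against a pin set.
    Pinning is defence in depth on top of chain validation: a mis-issued or
    rogue-CA certificate carrying the right name is still rejected."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p.lower()) for p in expected_pins)


def activation_handshake(host: str, port: int, pins: Optional[Set[str]] = None,
                         timeout: float = 5.0) -> bytes:
    """Open a verified TLS connection and return the server's DER certificate.
    Raises ssl.SSLCertVerificationError on a bad chain or name mismatch and
    ValueError when a pin set is supplied and the leaf does not match it."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if pins is not None and not pin_matches(der, pins):
                raise ValueError("activation server certificate does not match pin")
            return der


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; a real one comes from getpeercert().
    fake_leaf = b"\x30\x82\x01\x00constructed-leaf-certificate"
    print("pinned fingerprint:", cert_fingerprint(fake_leaf))
    print("insecure verify_mode:", insecure_context().verify_mode)
    print("hardened verify_mode:", hardened_context().verify_mode)
    # activation_handshake(ACTIVATION_HOST, 443, {cert_fingerprint(fake_leaf)})
    # would go on the wire; with a real host it fails unless chain, name and pin all check out.
```

The point of the contrast is the one a commenter below makes: the channel is encrypted in both cases, but only the hardened context proves it is talking to the real server. A pin set should carry at least one backup fingerprint so a routine certificate rotation does not lock clients out.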

Comments

  • Reply 1 of 62

    Does this only apply if you are using the Windows version of iTunes?

  • Reply 2 of 62
    Insane if that really is a basic development mistake. Why would Apple patch the Mac version, but leave the Windows version vulnerable?
  • Reply 3 of 62
    arlor Posts: 532 member
    Quote:
    Originally Posted by AppleInsider View Post
    Users of older iOS devices that no longer receive software updates, such as the first-generation iPad and iPhone 3GS, should exercise particular caution as the vulnerability cannot be patched in those devices.

    You mean *will* not be patched.

  • Reply 5 of 62
    danielsw Posts: 906 member
    arlor wrote: »
    You mean *will* not be patched. 

    No matter the wording, those who don't upgrade are like animals who can't keep up with the herd and become easy prey to jackals and the like.
  • Reply 6 of 62
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by AppleInsider View Post
    Until Apple issues a fix, users are advised not to use iCloud services over public Wi-Fi networks.

    I'm a little puzzled. Does this mean Apple is not using SSL when the iOS device connects to iCloud? The iCloud web interface requires SSL.

    Anyway, it should be noted that public Wi-Fis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the Wi-Fis where no password is required.

  • Reply 7 of 62
    nasserae Posts: 3,167 member
    Quote:
    Originally Posted by Arlor View Post
    You mean *will* not be patched.

    If I remember correctly Apple did patch older iOS versions in the past. I don't know why the article says "cannot be patched".

  • Reply 8 of 62
    solipsismx Posts: 19,566 member
    Until Apple issues a fix, users are advised not to use iCloud services over public Wi-Fi networks.

    In other words don't use a public WiFI network because iCloud services are constantly working in the background.

    The list of services tied to your iCloud ID is much more extensive than people realize.


    mstone wrote: »
    Anyway, it should be noted that public Wi-Fis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the Wi-Fis where no password is required.

    I don't know of any public WiFi networks that use encryption. Even when you need to enter a passcode into a splash screen to get access to the internet it's still an unencrypted WiFi network.
  • Reply 9 of 62
    patsu Posts: 430 member
    mstone wrote: »
    I'm a little puzzled. Does this mean Apple is not using SSL when the iOS device connects to iCloud? The iCloud web interface requires SSL.

    Anyway, it should be noted that public Wi-Fis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the Wi-Fis where no password is required.

    I don't think iOS and Mac are affected.

    It sounds like the iTunes Windows client doesn't check the server cert. So the hackers were able to spoof a MITM server to steal credentials. Once the credentials are stolen this way, they can use them to unlock the right phone.

    As long as you stick to iOS and Mac, you should be fine. Or rather, don't use iTunes on Windows in the meantime.
  • Reply 10 of 62
    chipsy Posts: 287 member
    patsu wrote: »
    I don't think iOS and Mac are affected.

    It sounds like the iTunes Windows client doesn't check the server cert. So the hackers were able to spoof a MITM server to steal credentials. Once the credentials are stolen this way, they can use them to unlock the right phone.

    As long as you stick to iOS and Mac, you should be fine. Or rather, don't use iTunes on Windows in the meantime.
    The hackers were able to unlock locked (stolen) devices; it seems that in that case it doesn't matter if you at home used iTunes on OS X or Windows. But the vulnerable Windows version presents an opportunity in that case (for that the device needs to be in the possession of the hacker, of course).

    Edit: Read the original article. Basically they let the phone communicate with a fake server, which sits between the phone and Apple's iCloud (and which allows the phone to be unlocked).
    This should also be possible when a user is using an iPhone on an unencrypted Wi-Fi access point.
    So it is not only Windows, it seems. The hackers claim that more than 30,000 stolen iPhones have been unlocked and sold for profit this way.

    So the unlocking of the phones uses the iTunes vulnerability that it doesn't verify server certificates, but being vulnerable while using a computer seems Windows only (i.e. direct password interception).
  • Reply 11 of 62
    gatorguy Posts: 24,213 member
    solipsismx wrote: »
    In other words don't use a public WiFI network because iCloud services are constantly working in the background.

    The list of services tied to your iCloud ID is much more extensive than people realize.

    Wow. I wouldn't have guessed at that many to iCloud.
  • Reply 12 of 62
    patsu Posts: 430 member
    chipsy wrote: »
    The hackers were able to unlock locked (stolen) devices; it seems that in that case it doesn't matter if you at home used iTunes on OS X or Windows. But the vulnerable Windows version presents an opportunity in that case (for that the device needs to be in the possession of the hacker, of course).

    Edit: Read the original article. Basically they let the phone communicate with a fake server, which sits between the phone and Apple's iCloud (and which allows the phone to be unlocked).
    This should also be possible when a user is using an iPhone on an unencrypted Wi-Fi access point.
    So it is not only Windows, it seems. The hackers claim that more than 30,000 stolen iPhones have been unlocked and sold for profit this way.

    It is possible that there are 2 different hacks. The iTunes for Windows hole only allows limited activation. You need (to steal) the user's ID and password to activate the phone.

    The bulk activation one may exploit something else. May not be SSL related. It may allow someone to bulk activate any phone without user credentials.

    In any case, Apple have full info for the mechanisms now. Probably will have a drop soon.

    There is no proof of user data compromise yet. These sound like activation utility issues.
    In all cases, the communication channels are encrypted. But the iTunes for Windows activation line does not verify server cert.
  • Reply 13 of 62
    chipsy Posts: 287 member
    patsu wrote: »
    It is possible that there are 2 different hacks. The iTunes for Windows hole only allows limited activation. You need (to steal) the user's ID and password to activate the phone.

    The bulk activation one may exploit something else. May not be SSL related. It may allow someone to bulk activate any phone.

    In any case, Apple have full info for the mechanisms now. Probably will have a drop soon.

    There is no proof of user data compromise yet. These sound like activation utility issues.

    Yeah I think so too, but they are related. I edited my post just a moment ago to clarify that (while you were responding).

    "So the unlocking of the phones uses the iTunes vulnerability that it doesn't verify server certificates (and after unlocking maybe credentials), but being vulnerable while using a computer seems Windows only (I.e. direct password interception)."

    I have no doubt that Apple will fix this. Hacks/security issues unfortunately are going to pop up every now and then, its pretty much unavoidable. The important thing is that they are fixed. The iTunes one is a bit of a coding blunder though...oh well.
  • Reply 14 of 62
    patsu Posts: 430 member
    chipsy wrote: »
    Yeah I think so too, but they are related. I edited my post just a moment ago to clarify that (while you were responding).

    "So the unlocking of the phones uses the iTunes vulnerability that it doesn't verify server certificates, but being vulnerable while using a computer seems Windows only (I.e. direct password interception)."

    I have no doubt that Apple will fix this. Hacks/security issues unfortunately are going to pop up every now and then, its pretty much unavoidable. The important thing is that they are fixed. The iTunes one is a bit of a coding blunder though...oh well.

    If these are the exploits, then I think Apple and partners may already have known about them for a long time.

    They allow third parties to deactivate locked phones, enabling resale, support servicing, ... with some checks.

    If they fix these, those third parties will need to find other means.


    They may not be user data threatening. We'll see.

    The iTunes for Windows activation server cert check should be fixed though. That one is user facing.
  • Reply 15 of 62
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by SolipsismX View Post
    Quote:
    Originally Posted by mstone View Post
    Anyway, it should be noted that public Wi-Fis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the Wi-Fis where no password is required.

    I don't know of any public WiFi networks that use encryption. Even when you need to enter a passcode into a splash screen to get access to the internet it's still an unencrypted WiFi network.

    I hate those splash screen ones. I don't use them. I was thinking about the coffee shop, restaurant, carwash, car dealership etc. where you ask for the password. It is public as in free for customers.

  • Reply 16 of 62
    adrayven Posts: 460 member
    Catch 22.. Ok.. you need to intercept the credentials (username/pass) to unlock the device..

    Problem.. if you've ALREADY stolen the device you're not going to have the credentials to enter to intercept them.. and if you HAVE the creds, why would you need to intercept them?? b b b because you don't need to?

    Duh?.. umm.. how the F is that useful or relevant to activation unlock? Bueller? Bueller? anyone? anyone else seeing the stupidity of this claim?

    You literally need to catch them entering their creds / syncing to cloud THEN steal the correct device. That's some fast'n footloose work there..
  • Reply 17 of 62
    Quote:
    Originally Posted by DanielSW View Post
    No matter the wording, those who don't upgrade are like animals who can't keep up with the herd and become easy prey to jackals and the like.

    I hope when you grow up and donate your car to one of your offspring, you don't tell them that they probably can't keep up with the herd, and that they're easy prey for the jackals.

    I purchase every new iPhone as soon as released, and I have offspring that also get new ones, and some that get the old ones, and then sometimes they donate the previous to a friend. A 3GS, 4, 4S, and 5 are still in circulation.

    If it's possible, Apple should make an attempt to patch a serious flaw like this on all recent products. After all, once you know the fix, how many person-hours can it really take to update older iOS versions?

  • Reply 18 of 62
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by patsu View Post
    They may not be user data threatening. We'll see.

    The iTunes for Windows activation server cert check should be fixed though. That one is user facing.

    According to the article it says they can snag the Apple ID login credentials, which I still don't understand because that should be using SSL even on non-encrypted WiFi. I would consider that data threatening.

  • Reply 19 of 62
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by Adrayven View Post
    Catch 22.. Ok.. you need to intercept the credentials (username/pass) to unlock the device..

    Problem.. if you've ALREADY stolen the device you're not going to have the credentials to enter to intercept them.. and if you HAVE the creds, why would you need to intercept them?? b b b because you don't need to?

    Duh?.. umm.. how the F is that useful or relevant to activation unlock? Bueller? Bueller? anyone? anyone else seeing the stupidity of this claim?

    You literally need to catch them entering their creds / syncing to cloud THEN steal the correct device. That's some fast'n footloose work there..

    Two separate issues. They said they can intercept the login credentials, i.e sitting in a coffee shop watching packets, and two, they can also unlock bricked phones. Two different hacks.

  • Reply 20 of 62
    patsu Posts: 430 member
    mstone wrote: »
    According to the article it says they can snag the Apple ID login credentials, which I still don't understand because that should be using SSL even on non-encrypted WiFi. I would consider that data threatening.

    That's the MITM activation server attack.

    They have to set up a fake activation server to do so when the phone is powered up (to check activation status).

    It doesn't say other iTunes for Windows usage such as regular logins and music playback are affected. They may or may not be.

    iPhone/Mac to iCloud servers communication are not affected by this iTunes Win issue.