Hackers claim to have exploit for iCloud, use vulnerability to disable Activation Lock

Posted:
in iPhone edited September 2014
A group of hackers calling themselves "Team DoulCi" say that they have figured out a way to execute a man-in-the-middle attack that gives them the ability to intercept users' Apple ID credentials as well as unlock iOS devices that have been made unusable by Activation Lock.




The attack is made possible because the Windows version of iTunes does not properly verify security certificates, according to security researcher Mark Loman of SurfRight. The disclosure was first made on Dutch technology website Tweakers.net.

The hackers, who are not affiliated with Loman, have demonstrated the attack's efficacy by sharing screenshots of what they say are calls to Apple's iCloud activation service. A number of others have chimed in on social media with similar success stories.

Apple recently patched a similar vulnerability in OS X and iOS, but iTunes on Windows remains susceptible. Loman believes that the issue is "either a beginner's mistake, or it was done on purpose" and alleges that it may have been designed to allow intelligence agencies access to iCloud.

Until Apple issues a fix, users are advised not to use iCloud services over public Wi-Fi networks. Users of older iOS devices that no longer receive software updates, such as the first-generation iPad and iPhone 3GS, should exercise particular caution as the vulnerability cannot be patched in those devices.
«134

Comments

  • Reply 1 of 62

    Does this only apply if you are using the Windows version of iTunes?

  • Reply 2 of 62
    ttollertonttollerton Posts: 178member
    Insane if that really is a basic development mistake. Why would Apple patch the Mac version, but leave the Windows version vulnerable?
  • Reply 3 of 62
    arlorarlor Posts: 490member
    Quote:

    Originally Posted by AppleInsider View Post



    Users of older iOS devices that no longer receive software updates, such as the first-generation iPad and iPhone 3GS, should exercise particular caution as the vulnerability cannot be patched in those devices.

     

    You mean *will* not be patched. 

  • Reply 5 of 62
    danielswdanielsw Posts: 905member
    arlor wrote: »
    You mean *will* not be patched. 

    No matter the wording, those who don't upgrade are like animals who can't keep up with the herd and become easy prey to jackals and the like.
  • Reply 6 of 62
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by AppleInsider View Post



    Until Apple issues a fix, users are advised not to use iCloud services over public Wi-Fi networks. 

    I'm a little puzzled. Does this mean Apple is not using SSL when the iOS device connects to iCloud. The iCloud web interface requires SSL.

     

    Anyway it should be noted that pubic wifis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the wifis where no password is required. 

  • Reply 7 of 62
    nasseraenasserae Posts: 3,153member
    Quote:

    Originally Posted by Arlor View Post

     

     

    You mean *will* not be patched. 


     

    If I remember correctly Apple did patch older iOS versions in the past. I don't know why the article says "cannot be patched".

  • Reply 8 of 62
    solipsismxsolipsismx Posts: 19,566member
    Until Apple issues a fix, users are advised not to use iCloud services over public Wi-Fi networks.

    In other words don't use a public WiFI network because iCloud services are constantly working in the background.

    The list of services tied to your iCloud ID is much more extensive than people realize.


    mstone wrote: »
    Anyway it should be noted that pubic wifis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the wifis where no password is required.

    I don't know of any public WiFi networks that use encryption. Even when you need to enter a passcode into a splash screen to get access to the internet it's still an unencrypted WiFi network.
  • Reply 9 of 62
    patsupatsu Posts: 429member
    mstone wrote: »
    I'm a little puzzled. Does this mean Apple is not using SSL when the iOS device connects to iCloud. The iCloud web interface requires SSL.

    Anyway it should be noted that pubic wifis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the wifis where no password is required. 

    I don't think iOS and Mac are affected.

    It sounds like iTunes Windows client doesn't check server cert. So the hackers were able to spoof a MITM server to steal credential. Once the credential is stolen this way, they can use it to unlock the right phone.

    As long as you stick to iOS and Mac, you should be fine. Or rather, don't use iTunes on Windows in the mean time.
  • Reply 10 of 62
    chipsychipsy Posts: 287member
    patsu wrote: »
    I don't think iOS and Mac are affected.

    It sounds like iTunes Windows client doesn't check server cert. So the hackers were able to spoof a MITM server to steal credential. Once the credential is stolen this way, they can use it to unlock the right phone.

    As long as you stick to iOS and Mac, you should be fine. Or rather, don't use iTunes on Windows in the mean time.
    The hackers were able to unlock locked (stolen) devices, it seems that in that case it doesn't matter if you at home used iTunes on OSX or Windows. But the vulnerable Windows version presents an opportunity in that case (for that the device needs to be in the possession of the hacker of course).

    Edit: Read the original article. Basically they let the phone communicate with a fake server, which sits between the phone and Apple's iCloud (which allows for the phone to be unlocked) and the phone.
    This should also be possible when a user is using an iPhone on an unencrypted WiFi access point.
    So it is not only Windows it seems. The hackers claim that more than 30000 stolen iPhones have been unlocked and sold for profit this way.

    So the unlocking of the phones uses the iTunes vulnerability that it doesn't verify server certificates, but being vulnerable while using a computer seems Windows only (I.e. direct password interception).
  • Reply 11 of 62
    gatorguygatorguy Posts: 20,267member
    solipsismx wrote: »
    In other words don't use a public WiFI network because iCloud services are constantly working in the background.

    The list of services tied to your iCloud ID is much more extensive than people realize.

    Wow. I wouldn't have guessed at that many to iCloud.
  • Reply 12 of 62
    patsupatsu Posts: 429member
    chipsy wrote: »
    The hackers were able to unlock locked (stolen) devices, it seems that in that case it doesn't matter if you at home used iTunes on OSX or Windows. But the vulnerable Windows version presents an opportunity in that case (for that the device needs to be in the possession of the hacker of course).

    Edit: Read the original article. Basically they let the phone communicate with a fake server, which sits between the phone and Apple's iCloud which allows for the phone to be unlocked and the phone.
    This should also be possible for when a user is using an iPhone on an unencrypted WiFi access point.
    So it is not only Windows it seems. The hackers claim that more than 30000 stolen iPhones have been unlocked and sold for profit this way.

    It is possible that there are 2 different hacks. The iTunes for Windows hole only allows limited activation. You need (to steal) the user's ID and password to activate the phone.

    The bulk activation one may exploit something else. May not be SSL related. It may allow someone to bulk activate any phone without user credentials.

    In any case, Apple have full info for the mechanisms now. Probably will have a drop soon.

    There is no proof of user data compromise yet. These sound like activation utility issues.
    In all cases, the communication channels are encrypted. But the iTunes for Windows activation line does not verify server cert.
  • Reply 13 of 62
    chipsychipsy Posts: 287member
    patsu wrote: »
    It is possible that there are 2 different hacks. The iTunes for Windows hole only allows limited activation. You need (to steal) the user's ID and password to activate the phone.

    The bulk activation one may exploit something else. May not be SSL related. It may allow someone to bulk activate any phone.

    In any case, Apple have full info for the mechanisms now. Probably will have a drop soon.

    There is no proof of user data compromise yet. These sound like activation utility issues.

    Yeah I think so too, but they are related. I edited my post just a moment ago to clarify that (while you were responding).

    "So the unlocking of the phones uses the iTunes vulnerability that it doesn't verify server certificates (and after unlocking maybe credentials), but being vulnerable while using a computer seems Windows only (I.e. direct password interception)."

    I have no doubt that Apple will fix this. Hacks/security issues unfortunately are going to pop up every now and then, its pretty much unavoidable. The important thing is that they are fixed. The iTunes one is a bit of a coding blunder though...oh well.
  • Reply 14 of 62
    patsupatsu Posts: 429member
    chipsy wrote: »
    Yeah I think so to, but they are related. I edited my post just a moment ago to clarify that (while you were responding).

    "So the unlocking of the phones uses the iTunes vulnerability that it doesn't verify server certificates, but being vulnerable while using a computer seems Windows only (I.e. direct password interception)."

    I have no doubt that Apple will fix this. Hacks/security issues unfortunately are going to pop up every now and then, its pretty much unavoidable. The important thing is that they are fixed. The iTunes one is a bit of a coding blunder though...oh well.

    If these are the exploits, then I think Apple and partners may already know about them a long time.

    They allow third parties to deactivate locked phones, enabling resale, support servicing, ... with some checks.

    If they fix these, those third parties will need to find other means.


    They may not be user data threatening. We'll see.

    The iTunes for Windows activation server cert check should be fixed though. That one is user facing.
  • Reply 15 of 62
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by SolipsismX View Post

     
    Quote:



    Originally Posted by mstone View Post



    Anyway it should be noted that pubic wifis that are encrypted properly, as most are, are not vulnerable to this attack. Just stay away from the wifis where no password is required.




    I don't know of any public WiFi networks that use encryption. Even when you need to enter a passcode into a splash screen to get access to the internet it's still an unencrypted WiFi network.

    I hate those splash screen ones. I don't use them. I was thinking about the coffee shop, restaurant, carwash, car dealership etc. where you ask for the password. It is public as in free for customers.

  • Reply 16 of 62
    adrayvenadrayven Posts: 460member
    Catch 22.. Ok.. you need to intercept the credentials(username/pass) to unlock the device..

    Problem.. if you've ALREADY stolen the device you're not going to have the credentials to enter to intercept them.. and if you HAVE the creds, why would you need to intercept them?? b b b because you don't need to?


    Duh?.. umm.. how the F is that useful or relevant to activation unlock? Bueller? Bueller? anyone? anyone else seeing the stupidity of this claim?

    You literally need to catch them entering their creds / syncing to cloud THEN steal the correct device. Thats some fast'n foot loose work there..
  • Reply 17 of 62
    Quote:
    Originally Posted by DanielSW View Post





    No matter the wording, those who don't upgrade are like animals who can't keep up with the herd and become easy prey to jackals and the like.

    I hope when you grow up and donate your car to one of your offspring, you don't tell them that they probably can't keep up with the herd, and that they're easy prey for the jackals.

    I purchase every new iPhone as soon as released, and I have offspring that also get new ones, and some that get the old ones, and then sometimes they donate the previous to a friend. A 3GS, 4, 4S, and 5 are still in circulation.

    If its possible, Apple should make an attempt to patch a serious flaw like this on all recent products. After all - once you know the fix - how many person hours can it really take to update older IOS's?

  • Reply 18 of 62
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by patsu View Post

     
    They may not be user data threatening. We'll see.



    The iTunes for Windows activation server cert check should be fixed though. That one is user facing.

    According to the article it says they can snag the Apple ID login credentials, which I still don't understand because that should be using SSL even on non-encrypted WiFi. I would consider that data threatening.

  • Reply 19 of 62
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by Adrayven View Post



    Catch 22.. Ok.. you need to intercept the credentials(username/pass) to unlock the device..



    Problem.. if you've ALREADY stolen the device you're not going to have the credentials to enter to intercept them.. and if you HAVE the creds, why would you need to intercept them?? b b b because you don't need to?





    Duh?.. umm.. how the F is that useful or relevant to activation unlock? Bueller? Bueller? anyone? anyone else seeing the stupidity of this claim?



    You literally need to catch them entering their creds / syncing to cloud THEN steal the correct device. Thats some fast'n foot loose work there..

    Two separate issues. They said they can intercept the login credentials, i.e sitting in a coffee shop watching packets, and two, they can also unlock bricked phones. Two different hacks.

  • Reply 20 of 62
    patsupatsu Posts: 429member
    mstone wrote: »
    According to the article it says they can snag the Apple ID login credentials, which I still don't understand because that should be using SSL even on non-encrypted WiFi. I would consider that data threatening.

    That's the MITM activation server attack.

    They have to set up a fake activation server to do so when the phone is powered up (to check activation status).

    It doesn't say other iTunes for Windows usage such as regular logins and music playback are affected. They may or may not be.

    iPhone/Mac to iCloud servers communication are not affected by this iTunes Win issue.
Sign In or Register to comment.