Removal of Apple's iCloud Activation Lock check page may be linked to hacks relying on sto...
Apple's removal of the iCloud Activation Lock status page last week was likely connected to hacks letting people bypass the Activation Lock system, a report noted on Monday.
By changing one or two characters in an invalid serial number, it becomes possible to stumble across a value that will crack a bricked Apple device. The status check page made this a realistic option, since hackers could simply keep plugging in new characters there until they found something that worked.
The flaw, first pointed out by MacRumors might also explain some glitches encountered since September, in which people suddenly find their devices locked to an unknown Apple ID and can't regain control without Apple's help.
Complaints along those lines have revolved around the iPhone 6s, 7, and their Plus equivalents, but could conceivably apply to any device with Activation Lock, such as an iPad, iPod touch, or Apple Watch.
Online Activation Lock checks previously made buying a used Apple device more reliable, since shoppers could ask for an IMEI or serial number and verify it before sending any money. Without that system, the only way of checking is in person, which probably isn't an option if the seller is in another city or a buyer is worried about being robbed.
The black market could take advantage of the new situation, since thieves can more easily unload stolen goods.
Other Activation Lock vulnerabilities have been exposed in the past. In November, a researcher showed that it was possible to bypass the system on an iPad by flooding Wi-Fi logins with long character strings and repeatedly opening and closing a Smart Cover.
By changing one or two characters in an invalid serial number, it becomes possible to stumble across a value that will crack a bricked Apple device. The status check page made this a realistic option, since hackers could simply keep plugging in new characters there until they found something that worked.
The flaw, first pointed out by MacRumors might also explain some glitches encountered since September, in which people suddenly find their devices locked to an unknown Apple ID and can't regain control without Apple's help.
Complaints along those lines have revolved around the iPhone 6s, 7, and their Plus equivalents, but could conceivably apply to any device with Activation Lock, such as an iPad, iPod touch, or Apple Watch.
Online Activation Lock checks previously made buying a used Apple device more reliable, since shoppers could ask for an IMEI or serial number and verify it before sending any money. Without that system, the only way of checking is in person, which probably isn't an option if the seller is in another city or a buyer is worried about being robbed.
The black market could take advantage of the new situation, since thieves can more easily unload stolen goods.
Other Activation Lock vulnerabilities have been exposed in the past. In November, a researcher showed that it was possible to bypass the system on an iPad by flooding Wi-Fi logins with long character strings and repeatedly opening and closing a Smart Cover.
Comments
okay, this is the feature Apple put because the Police were complaining that iphone got stolen more time than any other phone and the Authorities what a way that could local a phone to make it worthless to the person who stole it. So know the thieve are using it against the people the police thought they were protecting. With the new phone with touch ID, you do not need this, is some steals your phone it is worthless if you have touch ID.
See what happen when the Police and Authorities come up with a solution to their so called problem, they make it less safe for the rust of us.
You do not remember the whole outrage from police departments around the country about Apple making the phone too easy to steal and an not way to disable the phone, This was Apple fix prior to them introducing the touch ID. Where have you been the last 10 yrs.
What I've been really surprised and disappointed by in the last couple of days is the discovery that Apple stores some devices' serial numbers in plain text form in a re-writable location on the devices' SSDs! This means people have been able to remove the SSD chip, use the iCloud lock status page to find a serial number that isn't locked, then write that serial number to the SSD, and replace the SSD in the device. If the serial number was stored in encrypted format using a private key none of this would have happened! This is entirely Apple's fault for poorly implementing this feature.
Yeah, that's a bad thing./s
No it wasn't. Activation Lock was the feature that resulted from the request. The website was never requested. That was something Apple did on their own, and they decided to take it down.
Given the gear needed to accomplish the change, I have to wonder how many stolen phones were actually reactivated.