Hacker Team Claims Compromise of Apple's iCloud and Activation Lock, Possibly via SSL Bug [Updated]

icloud_iconA pair of hackers from the Netherlands and Morocco, identifying themselves as AquaXetine and MerrukTechnolog, claim to have compromised the security of Apple's iCloud system for locking iOS devices.

The hack will unlock stolen iPhones by bypassing Activation Lock, making it possible for thieves to resell the phones easily on the black market, reports Dutch publication De Telegraaf [Google Translate]. It also may provide hackers with access to Apple ID passwords and other personal information stored in Apple's iCloud service.

The hackers reportedly worked on the vulnerability for five months, studying the transmission of data between iPhone handsets and Apple's iCloud services. The pair claim to be able to unlock a locked iPhone by placing a computer between the iPhone and Apple's servers. In this configuration, the iPhone mistakenly identifies the hacker's computer as one of Apple's servers and follows instructions provided by the nefarious computer to reverse activation lock on the handset.

While the hackers did not reveal precise information on how their intercepting computer can spoof Apple's iCloud activation servers, it appears that they may be taking advantage of an SSL bug that is present in iTunes for Windows, as noted by iPhone in Canada, who spoke to security researcher Mark Loman about the issue. The previously disclosed issue was fixed in iOS 7.0.6 and OS X 10.9.2, but it appears that iTunes for Windows is still affected.

After looking into some claims of the jailbreak community, Mark Loman decided to do some investigating of his own and made a shocking discovery. SSL has two tasks: one, to verify communication with the intended server; and two, to prevent manipulation.

“The problem is with verifying the certificate. Apple appears to have deliberately left out this essential step required for proper secure communication. They fixed it last month for iOS but forgot to fix it for iTunes. But the jailbreak community is already making use of it — which is how I figured it out.”

The vulnerability reportedly allows hackers to intercept Apple ID credentials, which can then be used to unlock iOS devices that have been locked after having been lost or stolen.

Actually, the data IS encrypted. But when an attacker strips SSL during a so-called man-in-the-middle attack the AppleID account name and password can be extracted as they are sent in plain text inside SSL, Mark Loman said in an email sent to iPhone in Canada.

Using this technique, the hackers claim to have unlocked 30,000 iPhones in the past few days. The group allegedly contacted Apple about this vulnerability in March, but Apple never responded, prompting the hackers to go public with the information.

Update 10:43 AM: One of the hackers has denied that the bypass involves an SSL bug.

Top Rated Comments

Yvan256 Avatar
85 months ago

The group allegedly contacted Apple about this vulnerability in March, but Apple never responded, prompting the hackers to go public with the information.


In my opinion, that's the proper way to do it.

[LIST=1]
* Contact the manufacturer to inform them of the problem.
* Give them some time to fix it.
* If they haven't fixed it after a few months, go public to force them to react.
Score: 32 Votes (Like | Disagree)
Sky Blue Avatar
85 months ago
"The group allegedly contacted Apple about this vulnerability in March, but Apple never responded, prompting the hackers to go public with the information."

lol, Apple
Score: 27 Votes (Like | Disagree)
ehmjay Avatar
85 months ago
Annnnnnd cue the tech press over-reacting and blowing this way out of proportion.

Not that this isn't a serious flaw; it is. But because it's Apple it will be presented as the end of the world, and covered by every major news outlet where-as a similar bug in Android is barely mentioned by anyone at all.
Score: 10 Votes (Like | Disagree)
dannyyankou Avatar
85 months ago

The NSA new this all along.


*knew

Sorry, couldn't resist.
Score: 8 Votes (Like | Disagree)
Millah Avatar
85 months ago

They did, in March. Still not fixed.

So anyone can claim anything they want and people instantly believe them without a shadow of doubt? When did the public become so easily gullible?

I'm not saying its not true. I'm saying none of us know. Just because some hackers claim something doesn't make it true. And how exactly are they trustworthy to begin with? These are people hacking into places they shouldn't be, unlocking stolen phones, and you don't even have a sliver of doubt about their honesty?
Score: 8 Votes (Like | Disagree)
fumi2014 Avatar
85 months ago
These billion dollar companies really need to stay on top of all this. They're happy to take your money but not so quick to safeguard your details.

And now there's trouble at eBay.
Score: 8 Votes (Like | Disagree)

Top Stories

2020 apple shopping event

Apple Offering Up to $150 Gift Card With Select Products on Black Friday Through Cyber Monday

Monday November 23, 2020 2:53 am PST by
Apple has announced its annual four-day shopping event, offering customers up to a $150 Apple Store gift card with the purchase of select products between Black Friday and Cyber Monday in the United States. The gift card values in the United States are as follows: $150 for 16-inch MacBook Pro $150 for 21.5-inch iMac $50 for 13-inch MacBook Pro $50 for MacBook Air $50 for iPhone SE,...
0 Deals Hero

Black Friday 2020: Best Apple Deals to Plan For

Saturday November 21, 2020 10:00 am PST by
In the lead-up to Black Friday next week, we've been putting a spotlight on the best deals coming from various retailers like Best Buy and Walmart. In an effort to further prepare our readers for the best Black Friday deals, we're breaking down what we think should be on your radar for Black Friday in 2020. Note: MacRumors is an affiliate partner with some of these vendors. When you click a...
app store christmas icon

Apple Shutting Down App Store Connect From December 23 to December 27

Monday November 23, 2020 10:14 am PST by
Apple shuts down App Store Connect for a week around the holidays each year in an effort to give App Store staff time off from work. This year, App Store Connect will be unavailable from December 23 to December 27. With App Store Connect unavailable, Apple will not accept new apps or app updates, so all pricing changes and new app submissions need to be locked in before those dates for...
Target November Deals 1

Black Friday Spotlight: Target Begins Week-Long Sale With Deals on iPhone 12, Powerbeats Pro, and More

Monday November 23, 2020 8:07 am PST by
We've been tracking early Black Friday deals in our dedicated Black Friday Roundup, and in an effort to prepare our readers for the big shopping event we're highlighting sales store-by-store in the lead-up to November 27. Note: MacRumors is an affiliate partner with Target. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running....
ipad pro 2020 display

Black Friday Week Kicks Off With Up to $150 Savings on 2020 iPad Pro

Sunday November 22, 2020 2:37 pm PST by
As we head into Black Friday week, we're seeing some of the best deals of the season so far, with Amazon and Best Buy today discounting the latest iPad Pro models by up to $150 at the lowest prices we've ever tracked on these models. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep ...
mac mini macbook pro macbook air

Apple M1 Hands-On Comparison: MacBook Air vs. MacBook Pro vs. Mac Mini

Monday November 23, 2020 3:40 pm PST by
Apple's M1 Macs are out in the wild now, but ahead of the holidays, you might still be trying to figure out which one to pick up, either for yourself or as a gift for someone else. We've got all three of the new Macs available, so we thought we'd give MacRumors readers a hands-on overview of each machine in our latest YouTube video. Subscribe to the MacRumors YouTube channel for more videos. ...
macos big sur m1 macs restore issue

Apple Provides Instructions to Fix macOS Reinstallation Errors on M1 Macs

Sunday November 22, 2020 3:30 pm PST by
Shortly after the launch of Apple's new M1 Macs, we saw reports that attempts to restore and reinstall macOS on those machines right away could result in an installation error that would leave your Mac non-functional. Specifically, the error message would read: "An error occurred preparing the update. Failed to personalize the software update. Please try again." Over the weekend, Apple p...
max tech xcode benchmark m1 macbook

Video Demos Performance Differences Between 8GB and 16GB Apple M1 MacBook Pro

Monday November 23, 2020 2:54 pm PST by
All of the M1 Mac models use the same M1 chip, so the upgrade options are limited to SSD storage space and RAM. We haven't seen many comparisons that demonstrate the difference between a machine with 8GB RAM and the upgraded 16GB RAM option, but Max Tech today shared a video highlighting the performance between an 8GB MacBook Pro and a 16GB MacBook Pro. The video includes a series of...
iPhone 6s main

Rumor Claims iOS 15 to Drop Support for iPhone 6s and Original iPhone SE

Sunday November 22, 2020 9:25 am PST by
Apple will drop support for the iPhone SE, iPhone 6s, and iPhone 6s Plus in next year's release of iOS 15, according to a rumor shared today by Israeli site The Verifier. If the rumor is accurate, that would mean iOS 15 will be compatible with the following Apple devices: 2021 iPhone series iPhone 12 Pro Max iPhone 12 Pro iPhone 12 mini iPhone 12 iPhone 11 iPhone 11 Pro iPhone 11 Pro ...
new mac mini logicpro screen

M1 Macs Able to Run Up to Six External Displays Using DisplayLink

Tuesday November 24, 2020 6:53 am PST by
It is possible to run up to six external displays from the M1 Mac mini, and five external displays from the M1 MacBook Air and MacBook Pro, with the aid of DisplayPort adapters, according to YouTuber Ruslan Tulupov. This far exceeds Apple's specified limits on external displays with the M1 Macs. Apple's host of new M1 Macs are not capable of supporting as many external displays as their...