Two hackers from the Netherlands and Morocco, claim to have compromised the security of Apple’s iCloud based Activation Lock system to lock iOS devices. The pair, who identify themselves as AquaXetine and MerrukTechnolog, may make it possible to unlock stolen iPhones.
The hack will unlock stolen iPhones by bypassing Activation Lock, making it possible for thieves to resell the phones easily on the black market, reports Dutch publication De Telegraaf [Google Translate]. It also may provide hackers with access to Apple ID passwords and other personal information stored in Apple’s iCloud service.
The hackers reportedly worked on exploiting the vulnerability for five months by studying the transmission of data between iPhone handsets and Apple’s iCloud services. They claim to be able to unlock a previously locked iPhone by placing a computer between Apple’s servers and the device. The iPhone then misidentifies the computer in the middle as an Apple server, and follows instructions from it to defeat the activation lock on the handset.
While the hackers did not go into detail as to how their process works, it is possible they may be exploiting an SSL bug that is present in iTunes for Windows, which was discovered by security researcher Mark Loman.
The vulnerability reportedly allow hackers to intercept Apple ID credentials, allowing them to be used to unlock iOS device that have been locked.
The hackers claim to have unlocked 30,000 iPhones in just the last few days. The group claims to have contacted Apple about the vulnerability back in March, but the company never responded, so the hackers went public with the information.