Incident Response, TDR, Vulnerability Management

Hackers claim MitM attack enables iCloud security feature bypass

Two hackers claim to have discovered a way to bypass Apple's "Activation Lock," an iCloud security feature that locks ill-intentioned individuals out of lost or stolen iOS devices.

On Wednesday, Dutch newspaper De Telegraaf first broke the news about the Activation Lock bypass, which was accomplished by two individuals who go by the handles “AquaXetine” and “MerrukTechnolog” on Twitter.

In Thursday email correspondence with SCMagazine.com, AquaXetine confirmed that, via a man-in-the-middle (MitM) attack, the duo was able to unlock an iPhone 4 by getting the device to communicate with their server, as opposed to Apple's servers. From there, the two claimed to have replicated the bypass on thousands more Apple devices.

Throughout the week, Apple users took to Twitter to post about their own successful attempts at unlocking devices using the technique.

According to an Apple support page, Activation Lock is a relatively new feature included in “Find My iPhone,” which requires users to login with their Apple ID and password before allowing them to erase and reactivate the device, sign out of iCloud on the device, or disable “Find my iPhone.”

AquaXetine later told SCMagazine.com that the Activation Lock bypass could open users to a myriad of data security concerns, if an intruder was able to get into a device that hadn't yet been wiped.

“If the device is not wiped, and someone has physical access to it, they can do more than [bypass the lock],” AquaXetine wrote. “[They] can take your [Apple] ID, very important information, and make purchases with your [stored] credit card information. All your data would will be in the wrong hands.”

The two hackers reached out to Apple in late March about the security issue, according to the De Telegraaf article, but received no response from the company.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.