Hacker Team Claims Compromise of Apple's iCloud and Activation Lock, Possibly via SSL Bug [Updated]

by

icloud_iconA pair of hackers from the Netherlands and Morocco, identifying themselves as AquaXetine and MerrukTechnolog, claim to have compromised the security of Apple's iCloud system for locking iOS devices.

The hack will unlock stolen iPhones by bypassing Activation Lock, making it possible for thieves to resell the phones easily on the black market, reports Dutch publication De Telegraaf [Google Translate]. It also may provide hackers with access to Apple ID passwords and other personal information stored in Apple's iCloud service.

The hackers reportedly worked on the vulnerability for five months, studying the transmission of data between iPhone handsets and Apple's iCloud services. The pair claim to be able to unlock a locked iPhone by placing a computer between the iPhone and Apple's servers. In this configuration, the iPhone mistakenly identifies the hacker's computer as one of Apple's servers and follows instructions provided by the nefarious computer to reverse activation lock on the handset.

While the hackers did not reveal precise information on how their intercepting computer can spoof Apple's iCloud activation servers, it appears that they may be taking advantage of an SSL bug that is present in iTunes for Windows, as noted by iPhone in Canada, who spoke to security researcher Mark Loman about the issue. The previously disclosed issue was fixed in iOS 7.0.6 and OS X 10.9.2, but it appears that iTunes for Windows is still affected.

After looking into some claims of the jailbreak community, Mark Loman decided to do some investigating of his own and made a shocking discovery. SSL has two tasks: one, to verify communication with the intended server; and two, to prevent manipulation.

“The problem is with verifying the certificate. Apple appears to have deliberately left out this essential step required for proper secure communication. They fixed it last month for iOS but forgot to fix it for iTunes. But the jailbreak community is already making use of it — which is how I figured it out.”

The vulnerability reportedly allows hackers to intercept Apple ID credentials, which can then be used to unlock iOS devices that have been locked after having been lost or stolen.

Actually, the data IS encrypted. But when an attacker strips SSL during a so-called man-in-the-middle attack the AppleID account name and password can be extracted as they are sent in plain text inside SSL, Mark Loman said in an email sent to iPhone in Canada.

Using this technique, the hackers claim to have unlocked 30,000 iPhones in the past few days. The group allegedly contacted Apple about this vulnerability in March, but Apple never responded, prompting the hackers to go public with the information.

Update 10:43 AM: One of the hackers has denied that the bypass involves an SSL bug.

Tag: Activation Lock

Popular Stories

maxresdefault

Five Features Coming to AirPods Pro 3

Friday June 27, 2025 10:52 am PDT by
Apple hasn't updated the AirPods Pro since 2022, and the earbuds are due for a refresh. We're counting on a new model this year, and we've seen several hints of new AirPods tucked away in Apple's code. Rumors suggest that Apple has some exciting new features planned that will make it worthwhile to upgrade to the latest model. Subscribe to the MacRumors YouTube channel for more videos. Heal...
Read Full Article57 comments
Chase Sapphire Reserve Apple Perk Feature

Chase Sapphire Reserve Card Introduces New Perk for Apple Customers

Wednesday June 25, 2025 2:08 pm PDT by
Chase this week announced a series of new perks for its premium Sapphire Reserve credit card, and one of them is for a pair of Apple services. Specifically, the credit card now offers complimentary annual subscriptions to Apple TV+ and Apple Music, a value of up to $250 per year. If you are already paying for Apple TV+ and/or Apple Music directly through Apple, those subscriptions will...
Read Full Article75 comments
anker power bank recall

PSA: Anker Recalls Multiple Power Banks Due to Fire Risk

Friday June 27, 2025 4:16 pm PDT by
Popular accessory maker Anker this month launched two separate recalls for its power banks, some of which may be a fire risk. The first recall affects Anker PowerCore 10000 Power Banks sold between June 1, 2016 and December 31, 2022 in the United States. Anker says that these power banks have a "potential issue" with the battery inside, which can lead to overheating, melting of plastic...
Read Full Article92 comments
iPhone Car Key WWDC 2025

Apple Announces 13 Automakers Planning to Offer iPhone Car Keys

Friday June 27, 2025 11:42 am PDT by
In 2020, Apple added a digital car key feature to its Wallet app, allowing users to lock, unlock, and start a compatible vehicle with an iPhone or Apple Watch. The feature is currently offered by select automakers, including Audi, BMW, Hyundai, Kia, Genesis, Mercedes-Benz, Volvo, and a handful of others, and it is set to expand further. During its WWDC 2025 keynote, Apple said that 13...
Read Full Article
iPhone 17 Pro Blue Feature Tighter Crop

iPhone 17 Pro Launching in a Few Months With These 12 New Features

Thursday June 26, 2025 2:00 am PDT by
Apple's next-generation iPhone 17 Pro and iPhone 17 Pro Max are around three months away, and there are plenty of rumors about the devices. Apple is expected to launch the iPhone 17, iPhone 17 Air, iPhone 17 Pro, and iPhone 17 Pro Max in September this year. Below, we recap key changes rumored for the iPhone 17 Pro models:Aluminum frame: iPhone 17 Pro models are rumored to have an...
Read Full Article21 comments
CarPlay Ultra Climate Controls

Here's Which Vehicle Brands Will and Won't Offer Apple's CarPlay Ultra

Friday June 27, 2025 9:52 am PDT by
Apple last month announced the launch of CarPlay Ultra, the long-awaited next-generation version of its CarPlay software system for vehicles. There was news this week about which automakers will and won't offer CarPlay Ultra, and we have provided an updated list below. CarPlay Ultra is currently limited to newer Aston Martin vehicles in the U.S. and Canada. Fortunately, if you cannot...
Read Full Article137 comments
apple watch ultra 2 new black

Apple Watch Ultra 3 Finally Coming After Two-Year Hiatus

Tuesday June 24, 2025 3:40 am PDT by
Apple will finally deliver the Apple Watch Ultra 3 sometime this year, according to analyst Jeff Pu of GF Securities Hong Kong (via @jukanlosreve). The analyst expects both the Apple Watch Series 11 and Apple Watch Ultra 3 to arrive this year (likely alongside the new iPhone 17 lineup, if previous launches are anything to go by), according to his latest product roadmap shared with...
Read Full Article131 comments
macbook air spacegray purple

Apple Planning to Launch Low-Cost MacBook Powered By iPhone Chip

Monday June 30, 2025 3:20 am PDT by
Apple is planning to launch a low-cost MacBook powered by an iPhone chip, according to Apple analyst Ming-Chi Kuo. In an article published on X, Kuo explained that the device will feature a 13-inch display and the A18 Pro chip, making it the first Mac powered by an iPhone chip. The A18 Pro chip debuted in the iPhone 16 Pro last year. To date, all Apple silicon Macs have contained M-series...
Read Full Article226 comments

Top Rated Comments

Yvan256 Avatar
Yvan256
145 months ago
The group allegedly contacted Apple about this vulnerability in March, but Apple never responded, prompting the hackers to go public with the information.

In my opinion, that's the proper way to do it.

[LIST=1]
* Contact the manufacturer to inform them of the problem.
* Give them some time to fix it.
* If they haven't fixed it after a few months, go public to force them to react.
Score: 32 Votes (Like | Disagree)
Sky Blue Avatar
Sky Blue
145 months ago
"The group allegedly contacted Apple about this vulnerability in March, but Apple never responded, prompting the hackers to go public with the information."

lol, Apple
Score: 27 Votes (Like | Disagree)
ehmjay Avatar
ehmjay
145 months ago
Annnnnnd cue the tech press over-reacting and blowing this way out of proportion.

Not that this isn't a serious flaw; it is. But because it's Apple it will be presented as the end of the world, and covered by every major news outlet where-as a similar bug in Android is barely mentioned by anyone at all.
Score: 10 Votes (Like | Disagree)
dannyyankou Avatar
dannyyankou
145 months ago
The NSA new this all along.

*knew

Sorry, couldn't resist.
Score: 8 Votes (Like | Disagree)
Millah Avatar
Millah
145 months ago
They did, in March. Still not fixed.
So anyone can claim anything they want and people instantly believe them without a shadow of doubt? When did the public become so easily gullible?

I'm not saying its not true. I'm saying none of us know. Just because some hackers claim something doesn't make it true. And how exactly are they trustworthy to begin with? These are people hacking into places they shouldn't be, unlocking stolen phones, and you don't even have a sliver of doubt about their honesty?
Score: 8 Votes (Like | Disagree)
fumi2014 Avatar
fumi2014
145 months ago
These billion dollar companies really need to stay on top of all this. They're happy to take your money but not so quick to safeguard your details.

And now there's trouble at eBay.
Score: 8 Votes (Like | Disagree)
Read All Comments