Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Cloud IOS Iphone Privacy Security Apple Hardware Technology

How Hackers and Scammers Break Into iCloud-Locked iPhones (vice.com) 73

Motherboard's Joseph Cox and Jason Koebler report of the underground industry where thieves, coders, and hackers work to remove a user's iCloud account from a phone so that they can then be resold. They reportedly are able to do this by phishing the phone's original owners, or scam employees at Apple Stores, which have the ability to override iCloud locks. The other method (that is very labor intensive and rare) involves removing the iPhone's CPU from the Logic Board and reprogramming it to create what is essentially a "new" device. It is generally done in Chinese refurbishing labs and involves stealing a "clean" phone identification number called an IMEI. Here's an excerpt from their report: Making matters more complicated is the fact that not all iCloud-locked phones are stolen devices -- some of them are phones that are returned to telecom companies as part of phone upgrade and insurance programs. The large number of legitimately obtained, iCloud-locked iPhones helps supply the independent phone repair industry with replacement parts that cannot be obtained directly from Apple. But naturally, repair companies know that a phone is worth more unlocked than it is locked, and so some of them have waded into the hacking underground to become customers of illegal iCloud unlocking companies.

In practice, "iCloud unlock" as it's often called, is a scheme that involves a complex supply chain of different scams and cybercriminals. These include using fake receipts and invoices to trick Apple into believing they're the legitimate owner of the phone, using databases that look up information on iPhones, and social engineering at Apple Stores. There are even custom phishing kits for sale online designed to steal iCloud passwords from a phone's original owner. [...] There are many listings on eBay, Craigslist, and wholesale sites for phones billed as "iCloud-locked," or "for parts" or something similar. While some of these phones are almost certainly stolen, many of them are not. According to three professionals in the independent repair and iPhone refurbishing businesses, used iPhones -- including some iCloud-locked devices -- are sold in bulk at private "carrier auctions" where companies like T-Mobile, Verizon, Sprint, AT&T, and cell phone insurance providers sell their excess inventory (often through third-party processing companies.)

This discussion has been archived. No new comments can be posted.

How Hackers and Scammers Break Into iCloud-Locked iPhones

Comments Filter:
  • Stolen iPhone (Score:5, Interesting)

    by Dan East ( 318230 ) on Sunday February 10, 2019 @10:30AM (#58098876) Journal

    Very interesting timing on this story. Friday my son's iPhone 7 was stolen at school around 11 AM. Before he made it home at 3 PM his iPhone had been taken over - he had emails between 2:42 and 2:45 showing where someone had changed his gmail password, logged into his gmail account on a different phone, changed the password on his Apple account (which used the gmail account for the Apple ID), and disabled Find My Phone on his stolen phone (and the email from Apple helpfully indicated that now the device could be reset and logged into without the Apple ID credentials). The IP address that was done from was at his high school (the phone did not have cellular service - he used it with WiFi only).

    I'm still trying to wrap my head around the fact that someone at this relatively small school knew how to take over an iPhone locked with a 6 digit passcode. It appears that gmail was the weak link here. My guess is to what happened is that since the google apps were installed on the iPhone, when a "lost password" was triggered from a different phone, Google sent a reset code to the stolen phone. I haven't bothered to try and test this, but my hunch is that the reset code that Google sent to his phone was a notification accessible while the phone was locked.

    The lesson I have learned here (in any case, since the first step that occurred was his Google account password was changed and logged into from a different phone) is NEVER use gmail addresses for your Apple ID. That was the attack vector, and if it is too easy for someone to change your gmail password, then it's too easy for them to take over your hardware devices as well.

    • Re: (Score:2, Insightful)

      by b0s0z0ku ( 752509 )
      Why does your kid need a $500 plus phone to bring to school? Get him a used Moto for $50, a voice/text/wifi only plan (no data) and teach him that he doesn't need to be on an e-leash 24/7/365 to be happy.
      • by sessamoid ( 165542 ) on Sunday February 10, 2019 @11:25AM (#58099030)
        Always nice to have random strangers on the internet giving unsolicited parenting advice.
        • Always nice to have random strangers on the internet giving unsolicited parenting advice.

          If Florida Man/Woman has taught me anything then it's that there are a lot of people out there that could use all the advice they can get.

        • It isn't really unsolicited advice if it is an answer to whatever you are bitching about voluntarily in a public forum. Kids lose things, that's been a fact since long before my crusty old ass was a kid, and it will never change. Maybe letting them walk around all day, every day with expensive items that other people are unlikely to return if found isn't a great idea.

          A coworker of mine just let her young teenager get his first phone, but he had to buy it with his own money - so he got a $100 Android phon
      • Re:Stolen iPhone (Score:5, Informative)

        by Dan East ( 318230 ) on Sunday February 10, 2019 @12:51PM (#58099444) Journal

        My son worked as a dishwasher and saved up for it. He bought it for $100 from a friend that upgraded their phone. But thank you for your parenting advice. Actually yesterday I went to the local pawn shop and bought a ZTE phone for $10 that he's using for snapchat, etc, for now.

      • by Anonymous Coward

        Wow, when I graduated HS, NOBODY had a cell phone, and they were worried about pagers which would be confiscated on site. (makes sense, because a teen with a pager was most likely a drug dealer)

          This was in 1995.

      • Why does your kid need a $500 plus phone to bring to school?

        A quick check of Swappa [swappa.com] reveals a used iPhone 7 is worth about $200. Adjusted for inflation (I'm 40), that would've been like me having a $120 gadget at school, when I was 16.

        Doesn't sound too unreasonable to me. Sorry grandpa, you're just getting old like the rest of us.

        • No, I'm just not rich -- frankly, I can't imagine spending more than $100 on a phone for myself, let alone for family.
    • Re:Stolen iPhone (Score:4, Informative)

      by Mortimer82 ( 746766 ) on Sunday February 10, 2019 @11:40AM (#58099132)
      That sucks, clearly a well planned theft by someone in the know. Did you not have 2FA enabled on your Gmail? I personally use their Authenticator app.

      Having at one point in my life having done customer service for World of Warcraft, I cannot recommend enough that everyone use Authenticator options wherever available for online accounts, especially high value ones such as Gmail. While in your case it was clearly someone based at the school, in general there is a enormous industry in the business of compromising accounts of all types.
    • Is it possible that your son was bullied into "giving" the phone to an older colleague?
    • Perhaps the simplest answer is most likely: someone watched him enter his passcode and/or GMail password BEFORE they stole the phone.
      Or, as someone else suggested, the mean kid in school made him give it up.

    • I'm still trying to wrap my head around the fact that someone at this relatively small school knew how to take over an iPhone locked with a 6 digit passcode. It appears that gmail was the weak link here.

      My guess would be the 6 digit passcode was the weak link. It's pretty easy to watch someone entering it, especially in a crowded place like a school. Once they're in, if the phone has gmail loaded, they can access the gmail account without knowing the password.

      Gmail normally prevents someone from chan

    • by rworne ( 538610 )

      I'm still trying to wrap my head around the fact that someone at this relatively small school knew how to take over an iPhone locked with a 6 digit passcode. It appears that gmail was the weak link here. My guess is to what happened is that since the google apps were installed on the iPhone, when a "lost password" was triggered from a different phone, Google sent a reset code to the stolen phone. I haven't bothered to try and test this, but my hunch is that the reset code that Google sent to his phone was a notification accessible while the phone was locked.

      Having owned several generations of iPhone I can see how:

      On my older iPhone 6+, text message, alerts, and their contents are readily visible on the lock screen. On the newer iPhone X, the notifications are visible, but the contents of these notifications are not displayed until FaceID recognizes the owner. Odd, because TouchID could work in a similar manner. That could possibly be the way this happened. I don't use Google's apps on the iPhone and just use the built-in mail application - which do not not

    • I am not saying that your kid lied to you.... But consider that if he "gave" the phone to bullies, then all is very simply explained.
    • by pnutjam ( 523990 )
      My kids have google accounts that are custom domains. I can reset the password essentially at will.
  • Erasing a phone should be as easy as erasing a computer -- storage module should be removable, and you should be able to reinstall the OS. Encrypt the thing, of course, to prevent data theft. It's terrible that usage of a device that you own (or possess, anyway) is at Apple, Google, or another company's whim...

    Yeah, yeah, thieves. Know what? I'm not a coward. And frankly, if my phone is stolen, I'd still rather have it be useful to someone than end up polluting a landfill somewhere in Africa. Gaia fir

    • by berj ( 754323 )

      Personally I'd rather that my phone is less likely to be attractive to a thief and thus less likely to be stolen. Activation lock (and the like from other manufacturers) have caused phone thefts to drop. People still steal them but it's a less attractive target since they know all the work that has to go into unlocking them. That's good enough for me.

      As for ending up in a landfill.. the article shows that that doesn't happen. They end up getting sold off for parts or for people who for some reason are w

      • I'm not sure that you CAN have passcode lock turned on and the theft-prevention features turned off. I'd rather a code-locked phone simply wipe if the code is entered wrong too many times -- the thief can do what they want with the actual phone. As I said, I'm not a coward.
        • by berj ( 754323 )

          Yes.. you definitely can, at least on an iPhone. They're two completely separate features. And you can set the phone to wipe after 10 failed passcode attempts.

          I've been wracking my brains since I read your first post.. what does not being a coward have anything to do with whether or not a phone has an anti theft lock?

  • Does the school log access to websites? If so, the police could ask the It staff to check the logs.

    At the school I worked in we logged all web access using a Squid Proxy Server. This would have allowed us to look up who on that day at that time had accessed both Googlemail and Apple iCloud.

    Highly likely then to have the login name of the kid or staff member who did it. Unless their password was stolen too.

    They may also be able to see what access point the phone was connected to. In fact, they m
  • My brother-in-law has an old iPhone 5c which he can't get into - the iCloud account is clearly still set to one of his Email addresses (he owns hisname.com and even the obfuscated version with first and last letters are the right ones) but password reset emails never arrive. I've encouraged him for a year now to come with me to the nearest Apple store and get their help but could not promise they'd manage it, and he's never had the spare time between work and kids. But if they can definitely do it (once c

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...