How Do iCloud Activation Unlocks Work

So you bought an iPad and it is iCloud locked. Chances are you were either scammed by the seller or you have bought a stolen device. If you are lucky, the seller has simply forgotten to remove their iCloud account from the device, and in that case you can ask them to sign out and the lock goes away.

So let’s say you have an iCloud locked iPad. What can you do with it? Well… Nothing. iCloud locked devices will show you the following screen:

(Screenshot: Find My iPhone "Activate iPad" screen)

If you don’t have access to the iCloud account in question, the only legitimate way to get the iPad unlocked is to visit an Apple Store with proof of purchase. Apple checks the proof of purchase against its records and, if it matches, can remove the Activation Lock for you.

However, hackers with little technical skill are selling a very simple method of removing the iCloud activation lock. A quick search on Twitter brings up hundreds of accounts offering iCloud activation unlocking for around US$150. I don’t understand the entire process, and there are probably several ways of doing it, but I have done some research and will outline how an iCloud Activation Unlock works.

Below you can see just a small sample of Twitter accounts set up to sell an iCloud Activation Unlock:

https://twitter.com/mikeyymike1/status/761164101439455232

So how are they doing it?

iCloud Email Address

The first step is identifying the iCloud email address locked to the device.

The activation screen shows a partially masked iCloud username, and that mask can be attacked with a mass-mailing campaign. I will illustrate this with a simplified example below.

Let’s say (for simplicity) that an iCloud email address can only contain binary characters (1s and 0s). The iPad screen above would then show something like 1***@icloud.com, leaving three characters unknown. Hackers can write an automated program, or build a mailing list, that sends an email to every possible address.

So, we know that the device belongs to one of the following 2^3 = 8 email addresses:

  • 1000@icloud.com, or
  • 1001@icloud.com, or
  • 1010@icloud.com, or
  • 1011@icloud.com, or
  • 1100@icloud.com, or
  • 1101@icloud.com, or
  • 1110@icloud.com, or
  • 1111@icloud.com

This is a simplified example. In a real case each hidden character can be any of a-z and 0-9, so the number of candidates grows as 36^n for n masked characters: five hidden characters already give more than sixty million addresses. Enumerating them by hand is out of the question, so an automated program is used, and the approach only works when the mask leaves few characters hidden. It is important to note that this is not the only way a hacker can find the email address of the iCloud account associated with a locked device. Some hackers are able to retrieve this information from the IMEI number of an iPhone, which suggests there is a database, or service, somewhere that allows a lookup of registered iCloud email addresses against IMEI numbers.
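The candidate enumeration above, generalised from the binary toy case to an arbitrary alphabet, as an added Python example that is not part of the original article. It assumes the hidden characters are shown as '*' (as in the text) or as a bullet, and that an iCloud local part is drawn from a-z and 0-9 only; the point of candidate_count() is to show how quickly the search space outgrows a mass-mailing attack.

```python
import itertools
import string

# Characters the Activation Lock screen may use to hide part of the username
# (assumption for this example: '*' as in the text, or a bullet character).
MASK_CHARS = "*\u2022"

# Characters an Apple ID local part is assumed to contain (a-z and 0-9, as in
# the text; real addresses may also use a few punctuation characters).
REAL_ALPHABET = string.ascii_lowercase + string.digits


def hidden_positions(mask):
    """Split a masked address into local part, domain and the indexes of the hidden characters."""
    local, _, domain = mask.partition("@")
    hidden = [i for i, ch in enumerate(local) if ch in MASK_CHARS]
    return local, domain, hidden


def candidate_count(mask, alphabet="01"):
    """Size of the search space: len(alphabet) ** (number of hidden characters)."""
    _, _, hidden = hidden_positions(mask)
    return len(alphabet) ** len(hidden)


def expand_mask(mask, alphabet="01"):
    """Yield every address matching the mask, in lexicographic order of the hidden characters."""
    local, domain, hidden = hidden_positions(mask)
    chars = list(local)
    for combo in itertools.product(alphabet, repeat=len(hidden)):
        for pos, ch in zip(hidden, combo):
            chars[pos] = ch
        yield "".join(chars) + "@" + domain


if __name__ == "__main__":
    # The article's binary example: three hidden bits give 2**3 = 8 addresses.
    for addr in expand_mask("1***@icloud.com"):
        print(addr)
    # With the real alphabet the count explodes; only very short masks are brute-forceable.
    for n in range(1, 7):
        count = candidate_count("a" + "*" * n + "@icloud.com", REAL_ALPHABET)
        print(n, "hidden characters ->", count, "candidate addresses")
```

Running it prints the eight binary candidates, then 36, 1296, 46656, 1679616, 60466176 and 2176782336 for one to six hidden characters with the full alphabet, which is why the attack is only credible against short masks or with a lookup source such as the IMEI database the text speculates about.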

Once a list of emails has been made, the hacker can send out a phishing email.

Phishing Emails

Browsing the timeline of the above Twitter accounts you can find tweets such as the following:

This suggests that email templates are used to fool users into handing over their iCloud details. These emails look something like this:

(Screenshot: spoofed "Apple" iCloud email)

The idea is to fool the user into thinking it is a genuine email from Apple. These templates are very easily copied or crafted using HTML and CSS, and unfortunately many users do fall into the trap.

Imagine having lost your iPhone with all your personal information and precious photos. Then an email pops up from ‘Apple’ saying that your phone has been found. After all, you did lock your device using Find My iPhone, so this alert is surely real. Or is it?

Looking at the headers of the email you will see that it is not from Apple at all. It will have been sent from a private account such as ‘hacker@gmail.com’ or from a look-alike domain such as ‘apple@arandomdomain.com’. The problem is that the display name, and even the address, in the ‘From’ field are chosen by the sender, so what the mail client shows you proves nothing. The Return-Path and Received headers, and the Authentication-Results header (the receiving server’s SPF, DKIM and DMARC verdicts), are far harder to fake. Users who do not look that closely will easily take this for an email from Apple and click the prompt.

Spoofed Website

Just like the email, a clone of official Apple websites can also be built very easily. In this case, the ‘See Location’ button will not take you to Apple’s iCloud website, but a cloned version instead.

(Screenshot: cloned iCloud login page)

The website is designed to mimic the Apple website and feel familiar. But look closely. Do you notice that the address bar shows this page does not belong to apple.com or icloud.com? That is the biggest hint that you are walking into a trap.

What you should see from any website that asks you to enter confidential details such as passwords is something like this:

(Screenshot: address bar for apple.com showing the padlock and company name)

This image shows a green padlock, which means the connection to the site named in the address bar is encrypted and that the certificate is registered to the company named next to it. It does not by itself mean the site is Apple’s: a cloned site on its own domain can obtain a perfectly valid certificate and show a padlock too, so the domain name in the address bar is what you must check. Still, keep your wits about you. A site can also be compromised, but the likelihood of that happening to a company this size without it being in the news is fairly slim.

Back to the iCloud clone…

On this page, the hacker is hoping you won’t notice it’s a spoof. You enter your iCloud email address and password. And that’s it. You’ve been compromised: your Apple ID credentials are now in the hacker’s hands.
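A triage script for the two indicators discussed above (the mail headers in the "Phishing Emails" section and the link target in the "Spoofed Website" section), as an added Python example that is not from the original article. The two messages it checks are constructed for the example, not real mail: the first mirrors the spoof described in the text, the second is a made-up control with sender addresses and an Authentication-Results header that pass every check. The allow-list of genuine domains (apple.com and icloud.com plus their subdomains) is an assumption.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains treated as genuine Apple hosts (assumption for this example:
# an exact match or any subdomain of these counts as Apple's).
LEGIT_DOMAINS = ("apple.com", "icloud.com")

# Constructed sample of the phishing mail described in the text (not a real
# message). The display name says Apple; the address, envelope sender and
# link target do not.
PHISH_EMAIL = """\
From: "Apple Support" <apple@arandomdomain.com>
To: victim@icloud.com
Subject: Your iPad has been found
Return-Path: <hacker@gmail.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com; dkim=none; dmarc=none header.from=arandomdomain.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your iPad was located. Sign in to see where it is.</p>
<a href="https://icloud.com-findmyiphone.example/login">See Location</a>
</body></html>
"""

# Constructed control message in which every indicator is in order
# (the sender addresses are made up for the example).
CLEAN_EMAIL = """\
From: Apple <noreply@email.apple.com>
To: victim@icloud.com
Subject: Find My iPhone alert
Return-Path: <bounce@email.apple.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=email.apple.com; dkim=pass header.d=email.apple.com; dmarc=pass header.from=email.apple.com
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.icloud.com/find">Open Find My iPhone</a></body></html>
"""


def is_legit_host(host):
    """True only for the allow-listed domains themselves or a real subdomain of them."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def link_host(url):
    """The host a browser would actually connect to. Note that
    'https://www.apple.com@evil.example/' connects to evil.example: the part
    before '@' is userinfo, not the site."""
    return urlsplit(url).hostname or ""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw):
    """Return the list of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims Apple, but the From address lives elsewhere.
    from_name, from_addr = parseaddr(str(msg["From"]))
    from_dom = domain_of(from_addr)
    if any(k in from_name.lower() for k in ("apple", "icloud")) and not is_legit_host(from_dom):
        findings.append(f"display name '{from_name}' but sender domain is {from_dom}")

    # 2. Envelope sender (Return-Path) does not match the From domain.
    if msg["Return-Path"]:
        rp_dom = domain_of(parseaddr(str(msg["Return-Path"]))[1])
        if rp_dom != from_dom:
            findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 3. The receiving server's SPF/DKIM/DMARC verdicts; anything but dmarc=pass is suspect.
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg["Authentication-Results"] or "")))
    if results.get("dmarc") != "pass":
        findings.append(f"authentication results: {results or 'none'}")

    # 4. Every link in the body must land on a genuine Apple host.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in re.findall(r"""href=["']([^"']+)["']""", text, flags=re.I):
        host = link_host(url)
        if not is_legit_host(host):
            findings.append(f"link {url} goes to {host}, not Apple")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, triage(raw) or ["no indicators"])
```

The order of the checks matters in practice: the display name and the look-alike domain are what the victim sees, but the Authentication-Results header is what a mail gateway can act on, and the link host is the one thing the padlock does not vouch for.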

Removing the iCloud activation lock

The final step. This can be done manually or it can be automated; the more capable hackers automate it, so it completes within seconds of you entering your password. Changing your password afterwards is too late, because the device has already been removed.

With your iCloud credentials in hand, the hackers sign in at iCloud.com, open Find My iPhone, turn off Lost Mode and remove the stolen device from your account. It is the removal that clears the Activation Lock: the lock is tied to the device’s association with your Apple ID, so once the device is gone from the account the thief can activate the iPad as if it were new. If two-factor authentication is enabled on the Apple ID the password alone is not enough to sign in, but a cloned login page can simply ask for the verification code as well and pass it straight through. Once removed, the device is no longer associated with your iCloud account: you can no longer track its location, lock it or wipe it remotely. What’s worse is that the data on the device remains, including any private and sensitive information, which can now be accessed and sold by the hacker or the new owner of the stolen device.

Rubbing salt in the wounds

If the hacker really wanted to, they could do a number of things with access to your iCloud account:

  • Wipe every device linked to your iCloud account, deleting all information from your Mac, iPads and iPhones.
  • Lock your devices for a ransom. A hacker could change your iCloud password and security details and then put all your other devices into ‘Lost Mode’, making a message appear on their screens demanding money in return for unlocking them.
  • With Apple Pay, a hacker could add another iPhone to your account and use it to make contactless transactions with the bank card on file, for example a series of £30 payments, with no card and no PIN involved.

Stay vigilant

After reading this article it should be obvious that it is important to stay vigilant online. If you have recently lost an Apple device and are receiving emails like the one shown above, be careful: you are being targeted, and it is paramount that you do not hand over your details. Do not sign in through a link in an email at all; type icloud.com into the browser yourself and check the device’s status there. If you are unsure about an email, speak to an expert.

For those who are not familiar with the Find My iPhone service, search for it and familiarise yourself with it, and enable two-factor authentication on your Apple ID. Together they are the first step in ensuring your information is not compromised should your device get lost or stolen.
