So you bought an iPad – and it’s iCloud locked. Chances are you either got scammed by the seller, or you have bought a stolen device. If you are lucky, maybe the seller has just forgotten to remove his iCloud account from the device and in that case you’re safe.
So let’s say you have an iCloud locked iPad. What can you do with it? Well… Nothing. iCloud locked devices will show you the following screen:
If you don’t have access to the iCloud account in question, the only way you can get your iPad unlocked is by visiting an Apple store and showing proof of purchase. They will then check your credentials against their iCloud servers and if it matches, they can override the iCloud lock for you.
However, low-skill hackers have devised a very simple method of removing the iCloud activation from devices. A quick search on Twitter brings up hundreds of users that offer iCloud activation unlocking services for $150USD. Though I don’t understand the entire process, and there are possibly multiple ways of doing this, I have done some research and will outline the process an iCloud Activation Unlock works.
Below you can see just a small sample of Twitter accounts set up to sell an iCloud Activation Unlock:
So how are they doing it?
The first step involves identifying the iCloud email address locked to the device.
The device display shows an obfuscated iCloud username which can be targeted using a mass mailing attack. I will illustrate this in a simplified example below.
Let’s say (for simplicity) that an iCloud email address can only contain binary characters (1s and 0s). The iPad screenshot above would show us something like firstname.lastname@example.org. Hackers can then create an automated program or mailing list which sends an email to all possibilities of that email address.
So, we know that the device belongs to one of the following email addresses:
This is a simplified example, but in a real-case scenario we would need to try all possible combinations for a-z and 0-9. Therefore, it is likely an automated program is used. It is important to note that this is not the only way a hacker can find the email address of the iCloud account associated with the locked device. Some hackers are able to retrieve this information with the IMEI number of an iPhone. This suggests there may be a database, or service, somewhere that allows a lookup of registered iCloud email addresses against IMEI numbers.
Once a list of emails has been made, the hacker can send out a phishing email.
Browsing the timeline of the above Twitter accounts you can find tweets such as the following:
This suggests that email templates are used to fool users in handing over their iCloud details. These emails look something like this:
The idea is fool the user in to thinking it is a genuine email from Apple. These templates are very easily duplicated or crafted using HTML and CSS, and unfortunately many users do fall in to the trap.
Imagine having lost your iPhone with all your personal information and precious photos. And then and email pops up from ‘Apple’ saying that your phone has been found. After all, you did lock your device using FindMyiPhone so this email alert is surely real. Or is it?
Looking at the header of the email you will see that it is not from Apple at all. In fact, it will be an email sent from a private account such as ‘email@example.com’ or ‘firstname.lastname@example.org’. The problem is, email services make it all too easy to spoof the ‘From’ fields in emails. Users who do not pay close attention will easily think this is an email from Apple, and click the prompt.
Just like the email, a clone of official Apple websites can also be built very easily. In this case, the ‘See Location’ button will not take you to Apple’s iCloud website, but a cloned version instead.
The website is designed to mimic the Apple website and feel familiar. But, look closely. Do you notice the address bar shows that this web page does not belong to Apple.com? That is the biggest hint that you are walking in to a trapdoor.
What you should see from any website that asks you to enter confidential details such as passwords is something like this:
This image shows a green padlock indicating that the website you are visiting is secure, encrypted and registered under the following name. Still, you should keep your wits about you – the website may have been compromised, but the likelihood of that happening to such a large company and not being on the news is fairly slim.
Back to the iCloud clone…
On this page, the hacker is hoping you won’t notice it’s a spoof website. You enter your iCloud email address and password. And that’s it. You’ve been compromised. Essentially, your ID has been stolen.
The final step. This can be done manually, or it can be automated. More advanced hackers will automate this process. That means this last step can be completed within a few seconds, and so even if you change your password it’s too late.
Now that the hackers have access to your iCloud credentials, they can log in at iCloud.com and disable ‘Lost Mode’. This will remove the iCloud activation lock on the stolen device. To make sure you don’t log back in and re-activate the lock, they are also able to remove the device from your account. That means, the stolen device is no longer associated with your iCloud account. You can no longer track its location, lock or wipe it remotely. What’s worse is that the data on your device remains. That includes any private and sensitive information which can now be accessed and sold by the hacker or new owner of the stolen device.
If the hacker really wanted to they could do a number of things from their access to your iCloud account:
After reading this article it should become blatantly obvious that it is important to stay vigilant online. If you have recently lost an Apple device and are receiving emails like the one shown above, be careful. You are being targeted and it is paramount that you do not pass over your details. If you are unsure about an email, speak to an expert.
For those who are not familiar with the FindMyiPhone service, search for it and familiarise yourself. It is the first step in ensuring your information is not compromised should your device get lost or stolen.