Report Exposes Massive Effort by Hackers and Others to Bypass iCloud-Locked iPhones

Apple introduced stronger anti-theft protections in iOS (and macOS), most visibly Activation Lock, to deter device theft and illegitimate access to iCloud accounts.

It may have worked right out of the gate, but it appears that thieves have simply adapted their methods. Some of those methods rely on nothing more than physical coercion, as a new report from Vice's Motherboard this week notes: rather than just grabbing the device, thieves put their victims in life-or-death situations and order them to turn off Find My iPhone and sign the phone out of their iCloud account altogether, so that the device leaves the victim's hands already unlocked.

In one account, a victim was held up at gunpoint and told to sign out of their account and turn off Find My iPhone. In another, a victim was put in a chokehold and told to “Be quiet and delete your iCloud”; the thief then ran off with the iPhone 6s. Activation Lock, which ties an iOS device to a single iCloud account until that account is signed out or the lock is removed, was introduced in 2013. Since then, thieves who want to use or resell a stolen device have had to adapt, because an unlocked phone is simply worth more than a locked one.

But the efforts have become pretty extreme. The report is an in-depth look at what goes on behind the scenes as individuals, and even third-party repair shops, get into the business of illegally unlocking iCloud-locked iOS devices.

“In practice, ‘iCloud unlock’ as it’s often called, is a scheme that involves a complex supply chain of different scams and cybercriminals. These include using fake receipts and invoices to trick Apple into believing they’re the legitimate owner of the phone, using databases that look up information on iPhones, and social engineering at Apple Stores. There are even custom phishing kits for sale online designed to steal iCloud passwords from a phone’s original owner.”

The report sheds light on a large, loosely organized scheme in which hundreds of people work toward the same goal: unlocking an iCloud-locked iPhone or other iOS device. Much of it runs through group chats, some with around 100 members, where participants trade methods for unlocking a given device. Those methods include paying for phishing campaigns against the original owner, handing over iCloud passwords that are already available, and fabricating fake receipts.

“The iPhones, iPads, and occasional Apple Watch come from all over the world: the United States, Britain, Europe, South America, Southeast Asia, and the Middle East. Some hackers have dozens of targets at a time, according to screenshots of control panels shared in the group chat. The hackers are also global: one said in the chat they were in the Philippines, while a hacking tool developer indicated they were based in Eastern Europe.”

Some of the hackers involved even claim to have access to Apple's internal Global Service Exchange, or GSX, which would give them Apple's repair and service database.

“‘GSX is the Global Service Exchange website used by Retail and Apple Authorized Service Providers to access technical resources, ranging from Apple Service Guides and Troubleshooting tools to Service Technician training,’ an internal Apple document describing the service obtained by Motherboard reads. Various different employees in Apple Stores, such as those who work at the Genius Bar, automatically have access to GSX, another internal Apple document reads.”

Perhaps the craziest element of the story is the fake receipts. Because Apple support staff can remove Activation Lock when shown proof of purchase, thieves and cybercriminals fabricate a receipt carrying every detail an Apple Store employee needs in order to unlock the phone, but with the thief's name on it rather than the original owner's. Sometimes they don't even need to set foot in an Apple Store to do it:

“Scammers will use Photoshop or similar software to alter the invoice to make it appear to be a legitimate one for the device they’re trying to unlock. They keep on top of any changes to the documents as well—some scammers were recently asking for 2019 versions of invoices.

Armed with a legitimate-looking Apple invoice filled with accurate information about the phone such as its IMEI number—a unique, per device identifier code—and its estimated date of purchase, scammers can ask Apple customer support to remove iCloud from the device. Scammers don’t always need to go into an Apple Store to do this—screenshots shared in the invoice chat room show successful iCloud removals by just conversing with Apple support over email. This likely only works with phones that have not been marked as stolen, however.”
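The report's point that a forged invoice must carry the phone's real IMEI deserves a concrete look. The Python below is an added example, not code from the Motherboard report or from Apple; it performs only the structural check an IMEI can be subjected to offline (15 digits: an 8-digit TAC identifying the model, a 6-digit serial, and a Luhn check digit), and the sample IMEI is a constructed test value. The caveat it illustrates: a thief holding the phone can read its genuine IMEI off the SIM tray or Settings, so any such check passes for a forged invoice, and a verifier has to match the IMEI against an actual sales record rather than merely validate it.

```python
"""Structural IMEI check (added example; assumes only the public IMEI layout).

An IMEI is 15 decimal digits: an 8-digit TAC (type allocation code, which
identifies the device model), a 6-digit serial, and a Luhn check digit.
This catches typos and made-up numbers only. It says nothing about who owns
the device, because the real IMEI is printed on the phone itself.
"""

def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk from the digit nearest the check digit; double every second digit
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def normalize_imei(imei: str) -> str:
    """Strip the spaces and dashes commonly typed into invoice forms."""
    return imei.replace(" ", "").replace("-", "")


def is_valid_imei(imei: str) -> bool:
    """True if imei is 15 digits whose last digit is the correct Luhn check digit."""
    digits = normalize_imei(imei)
    if len(digits) != 15 or not digits.isdigit():
        return False
    return luhn_check_digit(digits[:14]) == int(digits[14])


def split_imei(imei: str) -> dict:
    """Break a structurally valid IMEI into its TAC, serial and check digit."""
    digits = normalize_imei(imei)
    if not is_valid_imei(digits):
        raise ValueError("not a structurally valid IMEI")
    return {"tac": digits[:8], "serial": digits[8:14], "check": digits[14]}


# Constructed sample value (the well-known Luhn example 49015420323751 + 8);
# it does not correspond to any real device in this story.
SAMPLE_IMEI = "49-015420-323751-8"

if __name__ == "__main__":
    print(is_valid_imei(SAMPLE_IMEI))                # True: passes the structural check
    print(split_imei(SAMPLE_IMEI))
    print(is_valid_imei("490154203237519"))          # False: one digit altered
```

A real verification step would take the TAC and serial returned here and look them up against the sales record the invoice claims to represent; the Luhn check alone cannot distinguish a legitimate owner from someone who copied the number off a stolen handset.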

You can find the full report through the source link below; it is well worth reading in full. If anything, it is a good reminder that the security features we rely on always need improving in one way or another. This is not a static market, and the methods criminals come up with can be just as ingenious as the protections they are defeating.

[via Motherboard]