DoulCi hacks iOS devices through Apple's iCloud vulnerability

A pair of hackers known as Team DuolCi has expolited a vulnerability on Apple's iCloud system, allowing them to disable the Activation Lock on iOS devices.

The two hackers, identified as AquaXetine from the Netherlands and MerrukTechnolog from Morocco, have unlocked as many as 30,000 stolen iPhones just in the past few days, allowing thieves to resell the smartphones into the black market.

Team Duolci reportedly worked on the iCloud vulnerability for five months, as they studied the data transmission between iPhones and Apple's iCloud. The hackers claimed that they were able to unlock iPhones by placing a computer between an iPhone and the servers of Apple, tricking the iPhone into the thinking that their computer is an Apple server. This allows them to send commands to the iPhone using their computer to remove the phone's Activation Lock.

The attack of the hackers on Apple's iCloud is made possible because Apple's iTunes for Windows does not properly check security certificates, a discovery made by Mark Loman, a security researcher of SurfRight.

"The problem is with verifying the certificate. Apple appears to have deliberately left out this essential step required for proper secure communication. They fixed it last month for iOS but forgot to fix it for iTunes. But the jailbreak community is already making use of it - which is how I figured it out," Loman said.

Loman thinks that the security lapse is "either a beginner's mistake, or it was done on purpose," alleging that the so-called mistake may have been done on purpose to provide access to all the information stored in iCloud to intelligence agencies.

A Dutch article reported that Chinese traders bought stolen iOS devices trough online commerce websites such as eBay, for the price tag of US$50 to US$150. The pair of hackers then removed the Activation Lock on the devices, leading to a considerable profit for the Chinese traders.

Team DuolCi said that they are not looking to gain money by revealing this hack. Instead, the pair just wants to warn the general public about the security issues for iPhones and iCloud. They allegedly reported the vulnerability to Apple in March, but they did not receive a reply.

This vulnerability is exposed right after another Apple security issue that was revealed last month. A German security researcher discovered that a bug in Apple's iOS 7 leaves e-mail attachments unencrypted in spite of Apple's Data Protection technology.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics