How an Underground Industry of Thieves Unlocks Stolen iPhones

iPhone Activation Lock. Credit: Ourtechies / YouTube

iPhone security is notoriously tough to crack. As such, hackers, thieves and others are finding more creative ways to unlock them.

Back in 2013, Apple made a profound change that would make iPhones much less attractive to thieves. That change was adding an iCloud lock — making it so an iPhone can only be associated with one iCloud account.

Without the original owner’s iCloud password, a device can’t be factory reset or unlinked from the primary account (this is known as Activation Lock). Similarly, a user has the ability to locate a lost or stolen iPhone and remotely lock it with Find My iPhone.

Essentially, that meant a stolen iPhone was useless, and perhaps even threatening, to a thief. Thieves, however, did not give up.

They just developed increasingly creative methods to strip iPhones of their associated iCloud accounts.

A Motherboard investigative report published this week details some of those methods.


By far the simplest way is to get the owner of the handset to do it for them. Motherboard notes that there has been an uptick in muggings in which the thieves give very specific instructions to the person being robbed.

Last month, for example, there was a string of muggings in Philadelphia in which the perpetrator held a victim up at gunpoint and instructed them to disable Find My iPhone and log out of iCloud.

But there is also an underground industry of illegal iCloud unlocking entities that perform so-called “iCloud unlock” schemes. Motherboard describes the illicit network as “involving a complex supply chain of different scams and cybercriminals.”

In cases in which a password isn’t obtained during a mugging, cybercriminals can attempt to disable iCloud by phishing the password associated with it.

Another way is to use doctored receipts to try to trick Apple staff into overriding iCloud, an ability that Apple Store managers have.

The most complicated method is to remove an iPhone’s chip from a logic board and reprogram it with a “clean” iPhone’s IMEI number. This, essentially, creates a “new device,” but is an inherently difficult and time-consuming task, which is why it’s only common in Chinese refurbishing labs.

Complicating matters is the fact that not all iCloud-locked iPhones are necessarily stolen.

Sometimes, carriers or other third parties end up with such devices when users trade them in without wiping them.

Apple, for its part, doesn’t work with third parties to unlock these devices en masse. While they can be used for parts in their locked state, third-party repair shops know that an unlocked iPhone is worth much more.

In other words, the complicated iCloud unlocking industry is also populated with legitimate third parties that need a device to be unlocked.

There are also other facets to the underground industry.

Motherboard points out that there are unofficial databases that can be used to check the status of an iPhone (to determine whether it’s lost, stolen or “clean”).

iCloud phishing “kits” and fake receipts are also bought and sold through various channels. The network also uses these channels to share iPhone unlocking tips and tricks with each other.

There are a lot more details and specifics in Motherboard’s full article, which is fascinating and well worth a read.