
How Hackers and Scammers Break into iCloud-Locked iPhones - walterbell
https://www.vice.com/en_us/article/8xyq8v/how-to-unlock-icloud-stolen-iphone
======
jwr
It seems that most of these problems would be solved by a time delay, like on
safes at gas stations. You can disable the "Find my iPhone" service, and it
will show as disabled, but it will actually stop working 48h or 72h later, so
that there is a time window in which to catch criminals.

As always, the important thing here is for criminals to know this: even if
they force you to unlock the phone, they are not off the hook.

~~~
ZitchDog
Wouldn't they just turn off the device for 72h?

~~~
chongli
The 72h window should notify the owner and allow them to go in and flag the
device as stolen. Once the device is stolen, it should essentially brick
itself as soon as it connects to a network and reaches Apple's servers. The
device could only be unbricked by bringing it to an Apple store and showing ID
to prove ownership.

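A small model of the two proposals in this sub-thread (jwr's delayed disable that still tracks during the window, and chongli's "flag as stolen, lock on next contact"), added here as illustration and not part of the original discussion or of Apple's design. The 72-hour delay, the state names and the method names are assumptions.

```python
"""Illustrative model of a time-delayed "disable Find My" request with an
owner cancellation window, as proposed in this thread. Added example, not
Apple's design; delay length, states and method names are assumptions."""
from dataclasses import dataclass
from typing import Optional

DISABLE_DELAY_SECONDS = 72 * 3600  # assumed 72-hour window


@dataclass
class TrackedDevice:
    device_id: str
    tracking_enabled: bool = True          # what the service really does
    disable_requested_at: Optional[int] = None
    flagged_stolen: bool = False

    def _settle(self, now: int) -> None:
        """Apply a pending disable once the delay has elapsed."""
        if (self.disable_requested_at is not None and not self.flagged_stolen
                and now - self.disable_requested_at >= DISABLE_DELAY_SECONDS):
            self.tracking_enabled = False
            self.disable_requested_at = None

    def request_disable(self, now: int) -> None:
        """Whoever holds the unlocked phone turns Find My off. The UI accepts
        it at once, but tracking keeps running until the delay elapses."""
        if self.flagged_stolen:
            raise PermissionError("flagged stolen: disable refused")
        self.disable_requested_at = now

    def displayed_status(self, now: int) -> str:
        """What the phone shows: 'disabled' as soon as it was requested."""
        self._settle(now)
        if not self.tracking_enabled or self.disable_requested_at is not None:
            return "disabled"
        return "enabled"

    def is_tracking(self, now: int) -> bool:
        self._settle(now)
        return self.tracking_enabled

    def owner_flags_stolen(self, now: int) -> bool:
        """Owner reacts inside the window: cancels the pending disable and
        marks the device so it locks on next contact with the service."""
        self._settle(now)
        if not self.tracking_enabled:
            return False            # window already closed
        self.flagged_stolen = True
        self.disable_requested_at = None
        return True

    def on_check_in(self, now: int) -> str:
        """Device contacts the service (e.g. powered back on after 72 h)."""
        self._settle(now)
        return "locked_pending_proof_of_ownership" if self.flagged_stolen else "ok"


def owner_reacts_in_time() -> dict:
    t0 = 1_700_000_000  # constructed timestamp
    dev = TrackedDevice("phone-A")
    dev.request_disable(t0)
    return {
        "displayed": dev.displayed_status(t0 + 60),
        "still_tracking": dev.is_tracking(t0 + 60),
        "flag_accepted": dev.owner_flags_stolen(t0 + 24 * 3600),
        "check_in_after_window": dev.on_check_in(t0 + 80 * 3600),
        "tracking_after_window": dev.is_tracking(t0 + 80 * 3600),
    }


def owner_misses_window() -> dict:
    t0 = 1_700_000_000  # constructed timestamp
    dev = TrackedDevice("phone-B")
    dev.request_disable(t0)
    return {
        "tracking_at_71h": dev.is_tracking(t0 + 71 * 3600),
        "tracking_at_72h": dev.is_tracking(t0 + 72 * 3600),
        "flag_accepted": dev.owner_flags_stolen(t0 + 73 * 3600),
        "check_in": dev.on_check_in(t0 + 73 * 3600),
    }
```

The second scenario is ZitchDog's objection in code: if the phone stays off for the whole window and the owner never flags it, the disable settles and the next check-in is treated as normal.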
~~~
netsharc
In the paranoid scenario this turns the mugging into a hostage situation
(unlikely, since that requires much more complicated logistics)...

Maybe Apple can also provide a duress password.

------
zensavona
Interestingly enough I was in Vietnam last week and had my iPhone XR snatched
out of my hands by a guy on a motorbike. I locked it immediately from my
partner's phone and noted that it had been immediately switched off. I figured
it was surely gone forever and pretty much straight away went and bought a new
iPhone.

When I was setting up my new phone I restored my latest backup from iCloud and
upon doing so, my old stolen phone was no longer trackable since iCloud
recognises the new one _as being the old one_.

Although I am far from an Apple fanboy, I feel that their phones are the
least-bad choice at the moment but I am really starting to question that after
this experience. Not very happy about that, Apple. I am interested to know if
by doing that the phone is now unlocked, or what the deal is, but I can't,
since it's no longer trackable.

~~~
Terretta
Don’t think this is correct. My list of devices is littered with the old
devices I restored backups from onto new devices. I have to do extra steps to
wipe and remove a device before it can be adopted by a new home.

That said, it is a pet peeve of mine that the new phone from old backup
workflow doesn’t prompt for a new device name or to rename the old device.
Reusing the name can be confusing if/when you still have both devices.

~~~
knd775
Yeah, I just checked my account and the phones that I didn't sell or send back
to Apple are all still in my account, despite all being on the same backup
chain.

I suspect that the user above fell victim to something similar to what was
mentioned in the article and had the device removed from their account that
way.

------
helloindia
Brian Krebs wrote two posts on the Phishing part.

https://krebsonsecurity.com/2017/02/iphone-robbers-try-to-iphish-victims/

https://krebsonsecurity.com/2017/03/if-your-iphone-is-stolen-these-guys-may-try-to-iphish-you/

Personally, I lost my iPhone 3 yrs ago; since then I have got many phishing
emails, which lead to an Apple-like website. I always type something like
"betterlucknexttime" for the password, just for fun.

~~~
Kurtz79
I'm always tempted to answer clear phishing or scam e-mails telling the
sender to FO, or follow the link to the predictably broken website for a
laugh, but then I think that it makes more sense to just move the email to the
spam folder and move on.

Why give further information to the scammer, even if it's just my IP address?

------
STRiDEX
Had my iPhone pickpocketed in Indio, CA and was relentlessly texted iCloud-
looking links. I spent the time to report a few of the fake iCloud websites to
their hosting provider, Hetzner. They took them down and that made me feel
slightly better. The phone did eventually call home; GPS said it was in China.

~~~
reaperducer
My wife's got swiped in Rome. Thanks to Find My iPhone we were able to watch
it end up in North Africa.

~~~
EForEndeavour
My spiteful side sorely wishes for a remote-meltdown feature that shorts the
battery or otherwise catastrophically destroys the phone.

------
neuralRiot
To make it "new" or virgin they need to replace the CPU and the baseband. I'm
not sure how they manage the secure enclave problem, as Touch ID is tied to
the CPU.

~~~
dashesyan
The article linked to a 34 minute YouTube video which demonstrated one unlock
method: they replaced a locked iPhone's CPU, baseband CPU, baseband EPROM,
NAND Flash (reprogrammed), and touch ID sensor with ones from a donor iPhone
and were able to restore iOS.

~~~
rasz
Except it's cheaper to just fix the donor iPhone that already has all the
listed components working.

~~~
londons_explore
Labour is cheap in Vietnam...

~~~
knd775
But the parts aren't. It simply does not make sense to go that route.

~~~
londons_explore
The parts are if you buy water damaged devices.

Water tends to kill the PCB (due to corrosion), but all the individual chips
will usually survive.

------
newnewpdro
Apple should have an under-duress alternative iCloud password which behaves
identically to the real password, but with all the changes totally reversible
using the real password, as well as silently alerting the authorities with
location tracking etc.

------
aurox
So basically; don't get mugged, don't click on weird links. Got it.

~~~
ASalazarMX
Oh, I see. I'll just yell "No one can mug me without my consent! It's
illegal!"

------
sytelus
TL;DR: The article says many people are being mugged at gunpoint to give away
their iPhone, and then scammers somehow reset the device for resale. They
describe 3 techniques to reset the device: (1) phish the victim, (2) fool an
Apple store manager, (3) reprogram the CPU. I don't see how any of these would
be effective. I would guess the mugger would simply ask for the password and
do it himself. The article needs technical review.

~~~
14
Well, if it is organized crime I could imagine they could use some sort of
coercion on the store manager. Or, even better, they could simply bribe a
store manager. But if there is a manager with the power to unlock, then he is
the weak point.

~~~
yardie
Walking into an Apple Store and threatening the manager is a quick way to end
up in prison for a long time. The stores are under heavy surveillance. Don’t
let the lack of guards fool you, they know who is doing what with loads of
face tracking.

~~~
hackermailman
Org crime would never walk into a place and start making threats; they would
approach the manager through somebody they both know in the community who
makes the bribe offer: 'just produce fake receipts, unlock the phone and pocket
$100 each time'. These stores are all over the world; it's probably not
impossible to convince the manager of a foreign Apple store in a highly
corrupt country, making peanuts, to reset iCloud logins on stolen US phones
that have been shipped over.

~~~
14
And if they did not take the bribe, then the next step would be coercion, and
again it would happen outside of the store. But my bet is there are plenty of
people out there willing to take the bribe for whatever reason. I think they
get about $65,000 USD salary on average according to Glassdoor. Plenty of room
to take offers for a better lifestyle.

------
jmkni
I have a question, if you remotely wipe your iPhone is it usable at that
point, or bricked?

If usable, couldn't a thief just steal your iPhone and wait for you to wipe
it?

~~~
yardie
Not really. The next time you try to activate it, the activation servers will
recognize it as being attached to an iCloud account and ask for your iCloud
password.

This is why resellers want it removed from iCloud and will visually confirm
it. You can get halfway through the setup process before realizing it’s still
locked to another account.

We learned the hard way, once, when returning a company phone.

------
petrikapu
When unlocked can they access the data?

~~~
olliej
What do you mean by access the data?

Activation lock affects the ability for the phone to be set up (i.e.
activated).

Actual data on the phone is encrypted to a set of keys, that are themselves
protected by the SEP, which checks the passcode, does the timer enforcement,
and increments counters, etc.

The moment the device is reset/wiped the keys are gone forever and the data
cannot be recovered (even if you took it apart and read the flash directly).

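A runnable model of the key hierarchy olliej describes (file keys wrapped by a class key that only a passcode-checking enclave can unwrap, escalating delays and an attempt counter, and a wipe that erases the enclave secret so the ciphertext left in flash is unrecoverable). This is an added illustration, not Apple's code or the real SEP: the SHA-256 counter-mode stream cipher with an HMAC tag stands in for hardware AES, and the 10-attempt limit, the PBKDF2 work factor and the delay schedule are assumptions.

```python
"""Illustrative model of the key hierarchy described above: file data is
encrypted to random keys, those keys are wrapped by a class key that only a
passcode-checking enclave can unwrap, and a wipe erases the enclave secret so
ciphertext left in flash is unrecoverable. Added example, not Apple's code;
the toy SHA-256 stream cipher stands in for hardware AES, and the attempt
limit and delay schedule are assumptions."""
import hashlib
import hmac
import secrets


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode); stands in for AES."""
    out = bytearray(len(data))
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        chunk = data[off:off + 32]
        out[off:off + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = _stream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _stream_xor(key, nonce, ct)


class Enclave:
    """Holds the device-unique secret (UID); checks passcodes, enforces
    escalating delays and an attempt counter, and erases itself on wipe."""
    MAX_ATTEMPTS = 10           # assumed limit
    PBKDF2_ITERATIONS = 20_000  # kept low for the demo

    def __init__(self) -> None:
        self.uid = secrets.token_bytes(32)   # never leaves the enclave
        self.salt = secrets.token_bytes(16)
        self.failed_attempts = 0
        self.locked_until = 0
        self.wiped = False

    def _kek(self, passcode: str) -> bytes:
        # passcode entangled with the UID: the KEK can only be derived here
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(),
                                   self.uid + self.salt, self.PBKDF2_ITERATIONS)

    def _delay_after_failure(self) -> int:
        # assumed schedule: no delay for the first 4 failures, then escalating
        return 0 if self.failed_attempts < 5 else 60 * (self.failed_attempts - 4) ** 2

    def wrap_class_key(self, passcode: str, class_key: bytes) -> bytes:
        return seal(self._kek(passcode), class_key)

    def unwrap_class_key(self, passcode: str, wrapped: bytes, now: int) -> bytes:
        if self.wiped:
            raise RuntimeError("enclave keys erased")
        if now < self.locked_until:
            raise PermissionError(f"locked until {self.locked_until}")
        try:
            class_key = unseal(self._kek(passcode), wrapped)
        except ValueError:
            self.failed_attempts += 1
            self.locked_until = now + self._delay_after_failure()
            if self.failed_attempts >= self.MAX_ATTEMPTS:
                self.wipe()
            raise PermissionError("wrong passcode")
        self.failed_attempts = 0
        return class_key

    def wipe(self) -> None:
        self.uid = None      # effaceable secret gone; KEK can't be rederived
        self.wiped = True


class Phone:
    def __init__(self, passcode: str) -> None:
        self.enclave = Enclave()
        class_key = secrets.token_bytes(32)
        self.wrapped_class_key = self.enclave.wrap_class_key(passcode, class_key)
        self.flash = {}   # path -> (wrapped file key, ciphertext), readable by anyone

    def write(self, passcode: str, path: str, data: bytes, now: int) -> None:
        class_key = self.enclave.unwrap_class_key(passcode, self.wrapped_class_key, now)
        file_key = secrets.token_bytes(32)
        self.flash[path] = (seal(class_key, file_key), seal(file_key, data))

    def read(self, passcode: str, path: str, now: int) -> bytes:
        class_key = self.enclave.unwrap_class_key(passcode, self.wrapped_class_key, now)
        wrapped_file_key, ciphertext = self.flash[path]
        return unseal(unseal(class_key, wrapped_file_key), ciphertext)


def demo() -> dict:
    phone = Phone("1234")
    phone.write("1234", "notes.txt", b"constructed secret note", now=0)
    read_ok = phone.read("1234", "notes.txt", now=0) == b"constructed secret note"

    # Wrong passcode repeatedly: escalating delays, then the enclave wipes.
    now, delays = 0, []
    while not phone.enclave.wiped:
        now = max(now, phone.enclave.locked_until)
        try:
            phone.read("0000", "notes.txt", now)
        except PermissionError:
            delays.append(phone.enclave.locked_until - now)

    # Ciphertext is still in flash, but nothing can unwrap it any more.
    try:
        phone.read("1234", "notes.txt", now)
        recoverable = True
    except RuntimeError:
        recoverable = False
    return {
        "read_ok": read_ok,
        "failures_before_wipe": len(delays),
        "first_delay": delays[0],
        "fifth_delay": delays[4],
        "ciphertext_still_in_flash": "notes.txt" in phone.flash,
        "recoverable_after_wipe": recoverable,
    }
```

The point of the model is the last two dictionary entries: reading `phone.flash` directly after the wipe still yields every byte of ciphertext, but with the UID erased the wrapping key can no longer be derived from any passcode, which is what makes a reset-then-resell phone empty of the previous owner's data.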
------
StreamBright
Can they bypass MFA?

~~~
NedIsakoff
Yes. It’s called a knife.

------
gok
tl;dr mostly by beating it out of their victims and relying on people feeling
bad about the plight of robbers.

~~~
SG-
It sounds like you didn't actually read the article tho.

~~~
mschuster91
He did, I believe. The question is, if I were a criminal and robbed someone at
gunpoint for their iPhone, would it make any sense to _not_ ask the victim
about their iCloud password at the same time? I'd still be going down for
armed robbery if caught, but if not caught I'd still be ahead, compared to
either paying over $150 for a corrupt Apple manager to unlock it or having the
bad luck of being recorded on Apple security cameras while spoofing the Genius
Bar employee with a fake invoice.

I don't care much about the repair industry; they can sell every part of a
phone, both legit or stolen, except the display and the logic board. The
display can't be resold anyway, as it will have been extensively scratched,
and the logic board rarely breaks.

~~~
jmkni
I legitimately don't know my iCloud password, it's in (and generated by) my
password manager, so if my phone asks me for it, I need to go to my PC and
open Keepass.

I'm a bit fucked if I get mugged!

~~~
snypox
That’s the best solution to the problem if you ask me. I wonder how a thief
would react to that response tho.

