GotoFail lives? Hackers claim compromise of Apple’s iCloud and Activation Lock, possibly via SSL bug

“A pair of hackers from the Netherlands and Morocco, identifying themselves as AquaXetine and MerrukTechnolog, claim to have compromised the security of Apple’s iCloud system for locking iOS devices,” Kelly Hodgkins reports for MacRumors.

“The hack will unlock stolen iPhones by bypassing Activation Lock, making it possible for thieves to resell the phones easily on the black market, reports Dutch publication De Telegraaf,” Hodgkins reports. “It also may provide hackers with access to Apple ID passwords and other personal information stored in Apple’s iCloud service.”

“The pair claim to be able to unlock a locked iPhone by placing a computer between the iPhone and Apple’s servers,” Hodgkins reports. “In this configuration, the iPhone mistakenly identifies the hacker’s computer as one of Apple’s servers and follows instructions provided by the nefarious computer to reverse activation lock on the handset. ”

Read more in the full article here.

“Mark Loman decided to do some investigating of his own and made a shocking discovery,” István Fekete reports for iPhone in Canada. “‘I was asked to look into a claim coming from hackers, that they ‘hacked’ iCloud,’ he tells iPhone in Canada. ‘These hackers did not want to talk about the vulnerability they are using but this vulnerability is actually a pretty big hole…'”

What Mark discovered is that Apple forgot step one: the basis of secure communication. When we contacted him for clarification, Mark pointed to the core issue: ‘The problem is with verifying the certificate. Apple appears to have deliberately left out this essential step required for proper secure communication. They fixed it last month for iOS but forgot to fix it for iTunes. But the jailbreak community is already making use of it — which is how I figured it out,'” Fekete reports. “Loman also questions whether this flaw was an accidental mistake or if it was possibly ‘done on purpose:’ ‘This is either a beginner’s mistake, or it was done on purpose,’ he tells Tweakers. ‘Intelligence agencies like the NSA can thus easily intercept all communication via iCloud.'”

“Also, the passwords are sent unencrypted not only when buying music on iTunes, but also when activating a new iOS device using iTunes. According to Mark Loman of Dutch security company SurfRight, the flaw only concerns Windows users, as OS X users are warned that the certificate is incorrect.”

Read more in the full article here.

Related articles:
Apple fixes OS X ‘GotoFail’ security flaw after four days of snowballing criticism – February 25, 2014
Apple releases OS X Mavericks 10.9.2 – February 25, 2014
Apple on OS X ‘GotoFail’ flaw: – February 25, 2014
Security expert captures all SSL traffic via Apple’s OS X ‘GotoFail’ flaw – February 25, 2014
Apple’s deafening silence on ‘GotoFail’ security flaw – February 24, 2014
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014


    1. IF this report is true, then it affects iPhone owners. The flaw may be an issue with Windows or an issue with iTunes on Windows, but if someone can bypass activation lock using iTunes on Windows, then all iPhone owners have just had the risk level raised as potential criminals now see all iPhones as valuable regardless of whether or not they’ve been locked since any Windows PC with iTunes can bypass the activation lock.

      Of course, this sounds like a temporary issue, that I hope gets resolved quickly. In the meantime, this is really disturbing:

    2. It makes me wonder if iTunes uses the OS network security layers. This makes sense since the issue does not exist on the Mac as the Mac OS itself is not vulnerable to this attack but unpatched Windows machines are.

      If the attackers are running an unpatched Windows OS that is vulnerable to this SSL attack as the interceding machine then there is little that Apple can do about it. Apple could issue an update to iTunes for Windows that forces users to unlock or authenticate an iPhone on a patched version of Windows, but Apple forcing users to update Windows itself is definitely going to cause backlash against Apple — even if it is really a Windows issue. And adept users can usually spoof the Windows version iteration to get by that constraint.

      Apple could try a double blind technique of issuing a false request to a specific Apple server and see what the response is, if it is not as expected from the Apple server (the unpatched Windows machine echoing back a non spoofed certificate) then iTunes can say the Windows machine cannot perform certain functions. However, that will only work until they update the hack to spoof the new Apple servers.

      The only way for Apple to really solve this issue is to re-write the network interface part of iTunes. Forget using any of the Windows APIs for this, write everything as direct. This will work until Windows changes something so it does not allow direct connections then the system breaks down and Apple gets blamed. Writing things to do direct interfaces (memory, video, network, etc.) is always hazardous as the OS allows a layer of abstraction, and if the OS changes or the underlying system changes then the OS takes care of that change. When your app goes direct then if the underlying system changes or the OS changes everything can break.

  1. Nothing transmitted digitally is private. Get used to it, if you have not already.

    The software design theories, network protocols, cultural and government institutions that got us here aren’t changing overnight or with a couple SSL patches. Maybe our children will enjoy a safe and secure Internet, but we aren’t going to see anything resembling that this decade.

    We are living in the Insecure Internet Age.

  2. This is really serious. Apple needs to act now.
    It was always a comforting thought I could make my iPhone useless to those maroccan streetrobbing scum bastards.
    Please, get the kill switch working again i don’t want those inbreeds utilizing my iCloud data….
    Stop making crime being profitable Apple…

  3. They didn’t want to discuss the vulnerability because most likely it doesn’t exist. A couple of attention seeking geeks are able to stir up a lot of fear. All they have to do is make a security vulnerability claim, and mention the NSA and they know the clicks will come.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.