
GotoFail lives? Hackers claim compromise of Apple’s iCloud and Activation Lock, possibly via SSL bug

“A pair of hackers from the Netherlands and Morocco, identifying themselves as AquaXetine and MerrukTechnolog, claim to have compromised the security of Apple’s iCloud system for locking iOS devices,” Kelly Hodgkins reports for MacRumors.

“The hack will unlock stolen iPhones by bypassing Activation Lock, making it possible for thieves to resell the phones easily on the black market, reports Dutch publication De Telegraaf,” Hodgkins reports. “It also may provide hackers with access to Apple ID passwords and other personal information stored in Apple’s iCloud service.”

“The pair claim to be able to unlock a locked iPhone by placing a computer between the iPhone and Apple’s servers,” Hodgkins reports. “In this configuration, the iPhone mistakenly identifies the hacker’s computer as one of Apple’s servers and follows instructions provided by the nefarious computer to reverse activation lock on the handset.”

Read more in the full article here.

“Mark Loman decided to do some investigating of his own and made a shocking discovery,” István Fekete reports for iPhone in Canada. “‘I was asked to look into a claim coming from hackers, that they ‘hacked’ iCloud,’ he tells iPhone in Canada. ‘These hackers did not want to talk about the vulnerability they are using but this vulnerability is actually a pretty big hole…’”

“What Mark discovered is that Apple forgot step one: the basis of secure communication. When we contacted him for clarification, Mark pointed to the core issue: ‘The problem is with verifying the certificate. Apple appears to have deliberately left out this essential step required for proper secure communication. They fixed it last month for iOS but forgot to fix it for iTunes. But the jailbreak community is already making use of it — which is how I figured it out,’” Fekete reports. “Loman also questions whether this flaw was an accidental mistake or if it was possibly ‘done on purpose:’ ‘This is either a beginner’s mistake, or it was done on purpose,’ he tells Tweakers. ‘Intelligence agencies like the NSA can thus easily intercept all communication via iCloud.’”

“Also, the passwords are sent unencrypted not only when buying music on iTunes, but also when activating a new iOS device using iTunes. According to Mark Loman of Dutch security company SurfRight, the flaw only concerns Windows users, as OS X users are warned that the certificate is incorrect.”

Read more in the full article here.

Related articles:
Apple fixes OS X ‘GotoFail’ security flaw after four days of snowballing criticism – February 25, 2014
Apple releases OS X Mavericks 10.9.2 – February 25, 2014
Apple on OS X ‘GotoFail’ flaw: – February 25, 2014
Security expert captures all SSL traffic via Apple’s OS X ‘GotoFail’ flaw – February 25, 2014
Apple’s deafening silence on ‘GotoFail’ security flaw – February 24, 2014
8 ways to stay safe online while Apple works to fix ‘Gotofail’ flaw – February 24, 2014
Reasons for delay in SSL fix to OS X unclear as a single line of code found responsible – February 24, 2014
Single line of code, but still no fix; former Apple security engineer Paget to Apple: ‘FIX. YOUR. SHIT.’ – February 24, 2014
Apple promises to fix OS X encryption flaw ‘very soon’ – February 23, 2014
Behind iPhone’s critical ‘GotoFail’ security bug, a single bad, really bad ‘goto’ – February 22, 2014
Protect a Mac from the SSL / TLS security bug (until fix arrives) – February 22, 2014
