In spring, 2017, a teenager walked up behind a woman leaving the Metro in Northeast Washington DC and put her in a chokehold: “Be quiet,” he said. And “delete your iCloud.” He grabbed her iPhone 6S and ran away.
Last month, there were a string of similar muggings in Philadelphia. In each of these muggings, the perpetrator allegedly held the victim up at gunpoint, demanded that they pull out their iPhone, and gave them instructions: Disable “Find My iPhone,” and log out of iCloud.
In 2013, Apple introduced a security feature designed to make iPhones less valuable targets to would-be thieves. An iPhone can only be associated to one iCloud account, meaning that, in order to sell it to someone else (or in order for a stolen phone to be used by someone new) that account needs to be removed from the phone altogether. A stolen iPhone which is still attached to the original owner’s iCloud account is worthless for personal use or reselling purposes (unless you strip it for parts), because at any point the original owner can remotely lock the phone and find its location with Find My iPhone. Without the owner’s password, the original owner’s account can’t be unlinked from the phone and the device can’t be factory reset. This security feature explains why some muggers have been demanding passwords from their victims.
The iCloud security feature has likely cut down on the number of iPhones that have been stolen, but enterprising criminals have found ways to remove iCloud in order to resell devices. To do this, they phish the phone’s original owners, or scam employees at Apple Stores, which have the ability to override iCloud locks. Thieves, coders, and hackers participate in an underground industry designed to remove a user’s iCloud account from a phone so that they can then be resold.
Making matters more complicated is the fact that not all iCloud-locked phones are stolen devices—some of them are phones that are returned to telecom companies as part of phone upgrade and insurance programs. The large number of legitimately obtained, iCloud-locked iPhones helps supply the independent phone repair industry with replacement parts that cannot be obtained directly from Apple. But naturally, repair companies know that a phone is worth more unlocked than it is locked, and so some of them have waded into the hacking underground to become customers of illegal iCloud unlocking companies.
In practice, “iCloud unlock” as it’s often called, is a scheme that involves a complex supply chain of different scams and cybercriminals. These include using fake receipts and invoices to trick Apple into believing they’re the legitimate owner of the phone, using databases that look up information on iPhones, and social engineering at Apple Stores. There are even custom phishing kits for sale online designed to steal iCloud passwords from a phone’s original owner.
There are three ways to remove an iCloud account from an iPhone:
- The password to the original owner’s iCloud can be entered to remove it, which a hacker could obtain via phishing.
- An Apple Store manager can override iCloud. Scammers can trick Apple Store managers into unlocking a device they don’t own.
- The iPhone’s CPU can be removed from the Logic Board and reprogrammed to create what is essentially a “new” device (this is very labor intensive and rare. It is generally done in Chinese refurbishing labs and involves stealing a “clean” phone identification number called an IMEI.)
- Each of these methods are used to unlock specific devices and resell them, though some methods are far easier and more widely used than others.
- “Not every iCloud-locked phone is a stolen device,” RootJunky, an instructor at Phonlab, a company that teaches smartphone repair shops about software-related issues in the industry, told Motherboard. “But every method for removing iCloud involves illegal activity.”
WHEN THIEVES’ HANDS ARE TIED
iPhones are convenient target for thieves because they’re worth hundreds of dollars, plentiful, and easy to carry and hide. But thieves can run into several technical obstacles once they get hold of the phone. Many owners use the device’s Find My iPhone feature, which lets a customer log into an Apple website and easily see their phone’s precise location on a map, as well as remotely lock their device, which makes it much harder to resell, and worth much less than an unlocked, factory-reset phone. Although law enforcement officers can’t always act on this information, Find My iPhone has contributed to the arrests of phone thieves. Activation Lock, a related feature, means the phone can only be erased, used, or reactivated upon entering the owner’s device pincode or their iCloud password.
To be clear, “iCloud lock” and a device’s passcode are two different things. The iPhone passcode will unlock the screen, whereas the iCloud password can be used to remove features such as Find My iPhone, Activation Lock, and to associate the phone with a new Apple account, which is critical when a phone is resold.
There are many listings on eBay, Craigslist, and wholesale sites for phones billed as “iCloud-locked,” or “for parts” or something similar. While some of these phones are almost certainly stolen, many of them are not. According to three professionals in the independent repair and iPhone refurbishing businesses, used iPhones—including some iCloud-locked devices—are sold in bulk at private “carrier auctions” where companies like T-Mobile, Verizon, Sprint, AT&T, and cell phone insurance providers sell their excess inventory (often through third-party processing companies.)
When the owner of a phone returns it to their cell phone provider as part of a phone upgrade or insurance claim, the employee who collects it is trained to ask that customer to remove iCloud from the device, according to spokespeople from AT&T and T-Mobile. But this doesn’t always happen, meaning that carriers and insurance companies get stuck with iCloud-locked phones. Motherboard could not determine whether any carriers currently have the ability to independently remove iCloud lock from iPhones, or whether Apple ever helps carriers remove iCloud at scale. AT&T and T-Mobile ignored specific questions about whether it has the ability to unlock phones, and Sprint and Verizon did not respond to a request for comment. According to two sources in the iPhone refurbishing community who have bought iCloud-locked phones from telecom auctions, mobile carriers want the ability to unlock phones, but Apple likely has little incentive to encourage the secondary market for iPhones……Read more>>