
How the iPhone Activation Lock hack works


Alex Heath (5:00 am PDT, May 23rd 2014)


image: http://cdn.cultofmac.com/wp-content/uploads/2014/05/20140522_findmyphone_0013-final-640x473.jpg

Hackers have discovered an exploit that makes it easy to defeat the Activation
Lock on iPhones. Photo: Jim Merithew/Cult of Mac

The recently revealed exploit that allows anyone to bypass the iPhone's Activation Lock
system is a rather simple process that requires adding just a single line to the hosts file
of a computer running iTunes.
The exploit, which is called DoulCi (iCloud backward), has already been used
thousands of times on locked iPhones and iPads around the world. It's the work of a pair
of anonymous hackers, who cracked Apple's theft-deterrent measure by tricking lost or
stolen iOS devices into thinking they are being reactivated by Apple's servers.
Introduced in iOS 7, Activation Lock is designed to render a lost or stolen iPhone useless
unless it is recovered by its proper owner. It's a powerful tool designed to help protect
iPhone owners who fall victim to street thieves who find Apple products irresistible.
When Apple's Find My Phone app is turned on, an iDevice can be tracked by its owner
through iCloud.com and remotely wiped if necessary.

Say a thief snatches an iPhone, it gets remotely wiped by the owner, and the thief
attempts to restore the iPhone so it can be used again as a new device. That's when
Activation Lock comes into play. During the setup process after a restore, the Apple ID
and password originally associated with the device need to be entered. If that login info
can't be provided, the iPhone can't be reactivated with Apple's iCloud servers. You have
a bricked iPhone that can't get past the initial setup. All it's good for is spare parts.
By performing what is commonly referred to as a man-in-the-middle attack, the DoulCi
exploit intercepts web traffic between the iPhone and Apple's servers.

Here's how DoulCi works


1) The first step is to edit your computer's hosts file and add a line that points to
DoulCi's server. The IP address of DoulCi's server, 188.226.251.76, is simply copied and
pasted at the bottom of the hosts file, like so:

image: http://cdn.cultofmac.com/wp-content/uploads/2014/05/Screen-Shot-2014-05-22-at4.24.29-PM-640x446.jpg

The hosts file maps domain names to IP addresses, directing the computer's network
traffic. An entry in the hosts file takes precedence over the public and private DNS
servers that are normally used to resolve names. Usually you should leave the hosts file
alone, but it's sometimes edited to override the computer's DNS resolution, manually
rerouting addresses to block spam or malicious software.
Obviously, modifying the hosts file is a potential security risk. It might not be a good
idea to route your data through a shady IP address controlled by a pair of
anonymous hackers. Luckily, modifying the hosts file isn't super easy. It's a multistep
process that varies depending upon which operating system you are using. Here's a
good overview of how to edit the hosts file on different Mac and Windows systems.
2) The lost/stolen iPhone is then plugged into a Mac or PC running iTunes and put
into DFU/Recovery mode. To do this, turn off the device. Turn it back on, holding down
the Sleep/Wake button for three seconds, and then, without releasing the Sleep/Wake
button, begin holding the Home button for an additional 10 seconds. Release the
Sleep/Wake button but keep holding the Home button until iTunes recognizes your
device and Recovery mode begins. iTunes will restore the iPhone to a blank state, and
the normal setup process begins while the iPhone is connected to the computer with
iTunes open.
3) This is where things get shady. When the device attempts to contact Apple's server to
see if it needs to be activated, the line added to the hosts file reroutes the request to
DoulCi's servers instead. The iPhone thinks it's talking to Apple when it's really talking
to the hackers' server.

At this point, the hackers running DoulCi's servers could capture device info, such as
serial numbers and other unique identifiers. However, security researcher and iOS
hacker Steven De Franco told Cult of Mac that no credit card or other personal
information tied to the original owner can be swiped. "Unless they have access to
Apple's database, they can't do much," he said. "Even then I think the most they
could pull up is billing info." Besides, if the device being unlocked was stolen in the first
place, the person using the exploit likely doesn't care about sharing its serial number
with a mysterious server.
4) After the DoulCi servers have spoofed the activation request, the iPhone is good to go
as though it has been authenticated with the owner's Apple ID login. Sort of.
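The defensive counterpart to step 1 is checking whether a machine's hosts file already carries such an override. The scanner below is an added example, not code from the article or from DoulCi: it parses hosts-file syntax and flags any Apple hostname mapped to a non-local address (loopback and unspecified entries are treated as ordinary blocking entries). The sample hosts text and its Apple hostnames are constructed placeholders; only the 188.226.251.76 address comes from the article, and the watched zones are an assumption.

```python
"""Scan a hosts file for entries that redirect Apple hostnames to other servers.

Added example, not from the article or DoulCi. The sample hosts text is
constructed; only the 188.226.251.76 address comes from the article.
"""
import ipaddress

# Assumption: Apple-owned zones whose hostnames should never be overridden.
WATCHED_ZONES = ("apple.com", "icloud.com")

# Constructed sample; the Apple hostnames are placeholders, not real endpoints.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       metrics-host.apple.com    # sinkholed: blocks, does not redirect
188.226.251.76  activation-host.apple.com # DoulCi-style override
0.0.0.0         ads.example.net
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in the file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comment, tokenize
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address, skip
        for name in fields[1:]:
            yield line_no, addr, name.lower().rstrip(".")

def in_watched_zone(name, zones=WATCHED_ZONES):
    return any(name == z or name.endswith("." + z) for z in zones)

def find_overrides(text, zones=WATCHED_ZONES):
    """Return hosts-file lines that send a watched hostname to a remote IP."""
    hits = []
    for line_no, addr, name in parse_hosts(text):
        if not in_watched_zone(name, zones):
            continue
        # Loopback/unspecified sinkholes a name (blocking); any other address
        # hands the traffic to a server chosen by whoever wrote the line.
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append({"line": line_no, "host": name, "ip": str(addr)})
    return hits
```

Run it over the real file (/etc/hosts on macOS, the drivers\etc\hosts file on Windows) instead of SAMPLE_HOSTS to audit a machine; any hit is a line worth explaining.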

The SIM card problem


The catch is that after the exploit, the iPhone's SIM card won't be recognized. The SIM is
blocked because iOS has been tricked into thinking it has been activated, while the
iPhone's baseband (the firmware that communicates and authenticates the device with
the carrier) has not. The iPhone won't connect to a wireless carrier but can be used for
all other functions.
The hackers behind DoulCi told Cult of Mac their technique works on all iOS devices.
They claim to have a fix for the SIM-blocking issue in the works.
Apple has not responded to Cult of Mac's requests for comment.
Read more at http://www.cultofmac.com/280450/heres-easy-hack-past-applesactivation-lock-missing-iphone/#dJJszMMheXVAPqgX.99
