How the iPhone Activation Lock hack works

By

Find My iPhone
Find My iPhone app in the news.
Photo: Jim Merithew/Cult of Mac

The recently revealed exploit that allows anyone to bypass the iPhone’s Activation Lock system is a rather simple process that requires adding just a single line of code to a computer running iTunes.

The exploit, which is called DoulCi (“iCloud” backward), has already been used thousands of times on locked iPhones and iPads around the world. It’s the work of a pair of anonymous hackers, who cracked Apple’s theft-deterrent measure by tricking lost or stolen iOS devices into thinking they are being reactivated by Apple’s servers.

Introduced in iOS 7, Activation Lock is designed to render a lost or stolen iPhone useless unless it is recovered by its proper owner. It’s a powerful tool designed to help protect iPhone owners who fall victim to street thieves who find Apple products irresistible. When Apple’s Find My Phone app is turned on, an iDevice can be tracked by its owner through iCloud.com and remotely wiped if necessary.

Say a thief snatches an iPhone, it gets remotely wiped by the owner, and the thief attempts to restore the iPhone so it can be used again as a new device. That’s when Activation Lock comes into play. During the setup process after a restore, the Apple ID and password originally associated with the device needs to be entered. If that login info can’t be provided, the iPhone can’t be reactivated with Apple’s iCloud servers. You have a bricked iPhone that can’t get past the initial setup. All it’s good for is spare parts.

By performing what is commonly referred to as a man-in-the-middle attack, the DoulCi exploit intercepts web traffic between the iPhone and Apple’s servers.

Here’s how DoulCi works

1) The first step is to edit your computer’s hosts file and add a line of code that points to DoulCi’s server. The IP address of DoulCi’s server, 188.226.251.76, is simply copied and pasted at the bottom of the hosts file, like so:

Screen Shot 2014-05-22 at 4.24.29 PM

The hosts file maps IP addresses to domain names, directing the computer’s network traffic. The hosts file takes precedence over the public and private DNS servers that are used to map IP addresses. Usually you should leave the hosts file alone, but it’s sometimes edited override the computer’s DNS system, manually rerouting IP addresses to block spam or malicious software.

Obviously, modifying the hosts file is a potential security risk. It might not be a good idea to route your data through a shady IP address controlled by a pair of anonymous hackers. Luckily, modifying the hosts file isn’t super easy. It’s a multistep process that varies depending upon which operating system you are using. Here’s a good overview of how to edit the hosts file on different Mac and Windows systems.

2) The lost/stolen iPhone is then plugged into a Mac or PC running iTunes and put into DFU/Recovery mode. To do this, turn off the device. Turn it back on, holding down the Sleep/Wake button for three seconds, and then — without releasing the Sleep/Wake button — begin holding the Home button for an additional 10 seconds. Release the Sleep/Wake button but keep holding the Home button until iTunes recognizes your device and Recovery mode begins. iTunes will restore the iPhone to a blank state, and the normal setup process begins while the iPhone is connected to the computer with iTunes open.

3) This is where things get shady. When the device attempts to contact Apple’s server to see if it needs to be activated, the line added to the hosts file reroutes the ping through DoulCi’s servers instead. The iPhone thinks it’s talking to Apple when it’s really talking to the hackers’ server.

The iPhone thinks it’s talking to Apple when it’s really talking to DoulCi.

At this point, the hackers running DoulCi’s servers could capture device info, such as serial numbers and other unique identifiers. However, security researcher and iOS hacker Steven De Franco told Cult of Mac that no credit card or other personal information tied to the original owner can be swiped. “Unless they have access to Apple’s database, they can’t do much,” he said. “Even then … I think the most they could pull up is billing info.” Besides, if the device being unlocked was stolen in the first place, the person using the exploit likely doesn’t care about sharing its serial number with a mysterious server.

4) After the DoulCi servers have spoofed the activation request, the iPhone is good to go as though it has been authenticated with the owner’s Apple ID login. Sort of…

The SIM card problem

The catch is that after the exploit, the iPhone’s SIM card won’t be recognized. The SIM is blocked because iOS has been tricked into thinking it has been activated, while the iPhone’s baseband (the firmware that communicates and authenticates the device with the carrier) has not. The iPhone won’t connect to a wireless carrier but can be used for all other functions.

The hackers behind DoulCi told Cult of Mac their technique works on all iOS devices. They claim to have a fix for the SIM-blocking issue in the works.

Apple has not responded to Cult of Mac’s requests for comment.

Newsletters

Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.