Apple’s Activation Lock Website Played Key Role in Hack, Perhaps Explaining its Removal

Apple recently removed the Activation Lock status checker from its website, giving no explanation as to why a seemingly useful tool was eliminated. The Activation Lock website was designed to make sure a used device being purchased wasn't locked with Activation Lock, rendering it unusable.

As it turns out, the Activation Lock website was a vital part of a bypass hack used to unlock devices bricked by Activation Lock, perhaps hinting at why Apple shelved it.

The process is demonstrated in the video below. By changing one or two characters of an invalid serial number, hackers are able to generate a valid serial number, using the Activation Lock tool for verification purposes to make sure it's functional. That valid number, which belongs to a legitimate device owner, can then be used to unlock a previously non-functional iPhone or iPad.

Activation Lock website verification starts at 5:25 in the video

The Activation Lock scheme that steals valid serial numbers from existing iOS users potentially explains a mysterious Apple ID bug that's been plaguing iPhone owners for months.

When attempting to activate a new or recently restored device, some iPhone owners have found their devices inexplicably locked to another Apple ID account - one with an unknown name and password. The problem has been affecting iPhone 6s, 6s Plus, 7, and 7 Plus models since September and can only be fixed by Apple.

Apple has not confirmed that the hack shown in the video is related to the Apple ID Activation Lock bug, but as the hack uses valid serial numbers from existing owners, it's a plausible theory. If the two are linked, it explains why the Activation Lock website was shut down so suddenly, and it should put an end to the Apple ID issue.

Introduced alongside iOS 7, Activation Lock has proven to be a successful theft deterrent. It effectively locks an iOS device to a user's Apple ID account and even when wiped, the device will continue to require an original Apple ID and password. Activation Lock is extremely difficult to bypass and has led to complicated hacks like the one in the video above to attempt to get around it.

It's not clear if Apple will provide a new Activation Lock website for customers who used it legitimately, but unless the company comes up with a method to prevent it from being misused, it seems unlikely.

Related Roundup: iPhone 7
Tag: Activation Lock

Discuss this article in our forums

Apple Removes Tool to Check if an iPhone or iPad is Activation Locked

Apple has removed its Activation Lock status checker on iCloud.com at some point in the past few days. The tool enabled users to enter the serial number or IMEI of an iPhone, iPad, or iPod touch and find out if the device is secured with Activation Lock, helping buyers avoid purchasing a device locked to another user.

checkactivationlockstatus
A user purchasing a used iPhone on eBay or another website, for example, was able to request the device's serial number and use Apple's tool to verify that Activation Lock had been turned off. If the device was still locked, or if the seller refused to provide the serial number, then it was likely lost or stolen.

The iCloud page where the tool was available now returns a "Not Found" page aka 404 error. Apple also removed the following reference to the tool from a related Find My iPhone support document earlier this week:
How do I check for Activation Lock before purchasing a used device?

When you buy an iPhone, iPad, iPod touch, or Apple Watch from someone other than Apple or an authorized Apple reseller, it is up to you to ensure that the device is erased and no longer linked to the previous owner’s account.

You can check the current Activation Lock status of a device when you visit icloud.com/activationlock from any Mac or PC.
Apple has not explained why it removed the page. The company did not immediately respond to a request for comment.

Activation Lock, enabled automatically when you turn on Find My iPhone, is designed to prevent anyone else from using your iPhone, iPad, iPod touch, or Apple Watch if it is ever lost or stolen. A device with Activation Lock enabled requires the owner's Apple ID and password before it can be used, even if it is erased or reactivated.

Last year, a number of users who purchased a brand new iPhone experienced an Activation Lock issue where their device was locked to someone else's Apple ID. Apple disabled Activation Lock for affected users upon being provided proof of purchase, but it is unclear if the strange issue factored into the page's removal.

Activation Lock was introduced alongside iOS 7. The tool to check the Activation Lock status of a device had been available since October 2014.


Discuss this article in our forums