How Stolen iOS Devices Are Unlocked

Published: 2016-10-21
Last Updated: 2016-10-21 14:36:41 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

For a number of years now, Apple has been implementing "Activation Lock" and "Find my iPhone" to deter the theft of iOS devices. According to some statistics, this effort has had some success. But with millions of users carrying devices costing $500 and more loosely secured in their pockets, mobile devices far exceed the value of an average wallet.

Activation Lock links a device to a user's iCloud account. If a user configures a new device, the user is asked for iCloud credentials or offered to set up a new iCloud account. A device can not be activated without providing this information. If you sell or pass on a device, deleting the data from the device is not sufficient, but you will also have to remove the link to your iCloud account, for example by turning off "Find My iPhone." Changing the setting always requires at least a password (and if configured two-factor authentication). Biometrics can be used to unlock the phone, but it can not be used to remove the iCloud link.

But iOS devices are still being stolen, and thieves have come up with some rather ingenious methods to unlock them:

1 - Phishing E-Mails

If you lose track of an iOS device, you have the option to register it as stolen via "Find my iPhone." Once the device is found, you will receive an e-mail or a pop-up on another iOS device. Thieves have used this technique to phish the owner's iCloud credentials. If they are aware of the owner's phone number or e-mail address (it is often displayed as part of the "Lost Phone" message), then they will send a "Found" e-mail to the address or an SMS to the phone number claiming that the phone has been found. The user is then sent to an iCloud look alike site which is asking the user to log in. The attacker will then use the harvested credentials to unlock the phone. [1]

2 - Purchase Offer

Making an offer to buy your device is probably the most brazen approach. The "finder" of the phone will contact the displayed phone number, and offering you to buy the phone from you. Making a purchase offer is in particular popular if the phone was found in a foreign country and the owner is already back home. Shipping the phone back to the owner would often be quite expensive. The finder then asks the owner to unlock the phone before payment is received to "proof" that the owner is legitimate.

3 - Password Resets

In many cases, your phone is critical to reset your password because you configured various sites (including iCloud) to use SMS messages to your phone for reset codes. On a locked phone, SMS messages may still appear on the screen, so will many messages from other applications (like iMessage, Whats App). An attacker can also remove the SIM card from a phone and plug it into another phone to receive messages unless your SIM card is secured with a PIN code.

How to Secure Your Devices

- Set up two-factor authentication

Apple offers two-factor as well as two-step authentication. If you enable it, make sure you keep the recovery code in a safe place. Apple does not offer a way to "turn off" two-factor authentication if you lose your recovery options. This can be the case in particular if your iPhone is lost/stolen and the only device you configured for two-factor authentication. Try to setup multiple devices to receive the code so you have a backup. [4]

- Enable "Find my iPhone."

This will allow you to locate a lost device if the device is connected to a network (WiFi or Cellular). You should also configure the feature to transmit its location before the device runs out of power.

- Limit messages displayed on the lock screen

You can configure what is displayed on the lock screen for each application. It may be ok to see things like news items, but you should not display e-mail content, SMS messages or output from other messaging applications like Skype.

- Protect your SIM card with a PIN

I find that in the US, most SIM cards arrive unlocked. In Europe, SIM cards are often locked via a PIN. But even if your SIM card is not locked, you can usually configure a PIN for it. Before you do so, make sure that you have the current PIN code (usual default is 1111 or 234) and the PUK code, which can be used to recover a locked card. In many cases, you can look it up on your carrier's website, or it may be included with your SIM card. Write the PUK down and keep it in a safe place. Your phone will allow you to configure a new PIN (but the PUK is fixed). Now you will have to enter the PIN whenever you power up the phone or whenever you remove the SIM cards and plug it into a new phone.

- Test "Lost my iPhone."

It is important to test the "Lost my iPhone" feature to make sure you have it setup correctly. See this article at Macrumors for more details [3].



Johannes B. Ullrich, Ph.D.

1 comment(s)


Lost mode requires an iOS device that meets the minimum system requirements. You can lock your Mac or iOS 5 device, but you can't track it. If you lock your Mac, it cannot be found if it is not near a previously used Wi-Fi network, and you cannot remotely change the password, unlock it, or delete it

Diary Archives