By Roger Fingas
Monday, January 30, 2017, 12:01 pm PT (03:01 pm ET)
Apple’s removal of the iCloud Activation Lock status page last week was likely connected to hacks letting people bypass the Activation Lock system, a report noted on Monday.
By changing one or two characters in an invalid serial number, it becomes possible to stumble across a value that will crack a bricked Apple device. The status check page made this a realistic option, since hackers could simply keep plugging in new characters there until they found something that worked.
The flaw, first a href=”http://www.macrumors.com/2017/01/30/activation-lock-website-used-in-hack/”>pointed out by MacRumors might also explain some glitches encountered since September, in which people suddenly find their devices locked to an unknown Apple ID and can’t regain control without Apple’s help.
Complaints along those lines have revolved around the iPhone 6s, 7, and their Plus equivalents, but could conceivably apply to any device with Activation Lock, such as an iPad, iPod touch, or Apple Watch.
Online Activation Lock checks previously made buying a used Apple device more reliable, since shoppers could ask for an IMEI or serial number and verify it before sending any money. Without that system, the only way of checking is in person, which probably isn’t an option if the seller is in another city or a buyer is worried about being robbed.
The black market could take advantage of the new situation, since thieves can more easily unload stolen goods.
Other Activation Lock vulnerabilities have been exposed in the past. In November, a researcher showed that it was possible to bypass the system on an iPad by flooding Wi-Fi logins with long character strings and repeatedly opening and closing a Smart Cover.