Your iPhone Gets Stolen. Then the Hacking Begins | WIRED
Overview
Every year, millions of phones are stolen. While thousands of iPhones are shipped to China and broken down for parts, criminals can make more money selling a device that has been unlocked and wiped. Now researchers have unpicked part of the underground web of cybercrime services that can help provide access to stolen iPhones.
Across the web and on Telegram, there’s a “thriving” ecosystem of software sellers helping power the market for stolen iPhones by providing “unlocking” tools and the technology to produce phishing messages to help get access to a phone, according to findings from researchers at cybersecurity firm Infoblox. The company says it has tracked “dozens” of groups selling unlocking tools, mostly with a focus on iPhones, and has linked more than 10,000 phishing websites to the activity. Traffic to these domains increased 350 percent last year, the researchers say.
Details
“Reselling is a hundred percent what they’re going for,” says Maël Le Touz, a staff threat researcher at Infoblox, who says people from all around the world appear to be buying access to the pay-per-use software. The average cost is below $10. “Most of the people looking to unlock phones clearly don’t have thousands of phones in their hands—they’re not at that scale,” Le Touz says.
Over the last few years, the number of phones being stolen has risen—for example, with around 80,000 devices being taken in London in one year. While Apple and Google have improved their protections for stolen devices, a variety of more- and less-sophisticated thieves can still make money from stolen handsets: If a phone is unlocked or a thief has its passcode, they can potentially steal money from online bank accounts or crypto wallets; those snatching phones on the streets or in bars can make hundreds of dollars selling them on.
“Phone thieves don’t just want the handset—they want access to bank accounts and personal information,” says Will Lyne, the head of economic and cybercrime at London’s Metropolitan Police. Lyne highlights one case of four men who had been caught handling more than 5,000 stolen phones and spending money from financial accounts on the devices.
Dan Guido, the CEO and cofounder of security firm Trail of Bits and a strategic adviser to mobile security firm iVerify, says a stolen phone may only be worth
Security researchers at Infoblox started looking into the stolen-phone unlocking economy earlier this year when a law-enforcement-related contact in Asia messaged them saying their iPhone had been stolen and they had received a phishing message after including alternative contact details on the locked device. A link in the phishing page mimicked an Apple Find My page and showed a false map with the phone’s location—it then showed a pop-up asking for the phone’s PIN code.
Numerous people online, as well as the Swiss National Cybersecurity Center, have reported receiving phishing messages after losing or having their iPhones stolen, with the attackers aiming to get access to Apple iCloud accounts and remove them from phones. “To make the messages look convincing, they include accurate details of the missing device—such as its model, colour, and storage capacity—which the scammers can read directly from the phone itself,” the Swiss body wrote in November. “As there is no known way to bypass this lock, tricking the owner through social engineering is the only realistic option for criminals.”
While they sell different tools, Infoblox’s Le Touz and Elena Puga write in their research, three features are common: unlocking tools that claim to jailbreak older iPhones or Android devices and pull owner information from phones; phishing kits referred to as “Find My iPhone Off” that can be used to access accounts; and scripts and AI voice calling software to run the phishing operations.
“What you need, first of all, is physical access to the phone,” Le Touz says. If jailbreaks do not work, some of the systems can be used to launch phishing attacks and collect unlocking information. “All the tools we analyzed wipe the device by default as soon as access is attained,” the researchers write in their report.
A video obtained by the researchers shows software called iRealm generating phishing links and pages mimicking Apple services. Other posts linked to iRealm mention features such as “Find My iPhone nullified,” advertise “scripts” that mention Apple Pay, and say the software can provide a “seamless experience” for “accessing and unlocking Apple devices.”
“Hello I have a dozen blocked iPhone limited to the owner,” one person posted in the group of another unlocker, before asking if it’s possible to turn off Find My on the devices. In another group, someone said the unlocking tool they used worked on the first phone they tried but not the second one. In other Telegram groups, members post screenshots of phishing text messages saying iPhones have been turned on or connected to the internet.
While the services do not explicitly mention use for stolen devices, experts say the incorporation of phishing tools within some services indicates they are likely not meant for legitimate purposes. “There’s plenty of means to unlock your own phone through legitimate use of your Apple ID,” says Guido, of Trail of Bits, who has had a friend targeted with phishing after having their iPhone stolen in a bar. “Apple’s provided the right pathway for people that legitimately can't get into their own devices, but these things serve no purpose for someone who's legitimately trying to do that.”
After WIRED contacted Telegram about the phone unlocking channels, the company appeared to remove half a dozen groups linked to the services. “Phishing and the promotion of tools that enable it can and does happen through every method of communication from messengers to email to phone calls,” says a Telegram spokesperson. They did not directly address the removals but say the platform has “industry-leading moderation.”
Apple did not respond to WIRED’s request for comment by the time of publication. In recent years, the company has continued to improve device security, making most jailbreaks obsolete and hardening newer iPhones against attacks. The company has also introduced Stolen Device Protection, making it harder for thieves to make changes on phones—although this setting may not be turned on by default.
As the London Metro Police’s Lyne advises: “Simple steps such as activating built‑in anti‑theft features, keeping software updated and using strong passwords, plus being aware of your surroundings when using phones in public can significantly reduce the harm caused if a phone is stolen.”
Key Takeaways
- Every year, millions of phones are stolen
- Across the web and on Telegram, there’s a “thriving” ecosystem of software sellers helping power the market for stolen iPhones by providing “unlocking” tools and the technology to produce phishing messages to help get access to a phone, according to findings from researchers at cybersecurity firm Infoblox
- “Reselling is a hundred percent what they’re going for,” says Maël Le Touz, a staff threat researcher at Infoblox, who says people from all around the world appear to be buying access to the pay-per-use software
- Over the last few years, the number of phones being stolen has risen—for example, with around 80,000 devices being taken in London in one year
- “Phone thieves don’t just want the handset—they want access to bank accounts and personal information,” says Will Lyne, the head of economic and cybercrime at London’s Metropolitan Police



