ianfNovember 11, 2015 3:47 PM

This part of that clever MITM method caught my ATTN.

               The catch is that after the exploit, the iPhone’s SIM card won’t be recognized. The SIM is blocked because iOS has been tricked into thinking it has been activated, while the iPhone’s baseband (the firmware that communicates and authenticates the device with the carrier) has not. The iPhone won’t connect to a wireless carrier but can be used for all other functions.

As per the law of unintended consequences, doesn't it sound a bit like Answered Prayers for those who'd like to harden their iPhone5, iPhone6 and newer into carrier-deaf iPod Touch-like devices, capable only of communication via wire and/or on demand easily turned off/ near-permanently airplane-mode WiFi & BT? Because that's what it sounds to me, and a perfectly legal way to hobble one's unit to deny it being tracked and "smurf-invaded" in this fashion.

    (For those unfamiliar with iOS, for purely commercial reasons the 'Touch has remained on the level of almost 5 years old iPhone4S, and without proper GPS-triangulation; it is unknown whether Apple will come out with an upgraded larger-screen no-SIM version of iTouch6 or later).

Won't workNovember 11, 2015 7:53 PM

As posted, this exploit will do NOTHING. Simply adding an IP to the hosts file won't get you anywhere, because it needs to be associated with a hostname.

rgaffNovember 11, 2015 8:12 PM

Indeed, as "@Won't work" said, the exploit listed is incomplete, it needs more work to figure out what host name to point to the IP address... (as well as what's going on at that IP address for full disclosure of what's going on)

Also, modifying your hosts file isn't a "MITM attack"... this is simply the Domain Name System (DNS) working as intended. If you're using host name lookups like that for security, you're doing it wrong.

Now there is a remote possibility this is actually a kind of "fail open" issue, where once you intercept the activation check, and it's not working, the phone just prefers to open up and unlock, rather than brick itself in all sorts of bad network conditions for legitimate users. But the article doesn't make this clear, it kind of makes it sound more like some sort of special "magic" was invented and is running at that IP address instead...

rgaffNovember 11, 2015 8:20 PM

Calling modifying your hosts file a "MITM attack" is like calling losing your keys and someone finding them and opening your door with them a "design flaw in the keys"... um.. no? This doesn't mean that there couldn't be something else invented that isn't so easily lost that we should all switch to instead of old fashioned keys, but you still don't blame key manufacturers for your forgetfulness!

keinerNovember 12, 2015 1:01 AM


One of Steves disciples, huh?

Lame comparisons as usual with these Apple fan boys...

rgaffNovember 12, 2015 2:04 AM

@ keiner

lol... I don't need to be a Steve disciple to call modifying the /etc/hosts file what it is... i.e. NOT criminal activity!!! This is normal activity that most Linux users do all the time (and a rare Mac user does too yeah).

And when I read how he actually acted and treated people (throwing chairs across the room in a tantrum, really?), I lean more toward the villain description than the hero one.

Erm...November 12, 2015 3:53 AM


I don't think Bruce meant that the modification of the hosts file makes it a MITM attack. As the iPhone is tricked into believing that it's contacting genuine Apple servers (by an intervening party) then that has all the hallmarks of a classic MITM.

johnsNovember 12, 2015 5:34 AM

This is what TLS is for and I can't believe Apple isn't using it for this call home. It's like leaving your front door wide open and saying someone was clever by going through it.

Erm...November 12, 2015 6:26 AM


This story is well over a year old; they probably do use TLS now - although they should always have done so in my opinion. However, from the sketchy details in the article, it probably wouldn't have made a difference if I read it correctly. Certificate pinning on the other hand would have helped.

rgaffNovember 12, 2015 9:49 AM


"iPhone is tricked into believing that it's contacting genuine Apple servers (by an intervening party"

What do you think modifying the /etc/hosts file does? It redirects the traffic from one party (apple's servers) to another. What other action is performing said "MITM attack"?

All I'm objecting to is classifying normal ordinary activity as criminal activity. This is the kind of activity that every firewall maintainer and sysadmin performs on a regular basis. Should they all be hauled off to prison for "MITM attacking" their own stuff? I should never ever be classified a criminal for doing ANYTHING I WANT with the traffic of my own devices on my own network.

Erm...November 12, 2015 10:24 AM


The Activation Lock is to prevent a stolen device from being reactivated by an unauthorized third party thus the people requiring this workaround wouldn't be acting with a legitimate purpose.

I don't dispute that you should be allowed to do what you please with your own device but this workaround seems to be of use only to criminals.

rgaffNovember 12, 2015 12:15 PM


"I don't dispute that you should be allowed to do what you please with your own device but this workaround seems to be of use only to criminals."

I can concede your point here. But the solution isn't to demonize every sysadmin's normal job as a "MITM attack" and then outlaw it ... it's to get apple to fix their broken lockout system, which people have pointed out might have already happened since this report is so old.

If we look to lawmakers for help they WILL outlaw normal behavior though, and then companies will use it to do all kinds of nasty encroachment into what we can and can't do with our own devices, just because they can! The way to avoid this is a few steps back: push back on anyone demonizing normal everyday tasks and behavior in the first place, before lawmakers get their hands on it.

dragonfrogNovember 12, 2015 2:31 PM

@rgaff - You're still missing the point. doulCi is a MITM attack. However, nobody is saying it should be illegal except you.

Specifically, the victims of the MITM attack are the devices that think they're talking to one another - the iPhone and Apple's iCloud activation servers - as well as the owners of those devices - the person whose iPhone was stolen, and Apple.

The activation happens over a computer with iTunes installed, using that computer's Internet connection to reach Apple. So the iTunes software, the OS and hardware running iTunes, and that computer's Internet connection are all part of the untrusted network that the iPhone and Apple's servers must communicate over. They are the tools that could be used to carry out a MITM attack.

Apple apparently made the mistake of having the iPhone trust the iTunes software it's talking to at activation time, as being inside the trust boudary, reliably part of the defences against MITM, rather than something that could be carrying out a MITM against it. Since doulCi is a tool to allow people to activate stolen iPhones (not ostensibly of course, but it is), the computer used at activation time are going to be under the control of the thieves. I'm not sure how this escaped Apple's attention.

Erm...November 12, 2015 3:22 PM


I agree with @dragonfrog; nobody, myself included, are suggesting such modifications be outlawed (if they're not already).

I can't see where this has been classified as criminal activity per se - obviously theft of a phone and/or receiving stolen goods (where applicable) are distinct penal offences.

rgaffNovember 12, 2015 3:38 PM


for fuck's sake.. I change my hosts file on my computers or router all the time to fix issues with devices on my network that aren't behaving the way I want them to. This should NOT be classified as me "MITM ATTACKING" the devices on my network... because *IF* lawmakers ever define that term in any law, they WILL define it as a crime! And NOWHERE did I EVER say that's the right thing to do.

Altering the responses of DNS lookups on your own network or computer (which is what happens when you edit that file) is NORMAL EVERYDAY BEHAVIOR FOR EVERY NETWORK ADMINISTRATOR ON THE PLANET!!!! It is not doing anything wrong, it is not "attacking" anything, it is not "MITM Attacking" anything, nobody should ever demonize it as bad or evil behavior, and no lawmaker should ever classify it as a crime! Period.

This is personal for me, because I DON'T WANT TO GO TO PRISON when some IDIOT future lawmaker makes it a crime, and turns what I just said above into an outright confession of a crime, because the stupid press was demonizing common behavior to make it look evil!!!

According to the article, "doulCi" is just a service that needs a host file edit to redirect traffic to it. Thus, the host file edit itself becomes the actual redirection, in other words, it is the MITM attack or a major portion thereof.

Why is this all so hard for people to get?

rgaffNovember 12, 2015 4:02 PM

You see, the real problem is that bank robbers can walk into the bank... walking is a truly evil behavior. It's an attack on banks. We need to convene congress and pass a law outlawing such bad behavior, and then we can just haul off anyone of any bipedal species that we don't like, because they've all committed crimes.... please... you suck.

Yet this is what you're doing, when you paint "editing a hosts file" as an "MITM ATTACK"!

ianfNovember 12, 2015 9:38 PM

@ dragonfrog (cc: @rgaff)

doulCi is a MITM attack… Specifically, the victims are the devices that think they're talking to one another

Let's say formally you are right, but for such an illicit activation to take place, there has to be an exploit payload somewhere along the chain – doesn't it. So where do you envision it resides, ready to be injected/ invoked? Or is it that mere redirecting the DNS by itself allows reactivation of a locked (stolen) phone.

Besides, that was published a year and a half ago… ample time for anybody at Apple to plug in that particular hole (and the fact that the Cult of Mac website has not bothered to revalidate the attack, or to simply update the page as potentially being outdated is quite telling). Or do you really believe that, when this came to Apple's attention, they simply shrugged, and thought "cool, another replacement iPhone sold" or something?

Clive RobinsonNovember 13, 2015 8:39 AM

@ rgaff,

Altering the responses of DNS lookups on your own network or computer (which is what happens when you edit that file) is NORMAL EVERYDAY BEHAVIOR FOR EVERY NETWORK ADMINISTRATOR ON THE PLANET!!!! It is not doing anything wrong,... ...nobody should ever demonize it as bad or evil behavior, and no lawmaker should ever classify it as a crime! Period.

You are already to late on that that particular train has left the station...

Various persons working for the US DoJ have started trying to have people "breaking EULA" classified as breaking the law. One way they can do this is via the overly broad interpretation of the DMCA and othe Computer Misuse legislation.

It takes very little effort to see that by changing the mapping of the machine-domain-name to IP-number you are circumventing the Apple protocol (DMCA violation) to circumvent a security feature and thus gain unauthorised by Apple access to their Cloud servers (Computer Misuse).

Yes I know it appears stupid and defys common sense if --and only if-- you are the owner of the phone, but that is the way prosecution hungry lawyers will present it in court. And when you think about it in terms of criminal acts such as facilitating "receiving stolen goods" it's like changing VINs on cars and removing serial numbers off of guns etc.

The reason the prosecuters can get away with it for those that own the phone, is that in fact you don't own the phone only part of it. In this respect it's a bit like a "leasehold property" you might own the bricks and plaster of the building but not the land it sits on that you only lease. Thus you might own the physical instance of a phone, but not the software or other IP that makes it a usable phone, these you only lease. Their used to be a "third party doctrine" that alowed you second hand sales rights on books etc... But the software and entertainments industry has all but destroyed that and the DMCA has firmly nailed the coffin lid down on the "act of modification of process" via the fact it's illegal to circumvent copyright or processes and IP covered by copyright, trade marks, patent etc...

You, I and most people may see such mind warping as at best unjust protectionism by ephemeral nonsense. But civil (tort) law has no concept of just/unjust or things being ephemeral, it just sees breach and remedies. Unfortunatly the legislators alowed tort remedies to become criminal sanctions thus what was just a breach of contractual terms with minimal remedies, has now become a major sledge hammer by "rent seaking" entities that use the "might is right" view on life to extract unwarented payment or vengful suffering. Because the legislators want to line their pockets as well.

Get used to it because that is the way Offshore, tax avoiding Corporate America wants it to be. Back in times past such illegitimate "payment or vengence" was known as "protectionism" and earlier still as "paying Dane Gelt".

rgaffNovember 13, 2015 12:55 PM

@Clive Robinson

I'm aware that every American commits 3 felonies per day while thinking they are perfect law-abiding citizens...

trying to explain to dunderheads why this is such a bad thing is like pulling teeth... but that doesn't mean I won't try sometimes :)

By the way, I said the word "future" a couple times up above, knowing it was really "past"... because I didn't want to get derailed defending that word to people just yet... it wasn't the point I was trying to make at the time. You've done a pretty good job though, thanks ;)

TyroonMay 6, 2017 12:45 AM

There are many apps to bypass activation lock. But you need to have a secured app. You can get all those apps for free on your Vshare iOS 11 app market. All the latest paid apps and tweaks are available for free on this app store.

LeinsAugust 12, 2017 6:57 AM

The need to bypass iCloud activation is usually at minimal as one is always aware of his or her iCloud account details. But in the event of your device being misplaced or accidentally being taken by someone (usually stolen), bypassing the iCloud activation is the only viable solution that one with good intentions can afford in order to find necessary details about the device's owner. There are many apps available to bypass iCloud activation. You can get all those apps for free on

JayAugust 16, 2017 2:37 AM

Any one saying that bypassing the activation lock by changing the dns and using doulCi is bad and only used by people with stolen iPhones are a bunch of morons and need to stfu because I have a iPhone that has the activation lock on it that I bought from Walmart You got that bought and paid for at a store and only used on my wifi and when apple did there stupid updates my phone locked because I never activated it or hooked it up to a phone service and apple won't do shit for me so I have to use this method to use my 500 dollar iPhone that I paid for so no more saying this is only for people with stolen phones because Its not and I just handed you your asses on this subject

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.