A high school student in Melbourne, Australia, hacked Apple servers multiple times, got his hands on 90GB worth of “secure” files, and stuck the loot in a folder titled “hacky hack hack”.
On Thursday, he pleaded guilty in an Australian children’s court.
Details are sketchy, but it sounds like the teen – who’s described as being well-known in hacking circles – probably used virtual private networks (VPNs), Tor and other tools to try to hide his tracks.
At any rate, Australian newspaper The Age reported that the high schooler, who can’t be named because he’s a minor, developed “computerized tunnels and online bypassing systems” to exfiltrate the files.
But, try as he might, he got tracked down: Apple’s systems recorded the serial numbers of the MacBooks from which the attacks were launched. The Age reports that prosecutors told the court that the Australian Federal Police (AFP) raided the teen’s home last year.
Prosecutors told the court that police seized two Apple laptops and that the serial numbers matched those of the devices that accessed Apple’s servers. The IP addresses of a seized mobile phone and a disk device also matched up with what Apple had recorded.
Prosecutors said that the boy’s “computerized tunnels” had “worked flawlessly” – until, that is, they didn’t, and he was caught.
Apple contacted the FBI after detecting and shutting down the intrusions, sparking what The Age called a “major international investigation”. During the investigation, the FBI passed its allegations on to the AFP.
The AFP found the hacking software used to launch the attacks on the boy’s laptop, tucked into that “hacky hack hack” folder along with the stolen files and a “litany of hacking files” on the laptop and a hard drive.
The mobile phone was used to let others know about his successful forays: he posted about them using the end-to-end encrypted messaging app WhatsApp.
The teen’s lawyer says his client’s motivation was an infatuation with Apple: the boy did it “because he was such a fan of the company” and hoped to work there some day.
If the high schooler hasn’t figured it out already, the penny will drop soon: “hacking your servers” isn’t the best thing to put on your resume. Even if you’re applying to work for a penetration testing company, you might as well save everybody some time and instead write “I break the law in my spare time!”
Beyond the story of a kid getting caught is the fact that a 16-year-old could break into servers at Apple, which, rightfully or not, has a reputation for solid security. We don’t have much detail on what information was compromised, though Mac Rumors mentioned that customer account details were involved.
Apple account details played a starring role in the multiple thievery sprees we saw a few years back, which resulted in waves of celebrity nude photos being stolen. We were up to Celebgate 3.0 as of a year ago, when Miley Cyrus found herself among the most recent victims.
But according to the FBI, Celebgate thefts were carried out by a ring of attackers who launched phishing and password-reset scams on celebrities’ iCloud and email accounts.
One of them, Edward Majerczyk, got to his victims by sending messages doctored to look like security notices from ISPs. Another Celebgate convict, Ryan Collins, chose to make his phishing messages look like they came from Apple or Google.
Did the Australian teen also launch phishing attacks?
If so, the prosecutors apparently made no mention of it. Apple could certainly clear up the details, but it’s been publicity-shy about this case. It’s easy to see why: the details could point to vulnerabilities that Apple is surely scrambling to fix.
I contacted Apple. If it loosens its zipped lip, I’ll update the post with whatever I learn.
Mike
The kid will have a job with some super secret company. Hackers only get good by, cough, hacking.
I can assure you that I know of a few people that work for some very prominent pen testing companies that hack in their spare time. It’s how they keep their skills up plus it is what they did before. He will get a nice job with one of them or a government agency.
Lorraine Graves
I did a story on kids and computers back in the early days, the 1980s, of home computers. A mom with a PhD offered up her kid and his chum as examples of how kids love to use the internet. The computer was on a desk in the living room where everyone could see it, all the time. What the mom didn’t know is that her 13-year-old and his buddy were hacking into mainframes. The chum then told the story of how the spring before, she and another buddy had hacked into a major telecom and left a message for fun. She didn’t get her stuff seized because she was on a family road trip to Alaska. The parents were gob-smacked at all of this. The computer security expert we asked was amazed at their sophistication and knowledge. In my view, they were pre-moral, too young to have been taught or to really understand the implication of what they had done. It was a wake-up call for all involved.
Jan Doggen
“Apple’s systems recorded the serial numbers of the MacBooks from which the attacks were launched.” How did they do that?
Paul Ducklin
Maybe his device did an App Store update check at the same time, or some other standard Apple “call home”, and it was a simple matter to tie the connections together? Both the update check (using Apple’s own software) and the hack would have terminated somewhere in Apple’s cloud. Even with a VPN via Tor, the two connections might still fairly easily have been linked.
Anonymous
Regardless of how, I can assure you a MacBook should be the last device to use if one doesn’t want to be detected.
Zof
I’m trying to figure out how Apple got a reputation for “solid security”. iOS and OS X have literally topped the critical vulnerabilities lists for years. Apple also was the victim of the largest hacking incident in the history of mankind when XcodeGhost hacked 200 million WeChat iOS users for over six months before Apple noticed.
Paul Ducklin
I hear you, but “topping the vulnerability lists” needs some explanation.
Firstly, these lists and their items can’t be directly compared. Linux vulnerabilities, for instance, cover Linux (an OS kernel) while Windows and macOS vulnerabilities cover what is essentially an entire distro, including apps such as browsers that ship with the OS. Secondly, fewer vulnerabilities fixed doesn’t automatically imply a more secure vendor. If that were true, routers that haven’t had an update for 5 years would be as good as guaranteed secure.
You need some evidence and context if you are sweepingly judging any major vendor by “vulnerability count”. It’s like judging the severity of the virus threat simply on “number of samples seen per unit of time”. Not all samples are made equal (or equally different).
Glenn Roncal (@groncal)
Not to mention they leave root passwords wide open when upgrading OS X.
Bryan
Prosecutors said that the boy’s “computerized tunnels” had “worked flawlessly” – until, that is, they didn’t, and he was caught.
Silly boy should’ve saved himself some time and forgone all the cloak and dagger. After using IE 6 to download all I could find at SwipeStuffFromApple, I’m currently building my prototype iPhonEleven.
Anonymous
One thing I notice in your article is that Apple is collecting information from whoever uses an Apple computer, and who knows if that is extended to PCs.
Of course what the young man was doing was wrong.
SandPox
Somehow he knows how to hack their server and didn’t use a VPN? It’s not like he’s selling their data and got caught or something? Or is he?
Paul Ducklin
We don’t know whether he used a VPN, Tor, both or neither, but one way or another he left a trace that led back to him, and that seems to have been that…