It's still not clear how this requires Apple to do anything or why it should have anything to do with any cloud service.
The IMEI is burned into the phone. They should definitely make it hard to change the IMEI; but they do. If the phone is stolen then the IMEI gets reported as stolen and anyone who tries to activate the phone with a wireless carrier gets caught.
Why does Apple or Google need to inconvenience people who forget their passwords or encounter the conglomerate's bugs?
Stolen Imeis aren't always exchanged between carriers, much less internationally.
Even if that wasn't the case, as long as there were at least a few decently-sized countries not plugged into the system, that's where the thieves would sell all their devices.
Stolen Apple devices are still usable for parts (which is why parts pairing is not always a bad thing), and you can sometimes phish the Apple ID credentials from the victim, which is why stealing those devices is still profitable enough.
> Even if that wasn't the case, as long as there were at least a few decently-sized countries not plugged into the system, that's where the thieves would sell all their devices.
It still limits the market where they can be sold, because even there the customer doesn't actually want a stolen device. What if that country starts blocking them, or they want to travel anywhere that does? They could even get arrested.
It also requires the thieves to have a network to transport them there, vs. individual petty thieves who would otherwise be selling them locally.
> Stolen Apple devices are still usable for parts (which is why parts pairing is not always a bad thing)
Parts pairing is still a scam. They could check the part against a stolen device list without refusing to pair with parts from third party OEMs or first party non-stolen parts from other regional markets.
> Stolen Imeis aren't always exchanged between carriers, much less internationally.
Yes these often end up in Eastern Europe where the carriers don't really care about that stuff. And most people can't pay full price for top end phones so there's much more market for this stuff.
Even on legit corporations with tens of thousands of iPhones, Apple still gives you a lot of hassle if you want to get one unlocked. Just so this won't be used as a loophole.
> and you can sometimes phish the Apple ID credentials from the victim, which is why stealing those devices is still profitable enough.
Yep, I always see "is this text legit?" posts with clear phishing URLs in iOS help groups on Facebook, posted by people who had their iPhones stolen and think it's Apple Support attempting to get it back.
IMEI blacklisting is not worldwide. The phone can still be used in other countries. Also, rogue carrier employees are selling IMEI blacklist removal as a side gig on the black market.
Isn't this the same problem either way? The enterprising criminal can take a low level job at Apple rather than a low level job at a carrier, which is presumably one of the reasons it hasn't actually worked.
And if the problem is that each country is using a different IMEI blacklist then that seems like an obvious thing to fix. There are already treaties and agreements which is how the global phone network operates to begin with, or you could have US law enforcement set up a system to submit the IMEI to each of the individual blacklists.
I trust apple to have more intelligent audit controls on their employees than the average carrier.
And the calculation for the carrier is different. There's a inherent incentive on unblocking a phone for the carrier, as this means a billable contract. For Apple there's a inherent incentive in being known as having devices hard to unblock and thus, presumably less attractive for thieves.
> The enterprising criminal can take a low level job at Apple rather than a low level job at a carrier
To my knowledge, Apple has not had any insider compromise of activation lock.
This is why criminals try to phish the credentials from the victim instead.
Yes and even companies that can request it (I worked for one in this role) have to provide extensive documentation.
A phone must be purchased for us (with invoice with serial no) originally, or it must have been enrolled in our corporate MDM before getting locked. And for a while they didn't even accept the latter.
So even if you are at a third party you won't get away with sneaking these through. Which is good, a bit annoying sometimes though when some of our vendors didn't provide serial number invoices. We now require it but during the first years of anti-theft lock it was a bit of an issue and caused a lot of e-waste for us, sadly.
> To my knowledge, Apple has not had any insider compromise of activation lock.
First they would have to get caught.
> This is why criminals try to phish the credentials from the victim instead.
Either method would be effective and not every criminal would have access to an insider, or they would have to pay off the insider for each device and then still prefer to phish the customer if possible to avoid paying the bribe.