Apple gets cored: 90GB of ‘secure files’ stolen by high schooler

A high school student in Melbourne, Australia, hacked Apple servers multiple times, got his hands on 90GB worth of “secure” files, and stuck the loot in a folder titled “hacky hack hack”.

On Thursday, he pleaded guilty in an Australian children’s court.

Details are sketchy, but it sounds like the teen – who’s described as being well-known in hacking circles – probably used virtual private networks (VPNs), Tor and other tools to try to hide his tracks.

At any rate, Australian newspaper The Age reported that the high schooler, who can’t be named because he’s a minor, developed “computerized tunnels and online bypassing systems” to exfiltrate the files.

But, try as he might, he got tracked down: Apple’s systems recorded the serial numbers of the MacBooks from which the attacks were launched. The Age reports that prosecutors told the court that the Australian Federal Police (AFP) raided the teen’s home last year.

Prosecutors told the court that police seized two Apple laptops and that the serial numbers matched those of the devices that accessed Apple’s servers. The IP addresses of a seized mobile phone and a disk device also matched up with what Apple had recorded.

Prosecutors said that the boy’s “computerized tunnels” had “worked flawlessly” – until, that is, they didn’t, and he was caught.

Apple contacted the FBI after detecting and shutting down the intrusions, sparking what The Age called a “major international investigation”. During the investigation, the FBI passed its allegations on to the AFP.

The AFP found the hacking software used to launch the attacks on the boy’s laptop, tucked into that “hacky hack hack” folder along with the stolen files and a “litany of hacking files” on the laptop and a hard drive.

The mobile phone was used to let others know about his successful forays: he posted about them using the end-to-end encrypted messaging app WhatsApp.

The teen’s lawyer says his client’s motivation was an infatuation with Apple: the boy did it “because he was such a fan of the company” and hoped to work there some day.

If the high schooler hasn’t figured it out already, the penny will drop soon: “hacking your servers” isn’t the best thing to put on your resume. Even if you’re applying to work for a penetration testing company, you might as well save everybody some time and instead write “I break the law in my spare time!”

Beyond the story of a kid getting caught is the fact that a 16-year-old could break into servers at Apple, which, rightfully or not, has a reputation for solid security. We don’t have much detail on what information was compromised, though Mac Rumors mentioned that customer account details were involved.

Apple account details played a starring role in the multiple thievery sprees we saw a few years back, which resulted in waves of celebrity nude photos being stolen. We were up to Celebgate 3.0 as of a year ago, when Miley Cyrus found herself among the most recent victims.

But according to the FBI, Celebgate thefts were carried out by a ring of attackers who launched phishing and password-reset scams on celebrities’ iCloud and email accounts.

One of them, Edward Majerczyk, got to his victims by sending messages doctored to look like security notices from ISPs. Another Celebgate convict, Ryan Collins, chose to make his phishing messages look like they came from Apple or Google.

Did the Australian teen also launch phishing attacks?

If so, there was apparently no word about it mentioned by the prosecutors. Apple could certainly clear up the details, but it’s been publicity-shy about this case. It’s easy to see why: it could point to vulnerabilities that Apple is surely scampering to fix.

I contacted Apple. If it loosens its zipped lip, I’ll update the post with whatever I learn.