iPhone theft accounts to half the crimes in cities like New York and San Francisco, pushing law makers in to imposing legislations that require smartphones to have a kill-switch. The proposed kill-switch technology under the Smartphone Theft Prevention Act allows smartphone owners to turn stolen devices into unreadable and unusable devices. Apple already has Activation Lock, a fail-safe introduced in 2007 to keep stolen devices unreadable.

A group of hackers have reportedly managed to go around Apple’s iCloud activation lock enabling users to restore iDevices without authentication, exploiting Apple's security. The attack allows them to intercept Apple ID credentials of users as well as to unlock iOS devices which are practically unusable by activation lock. Known as “Team DoulCi”, member’s @AquaXetine and @MerrukTechnolog created a tool called doulCi (iCloud backwards) which they describe as follows:

doulCi is the world’s first Alternative iCloud Server, and the world's first iCloud Activation Bypass. doulCi will bypass and activate you iDevice for you when you are stuck at the Apple activation menu. So, why would you use it? For example, if you have forgotten your Apple ID and password or no longer have access to your old itunes-email account then it’s impossible to regain control of your Apple Product!! doulCi is the solution that will enable you to can regain permanent access.

The tool doulCi remains available for thieves to unlock stolen iDevices.

According to security researcher Mark Loman of SurfRight, the attack was possible since the Windows version of iTunes does not verify security certificates properly. Team DoulCi demonstrated the attacks effectiveness by posting screenshots of Apple’s iCloud activation service.

The two hackers posted several screenshots of their success:

In a statement given to CultofMac, @AquaXetine had warned Apple of the vunerability in March but the Cupertino-based company did not reply. AquaXetine received an email from Apple today to contact them as quickly as possible. However, the hacker took to Twitter to announce that he deleted the mail posting “There are so too late”.

Just deleted the mail from Apple 😉 They are sooooooooo toooo late — AquaXetine (@AquaXetine) May 21, 2014

Sorry we are offline someone was attacking us ? But our Bouncer works perfect 🙂 10832 devices unlocked in 5 minutes AMAZING — AquaXetine (@AquaXetine) May 21, 2014

The two hackers spent five months to bypass Apple’s iCloud. They said their motive isn’t to make money, but to make users aware that iPhone and iCloud online storage is not safe.

Thousands of Twitter users from around the world were able to bypass using the tool doulCi. Most of the tweets thanking the two Dutch hackers were from outside the U.S., where stolen iPhones are shipped and sold at premium prices in black market.

Very recently, Apple had patched similar risks in OS X and iOS, leaving Windows vulnerable. Loman believes it may have been left vunerable on purpose to allow intelligence agencies access to iCloud servers.

Until Apple fixes the issue, users are advised to not use iCloud services over public Wi-Fi networks. Remarkably, a well known hacker, iH8sn0w in the iPhone community had also discovered an iCloud activation bypass a while ago. One possible insinuation that comes out from the incident is that their servers will soon be tracked with the Interpol knocking at their doors.