A lock is only good at protecting things if it actually stays locked. The activation lock in iOS, for example, makes it very hard for someone other than the owner to wipe an iPhone or iPad and set it up as a new device. Very hard, but not impossible.
Two different bugs have recently been discovered that could allow someone to bypass Apple’s activation lock. One impacts devices running iOS 10.1 and another on the most current version of the software, iOS 10.1.1.
The first was found by Hemanth Joseph, a security researcher who works out of Kerala, India. Joseph’s workaround exploited a weakness in the iOS device setup process, and he tested it on a locked iPad he purchased from eBay. When asked to choose a WiFi network, he simply chose ‘other network’ and then proceeded to fill its name and a WPA2-enterprise key in with thousands of characters. His thought was that enough data in those fields would cause the device to freeze, and he was right.
After figuring out how to freeze the iPad, he began to work on a way to make the setup process fail and drop him on the home screen. Pressing the sleep/wake button merely restarted the wizard, but with a little help from the magnetic catch in Apple’s Smart Cover and some practice to perfect the timing, Joseph succeeded. He demonstrated the bypass in a video uploaded to Google Drive.
Researchers at Vulnerability Lab discovered the iOS 10.1.1 bug. Like Joseph, the team began by overloading the WiFi setup fields and employed a smart cover. There’s one minor difference: they rotate the device in their video demo to display the home screen.
In both cases, the home screen only appears for an instant and then it’s gone. Vulnerability Labs founder Benjamin Kunz-Mejri told Security Week that pressing the sleep/wake button quickly allowed his team to keep it open. The danger, of course, is that a criminal who can replicate the attack could wipe a stolen iPhone or iPad and set it up as a new device. It’s not clear from the videos, however, whether the home screen that appeared is fully functional and it’s even possible to access the reset screen.
The bug discovered by Joseph was reportedly fixed in an iOS update on November 16. The second appears to be unpatched, though that could change with the arrival of iOS 10.2 which is currently being beta tested.