Security experts have discovered a new bug that could be exploited to bypass Activation Lock feature on Apple devices (iPhone, iPad).
The bug could allow gaining access to the homescreen of a locked device running the latest version of the Apple iOS.
Researchers reported at least two different variations of the issue, a first one working on iOS 10.1 and the second one on the latest iOS 10.1.1.
In case of a theft or loss of an Apple device (iPhone, iPad or iPod), users can activate the Lost Mode through the Find My iPhone service.
This mode automatically enables the Activation Lock to prevent the reactivation of the device without the owner’s permission.
When a user starts a locked device, he is prompted to connect to a Wi-Fi network. In case the “Other Network” option is selected, the user must enter the name of the network and choose a security protocol (e.g. WEP, WPA2, etc.).
Of course, the user has to provide a username and a password, but researchers noticed that there is no limitation on the number of characters that can be entered into the name, username and password fields.
An attacker can trigger a crash that exposes the device’s homescreen by entering a very long string into these fields.
The crash can be caused one of the following methods: Apple’s iPad smart cases, which cause the device to wake or sleep when the case is opened or closed.
The first method was first analyzed by Hemant Joseph, who tested the Activation Lock feature after purchasing a locked iPad from eBay. The method worked on iOS 10.1 and was fixed by Apple with the iOS 10.1.1 release.
The second method was discovered by researchers at Vulnerability Lab and works also on iOS 10.1.1.
(Security Affairs – iPhone, Activation Lock Bypass)