A flaw allows bypassing the Activation Lock on iPhone and iPad

Pierluigi Paganini December 02, 2016

Researchers discovered a bug that can be exploited to bypass Apple’s Activation Lock feature and gain access to the home screen of locked Apple devices.

Security experts have discovered a new bug that could be exploited to bypass the Activation Lock feature on Apple devices (iPhone, iPad).

The bug could allow an attacker to reach the home screen of a locked device running the latest version of iOS.

Researchers reported at least two different variations of the issue, a first one working on iOS 10.1 and the second one on the latest iOS 10.1.1.

In case of theft or loss of an Apple device (iPhone, iPad or iPod touch), users can activate Lost Mode through the Find My iPhone service.

This mode relies on Activation Lock, which prevents the device from being reactivated without the owner’s Apple ID and password.

When a locked device is started, the user is prompted to connect to a Wi-Fi network. If the “Other Network” option is selected, the user must enter the network name and choose a security protocol (e.g. WEP, WPA2, etc.).


For a protected network the user also has to provide a username and a password, and the researchers noticed that there is no limit on the number of characters accepted in the name, username and password fields.

By entering a very long string into these fields, an attacker can trigger a crash that exposes the device’s home screen.
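The missing check is a plain upper bound on each field before it is rendered or stored. As an added example (not code from the article, from Vulnerability Lab or from Apple), here is a Python validator for the “Other Network” form that enforces the limits the Wi-Fi standards actually define: an 802.11 SSID is at most 32 octets, a WPA/WPA2 passphrase is 8–63 printable ASCII characters or exactly 64 hex digits, and a WEP key is 5 or 13 ASCII characters or 10 or 26 hex digits. The security-type labels and the 253-octet username cap are assumptions chosen for illustration; an oversized string is rejected before anything downstream sees it.

```python
"""Length and charset validation for an "Other Network" Wi-Fi join form.

Added example, not code from the article or from Apple. Standard-derived
limits: 802.11 SSID <= 32 octets; WPA/WPA2 passphrase 8-63 printable ASCII
chars or 64 hex digits; WEP key 5/13 ASCII chars or 10/26 hex digits.
USERNAME_MAX_OCTETS is an assumed cap for illustration (RFC 7542 recommends
that implementations support NAIs of 253 octets).
"""

import string

SSID_MAX_OCTETS = 32
PSK_MIN_CHARS, PSK_MAX_CHARS, PSK_HEX_LEN = 8, 63, 64
WEP_ASCII_LENS, WEP_HEX_LENS = (5, 13), (10, 26)
USERNAME_MAX_OCTETS = 253  # assumption, see module docstring
SECURITY_TYPES = ("None", "WEP", "WPA", "WPA2", "WPA2 Enterprise")  # assumed labels


class FieldTooLong(ValueError):
    """Raised when a field exceeds its fixed upper bound."""


def _is_hex(s: str) -> bool:
    return s != "" and all(c in string.hexdigits for c in s)


def _printable_ascii(s: str) -> bool:
    return all(0x20 <= ord(c) <= 0x7E for c in s)


def validate_ssid(ssid: str) -> bytes:
    # The SSID is an octet string on the wire, so the bound applies to UTF-8
    # bytes rather than characters: "café" is 4 chars but 5 octets.
    data = ssid.encode("utf-8")
    if not data:
        raise ValueError("SSID must not be empty")
    if len(data) > SSID_MAX_OCTETS:
        raise FieldTooLong(f"SSID is {len(data)} octets, max {SSID_MAX_OCTETS}")
    return data


def validate_wep_key(key: str) -> str:
    if len(key) in WEP_HEX_LENS and _is_hex(key):
        return key
    if len(key) in WEP_ASCII_LENS and _printable_ascii(key):
        return key
    if len(key) > max(WEP_HEX_LENS):
        raise FieldTooLong(f"WEP key is {len(key)} chars, max {max(WEP_HEX_LENS)}")
    raise ValueError("WEP key must be 5/13 ASCII chars or 10/26 hex digits")


def validate_psk(psk: str) -> str:
    if len(psk) == PSK_HEX_LEN and _is_hex(psk):
        return psk  # raw 256-bit PSK given as 64 hex digits
    if len(psk) > PSK_MAX_CHARS:
        raise FieldTooLong(f"passphrase is {len(psk)} chars, max {PSK_MAX_CHARS}")
    if len(psk) < PSK_MIN_CHARS:
        raise ValueError(f"passphrase shorter than {PSK_MIN_CHARS} chars")
    if not _printable_ascii(psk):
        raise ValueError("passphrase must be printable ASCII")
    return psk


def validate_username(user: str) -> str:
    n = len(user.encode("utf-8"))
    if n == 0:
        raise ValueError("username must not be empty")
    if n > USERNAME_MAX_OCTETS:
        raise FieldTooLong(f"username is {n} octets, max {USERNAME_MAX_OCTETS}")
    if any(c in "\r\n\x00" for c in user):
        raise ValueError("username contains control characters")
    return user


def validate_other_network(ssid, security, username=None, password=None) -> dict:
    """Validate the whole form; raise before any field reaches the UI layer."""
    if security not in SECURITY_TYPES:
        raise ValueError(f"unknown security type {security!r}")
    profile = {"ssid": validate_ssid(ssid), "security": security}
    if security == "WEP":
        profile["key"] = validate_wep_key(password or "")
    elif security in ("WPA", "WPA2"):
        profile["psk"] = validate_psk(password or "")
    elif security == "WPA2 Enterprise":
        profile["username"] = validate_username(username or "")
        if password is None:
            raise ValueError("EAP password required")
        # EAP passwords have no standard bound, so cap them like the username.
        if len(password.encode("utf-8")) > USERNAME_MAX_OCTETS:
            raise FieldTooLong("EAP password too long")
        profile["password"] = password
    return profile


def accepts(ssid, security, username=None, password=None) -> bool:
    """True if the form would be accepted, False if any bound or charset check fails."""
    try:
        validate_other_network(ssid, security, username, password)
        return True
    except ValueError:  # FieldTooLong is a ValueError too
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal WPA2 network, then the kind of overlong
    # strings the article describes being typed into the name and username fields.
    print(accepts("HomeNet", "WPA2", password="correct horse battery"))  # True
    print(accepts("A" * 10_000, "WPA2", password="correct horse battery"))  # False
    print(accepts("Corp", "WPA2 Enterprise", username="u" * 10_000, password="x"))  # False
```

The bound on the SSID is deliberately applied to the encoded byte length: a field that counts characters instead of octets still lets multi-byte input through over the 32-octet limit the frame format imposes.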

The crash can be triggered by one of the following methods:

  • Leveraging Apple’s iPad smart cases, which cause the device to wake or sleep when the case is opened or closed.
  • Leveraging the screen rotation feature and Night Shift mode, as demonstrated in the video PoC published by Vulnerability Lab.

The first method was first analyzed by Hemant Joseph, who tested the Activation Lock feature after purchasing a locked iPad from eBay. It worked on iOS 10.1 and was fixed by Apple in the iOS 10.1.1 release.

The second method was discovered by researchers at Vulnerability Lab and also works on iOS 10.1.1.


Pierluigi Paganini

(Security Affairs – iPhone, Activation Lock Bypass)
