One of the strongest security mechanisms implemented by Apple is called Activation Lock. It prohibits anyone without access to the owner’s Apple ID password from accessing a stolen or lost iDevice. Unless they have a lot of patience and some magnets.
If you ever lose your iDevice, you can remotely lock it in a permanent way. Once you turn on the Activation Lock you won’t be able to re-enable your iPhone or iPad without providing your Apple ID credentials. A few software versions back there were some possible bypasses, like substituting your own activation servers, but they were eliminated via security updates. It took an angry researcher with a locked iPad to find another surprising bypass – one that works for at least a fraction of a second.
Hemanth Joseph bought an iPad Air with iOS 10.1 from eBay and discovered an unpleasant surprise – the iPad was locked with an Activation Lock. Quick research showed that no known bypass exists, but the researcher did not give up. He realized that the Activation Lock is just an app, and an app can be crashed. But how do you crash an app with such limited functionality?
Crashing an app usually requires feeding it some input, and Activation Lock allows the user to provide connection details for a WiFi network. The researcher used this opportunity to try to overflow the input fields in the WPA Enterprise WiFi network settings. There were three fields there: network name, username and password. As there was no length limit, all of them were filled with a large number of characters – somewhere around 10,000 – before the app stopped responding, but the app did not crash. Pressing the lock button did not help either – it just returned the user to the welcome screen. Then the researcher had an epiphany and repeated the whole process, but when the app froze, he did not push the lock button and closed the Smart Case instead. The magnets inside this cover must have triggered something different, because when the researcher opened the cover and waited a few seconds, the app finally crashed, showing the device’s home screen. Here’s the video.
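The lesson for anyone building a locked-down screen is that even three text fields are attack surface, and the first line of defence is bounding what they accept before the rest of the system ever sees it. The following is an added example, not code from the article or from Apple: a small validator for an enterprise WiFi join form that rejects oversized or malformed input up front. The only limit taken from a standard is the 32-octet SSID maximum from IEEE 802.11; the caps on the identity and password fields are assumptions chosen for illustration, and the inputs at the bottom are constructed.

```python
"""Bounded handling of the free-text fields in an enterprise WiFi join form.

Added example; not code from the article or from Apple. The only limit
taken from a standard is the 32-octet SSID maximum (IEEE 802.11). The other
two caps are assumptions chosen for this demonstration.
"""

SSID_MAX_BYTES = 32        # IEEE 802.11: an SSID is at most 32 octets
IDENTITY_MAX_BYTES = 253   # assumed cap; 253 is the largest RADIUS attribute payload
PASSWORD_MAX_BYTES = 128   # assumed cap for the demonstration

FIELD_LIMITS = {
    "ssid": SSID_MAX_BYTES,
    "identity": IDENTITY_MAX_BYTES,
    "password": PASSWORD_MAX_BYTES,
}


def check_field(value, max_bytes):
    """Return None if the field is acceptable, otherwise a short reason.

    Lengths are measured in UTF-8 bytes rather than characters: the 802.11
    frame and the EAP/RADIUS attributes carry bytes, and a character count
    under-estimates multi-byte input.
    """
    if not isinstance(value, str):
        return "not a string"
    if value == "":
        return "empty"
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return "contains control characters"
    size = len(value.encode("utf-8"))
    if size > max_bytes:
        return "too long: %d bytes, limit %d" % (size, max_bytes)
    return None


def validate_enterprise_wifi(ssid, identity, password):
    """Validate all three fields; return {field: reason} for each rejected one.

    An empty dict means the form may be handed to the join logic.
    """
    values = {"ssid": ssid, "identity": identity, "password": password}
    errors = {}
    for name, limit in FIELD_LIMITS.items():
        reason = check_field(values[name], limit)
        if reason is not None:
            errors[name] = reason
    return errors


if __name__ == "__main__":
    # Constructed inputs: a normal join request and the ~10,000-character one.
    print(validate_enterprise_wifi("corp-wifi", "alice@example.com", "correct horse"))
    print(validate_enterprise_wifi("A" * 10000, "B" * 10000, "C" * 10000))
    # 32 characters but 64 UTF-8 bytes: rejected by the byte-length rule.
    print(validate_enterprise_wifi("\u00e9" * 32, "alice", "pw"))
```

The point of measuring in bytes is that a limit enforced on character count lets a 32-character name of two-byte characters through at twice the size the radio layer can carry; validating the encoded length closes that gap before the value reaches any lower-level code.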
If you pay close attention to the end of the video (or slow it down to 0.25 of regular speed with the video player options) you can see that the home screen starts disappearing right where the video is cut. Judging from the email screenshots included in the bug description, the system apparently returns to the locked state after the crash (which the researcher failed to mention in his article) – but the exploit is interesting nonetheless.
The issue was reported to Apple on the 4th of November and patched 2 weeks later. Congratulations to the researcher.