Two researchers have found a way to bypass the Apple Activation Lock on both iPhones and iPads, running the two most recent versions of iOS, 10.1 and 10.1.1.
If you’re not familiar with the Activation Lock, this is the lock screen that appears on Apple devices after they have been locked through the Find My iPhone service, typically because they were lost or stolen.
Unless the Find My iPhone service is turned off, users must enter a password on the Activation Lock screen after connecting the device to the Internet.
When turning on an Apple device locked this way, users can select a WiFi network to connect to.
Crashing Apple devices via long WiFi network names
Security researcher Hemanth Joseph says that Apple failed to protect the WiFi network name and password input fields (for WPA2 networks) against overly long text entries.
By entering long strings in these two fields, the researcher says he was able to trigger a buffer overflow that freezes the device’s screen.
The researcher says that by using one of the smart covers Apple sells, he put the device to sleep and reopened it, returning it to the state it was in before the crash. At this point, without any further interaction, after 20-25 seconds the WiFi network and password input form crashed and disappeared, giving the researcher access to the device.
Apple knows about the issue
Joseph says he tested this bug only on iOS 10.1 and reported it to Apple in October. Benjamin Kunz-Mejri, a researcher at Vulnerability Lab, expanded on Joseph’s findings and altered the method to bypass the Find My iPhone Activation Lock on the latest iOS version, 10.1.1.
Kunz-Mejri’s method relies on rotating the screen at a certain point in the exploitation scenario and keeping the Home button pressed when the device crashes to the home screen, in order to maintain access to the device.
The researcher recorded a video, which he released on YouTube, walking users through the bypass technique on iOS 10.1.1.