Slashdot Mirror
iOS's 'Activation Lock' For Stolen iPads And iPhones Can Be Easily Bypassed (computerworld.com)
An anonymous reader quotes ComputerWorld:
Two researchers claim to have found a way to bypass the activation lock feature in iOS that's supposed to prevent anyone from using an iPhone or iPad marked as lost by its owner... One of the few things allowed from the activation lock screen is connecting the device to a Wi-Fi network, including manually configuring one. [Security researcher] Hemanth had the idea of trying to crash the service that enforces the lock screen by entering very long strings of characters in the WPA2-Enterprise username and password fields.
The researcher claims that, after awhile, the screen froze, and he used the iPad smart cover sold by Apple to put the tablet to sleep and then reopen it... "After 20-25 seconds the Add Wifi Connection screen crashed to the iPad home screen, thereby bypassing the so-called Find My iPhone Activation Lock," he said in a blog post.
There's also a five-minute video on YouTube which purports to show a newer version of the same attack.
The researcher claims that, after awhile, the screen froze, and he used the iPad smart cover sold by Apple to put the tablet to sleep and then reopen it... "After 20-25 seconds the Add Wifi Connection screen crashed to the iPad home screen, thereby bypassing the so-called Find My iPhone Activation Lock," he said in a blog post.
There's also a five-minute video on YouTube which purports to show a newer version of the same attack.
If the lock can be bypassed by crashing the GUI logic that presents the lock then that must mean Apple implemented the lock as a simple flag that triggers a UI view controller, and that once the view controller is dismissed (either normally or by crashing it) the logic doesn't check the flag again thereafter. They should have instead implemented it as something that hashes a critical data structure with the unlock code so that the OS can't run without being unlocked.