If your iPad gets stolen, you can normally rest assured that the thieves will never be able to use it, thanks to Apple's Activation Lock feature, which ties the device to your iCloud account. But it turns out a clever and dedicated bandit might be able to bypass Activation Lock with the unlikely combination of a very long Wi-Fi network name and password and the iPad Smart Cover magnetic cover — or even a piece of black tape.
Hemanth Joseph, an information security researcher at India-based security firm Slash Secure, and his friend bought an iPad on eBay. They were dismayed to find that it was still stuck behind Activation Lock tied to the previous owner. For obvious reasons, Apple will not help users bypass this lock, so it was up to Joseph to see if Apple had overlooked something in its activation process.
Apple has not yet fixed this flaw, so until it is, you might want to keep your iPad under lock and key. Neither of these exploits seems to work on iPhones.
As Joseph wrote in a blog posting late last month, he realized that Activation Lock is a discrete piece of software, not directly related to the everyday functions of iOS. As such, if he could crash Activation Lock, he could continue on to the settings menu and set up the used iPad with his own account. The easiest moment in which to do this was during the network-connection prompt, when an iPad (or iPhone, or any other mobile device) asks the new user for access to the nearest Wi-Fi network.
First, Joseph selected the option to choose a different Wi-Fi network than those automatically found during local scans, and to select WPA2 Enterprise as the target network's security protocol. Unlike the WEP, WPA and WPA2 protocols, WPA2 Enterprise has is no character limit to how long a Wi-Fi network's name or the user password can be.
Joseph found that by copying and pasting random characters ad nauseum into the iPad field for a network name and password, he could make the iPad freeze. That's a classic example of a buffer overflow, in which the amount of data being input into a function exceeds the amount of running memory allocated for that function. (Think of trying to stuff a large down comforter into a small cardboard box.)
But Joseph could not yet take advantage of the tablet's compromised state. That's where the iPad Smart Cover came in. Thanks to strategically placed magnets, the Smart Cover shuts off the screen when closed and wakes up the home screen when opened again.
Since opening the cover reverts an iPad to its Home screen, Joseph theorized that this engineering quirk might encourage a frozen program to crash and the unprotected Home screen to take precedence. His theory was correct. Although it took about 30 seconds, the Wi-Fi prompt crashed and brought Joseph to an unsecured Home screen. (Our pals over at Ars Technica have confirmed that this works.)
While some researchers would have just called it a day there and rejoiced in their new iPads, Joseph contacted Apple, and is in the process of exploring the security risk with the company. Right now, there's no known method to prevent this exploit, except to detach your Smart Cover. Even if there were, a thief could always use his own Smart Cover, or even use a few small magnets to replicate the effect.
Joseph carried out his tests on iOS 10.1, but after he posted his results online, German researcher Benjamin Kunz Mejri was able to replicate it in iOS 10.1.1.
Kunz Mejri, of security firm Vulnerability Lab, tried the same method of copying and pasting hundreds of characters into a WPA2 Enterprise connection process, and flipping the Smart Cover. But he found another method — putting black tape over the iPad's front-facing camera and rotating the iPad during setup so that the screen switched to landscape mode — also achieved the desired result, even without a Smart Cover.
Whether using a Smart Cover or rotating the iPad, the unsecured home screen flashed for only a fraction of a second. But Mejri determined that pressing the power button or activating Siri during that time would keep the home screen open, and open up the iPad for a full reset.
This Wi-Fi network name-entry flaw could theoretically affect iPhones as well, since the software works in the same way. But there's no iPhone equivalent to the iPad Smart Cover, and iPhone screens don't auto-rotate during the setup process, so iPhones are probably safe for now.
Apple will probably patch this issue soon, so in the meantime, just try to keep your iDevices out of enemy hands.