New iOS lockscreen bypass renders Activation Lock useless

We recently reported on a flaw in iOS that would allow someone to bypass the iOS lockscreen by using Siri. Well, Siri’s off the hook this time. The new vulnerability, disclosed yesterday by Benjamin Kunz Mejri of Vulnerability Lab, involves breaking iOS’s Activation Lock feature, which you’d use if your iPhone or iPad were marked as lost via the “Find my iPhone” app.

The idea behind Activation Lock is that if someone steals your iPhone or iPad, or if you just misplace it, you can remotely lock out your lost device so no one else can try to use it, turn off “Find My iPhone,” or erase the device completely. Unfortunately this bug renders that safety protocol pretty much useless.

Unlocking the Activation Lock requires first joining a Wi-Fi network before entering the required Apple ID and password. Apparently, as this vulnerability shows, there is no character limit on the username and password fields of the Wi-Fi network prompt.

By stuffing the username and password fields with a huge number of characters, the attacker starts to glitch out the input screen.

Proof of concept video by Vulnerability Labs

Then, the attacker takes advantage of the iPhone or iPad’s screen rotation or auto-wake functions, either by physically turning the device so the screen rotates, or by opening and closing one of Apple’s “Smart Cases” for the iPad. This, combined with the glitched-out Wi-Fi screen, will crash the screen for just a moment, and if timed correctly, the attacker will be able to access the device by pressing the home button. Thus they can bypass the Activation Lock.

A similar vulnerability was reported to Apple in early November by Hemanth Joseph for iOS 10.1, supposedly patched in iOS 10.1.1, though this recent attack by Benjamin Kunz Mejri still works on iOS 10.1.1. It seems there’s still a bit more work to do before this bug is squashed.

What to do?

This bypass works around a security feature meant to make lost or stolen devices harder to hack, so there’s not a whole lot to be done until Apple releases a fix. When Apple provides a patch for this bug, install it as soon as you can.

Of course, your iDevice doesn’t have to be lost or stolen for someone malicious to try to break into it – it simply has to be out of your immediate sight. So until Apple fixes this, do consider setting a long PIN or passphrase for everyday locking of the device, and be warned that the Lost Mode you can trigger via iCloud might not give you the extra protection you thought you had.

And in the meantime, keep a close eye on your iDevices.