We recently reported on a flaw in iOS that would allow someone to bypass the iOS lockscreen by using Siri. Well, Siri’s off the hook this time. The new vulnerability, disclosed yesterday by Benjamin Kunz Mejri of Vulnerability Lab, involves breaking iOS’s Activation Lock feature, which you’d use if your iPhone or iPad were marked as lost via the “Find my iPhone” app.
The idea behind Activation Lock is that if someone steals your iPhone or iPad, or if you just misplace it, you can remotely lock out your lost device so no one else can try to use it, turn off “Find My iPhone,” or erase the device completely. Unfortunately this bug renders that safety protocol pretty much useless.
Unlocking the Activation Lock requires first joining a Wi-Fi network before entering the required Apple ID and password. According to the disclosure, there is no character limit on the username and password fields of the Wi-Fi network prompt.
By stuffing the username and password fields with a huge number of characters, the attacker can make the input screen glitch out.
Then, the attacker takes advantage of the iPhone or iPad’s screen rotation or auto-wake functions, either by physically turning the device so the screen rotates, or by opening and closing one of Apple’s “Smart Cases” for the iPad. This, combined with the glitched-out Wi-Fi screen, will crash the screen for just a moment, and if timed correctly, the attacker will be able to access the device by pressing the home button. Thus they can bypass the Activation Lock.
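The root cause described above is a credential prompt with no length bound. As an added illustration (not Apple's code, and not a description of how iOS implements the prompt), here is how a defender bounds Wi-Fi join fields before they reach a UI or network layer. The SSID and WPA passphrase limits come from the 802.11 and WPA specifications; `USERNAME_MAX_BYTES` (the RADIUS User-Name attribute maximum) and `PASSWORD_MAX_BYTES` are assumed policy caps, and all function names are my own.

```python
import re

# Bounds taken from the standards: IEEE 802.11 SSID element and WPA/WPA2 PSK.
SSID_MAX_BYTES = 32
PSK_PASSPHRASE_MIN = 8
PSK_PASSPHRASE_MAX = 63
PSK_HEX_LEN = 64
# Assumed policy caps for an enterprise (802.1X) prompt. 253 is the RADIUS
# User-Name attribute value maximum; the password cap is an arbitrary policy choice.
USERNAME_MAX_BYTES = 253
PASSWORD_MAX_BYTES = 128

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


class CredentialError(ValueError):
    """Raised when a join request fails a length or character-set bound."""


def _byte_len(s: str) -> int:
    return len(s.encode("utf-8"))


def _require_printable(field: str, value: str) -> None:
    # Control characters (including newlines) never belong in a credential prompt.
    if any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise CredentialError(f"{field} contains control characters")


def validate_ssid(ssid: str) -> str:
    n = _byte_len(ssid)
    if not 1 <= n <= SSID_MAX_BYTES:
        raise CredentialError(f"SSID must be 1-{SSID_MAX_BYTES} bytes, got {n}")
    _require_printable("SSID", ssid)
    return ssid


def validate_psk(psk: str) -> str:
    if _HEX64.match(psk):
        return psk.lower()  # raw 256-bit key supplied as 64 hex digits
    n = len(psk)
    if not PSK_PASSPHRASE_MIN <= n <= PSK_PASSPHRASE_MAX:
        raise CredentialError(
            f"passphrase must be {PSK_PASSPHRASE_MIN}-{PSK_PASSPHRASE_MAX} characters, got {n}")
    if not all(32 <= ord(c) <= 126 for c in psk):
        raise CredentialError("passphrase must be printable ASCII")
    return psk


def validate_enterprise(username: str, password: str) -> tuple:
    for field, value, cap in (("username", username, USERNAME_MAX_BYTES),
                              ("password", password, PASSWORD_MAX_BYTES)):
        n = _byte_len(value)
        if not 1 <= n <= cap:
            raise CredentialError(f"{field} must be 1-{cap} bytes, got {n}")
        _require_printable(field, value)
    return username, password


def check_join_request(ssid, psk=None, username=None, password=None):
    """Return (ok, detail); oversized input is rejected before any UI or network code sees it."""
    try:
        validate_ssid(ssid)
        if psk is not None and (username is not None or password is not None):
            raise CredentialError("supply either a PSK or a username/password, not both")
        if psk is not None:
            validate_psk(psk)
            return True, "personal"
        if username is not None and password is not None:
            validate_enterprise(username, password)
            return True, "enterprise"
        raise CredentialError("no credentials supplied")
    except CredentialError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs, including an oversized username of the kind the article describes.
    for ssid, creds in [("CoffeeShop", dict(psk="correct horse battery")),
                        ("CorpNet", dict(username="x" * 10_000, password="pw"))]:
        print(ssid, check_join_request(ssid, **creds))
```

The point of returning a reason string rather than raising is that the caller can show a bounded, fixed-format message while the oversized payload itself is never rendered.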
A similar vulnerability was reported to Apple in early November by Hemanth Joseph for iOS 10.1, supposedly patched in iOS 10.1.1, though this recent attack by Benjamin Kunz Mejri still works on iOS 10.1.1. It seems there’s still a bit more work to do before this bug is squashed.
What to do?
This bypass works around a security feature meant to make lost or stolen devices harder to hack, so there’s not a whole lot to be done until Apple releases a fix. When Apple provides a patch for this bug, install it as soon as you can.
Of course, your iDevice doesn’t have to be lost or stolen for someone malicious to try to break into it – it simply has to be out of your immediate sight. So do consider setting a long PIN or passphrase for everyday locking of the device, and until this bug is fixed, be warned that the Lost Mode you can trigger via iCloud might not give you the extra protection you thought you had.
And in the meantime, keep a close eye on your iDevices.
7 comments on “New iOS lockscreen bypass renders Activation Lock useless”
“Of course, your iDevice doesn’t have to be lost or stolen for someone malicious to try to break into it – it simply has to be out of your immediate sight”
How is that the case? From your article it sounds like the device has to be at the “Activation Lock” screen, which is only if I activate that remotely. Someone picking up my phone that I left on the coffee break table won’t be able to break into it, from the sound of it.
We mean that your phone is at risk even if it isn’t lost and “Activation Locked”, because with a poorly chosen PIN code (or no PIN at all) it can be broken into even when you leave it briefly unattended. The Activation Lock is supposed to be like setting a deadbolt for extra security; a weak PIN code is like relying on an easily loided spring lock. Unfortunately, many people seem to rely on simple (or even no) lock codes because they don’t expect to lose the phone, or for miscreants to fiddle with it when they aren’t looking.
In other words, we’re just taking the opportunity to remind you that even when you’re not at the point of needing Lost Mode, it’s worth thinking about phone security 🙂
Activation Lock is only there to prevent re-sale of stolen devices. I think it might be helpful for some to clarify the differences, as Lost Mode simply locks the device (using its existing passcode) and prompts to call a number. Activation Lock prevents the device from being set up after a factory reset and requires the Apple ID and password of the iCloud account.
Thank you for the heads up. 🙁
easily _loided_ ???
It may be an Americanism, but I know it (from PI novels 🙂) as a term for unlawfully opening a spring lock from the outside using a credit card, plastic strip or other lock-popping tool to push back the lock bolt “round the corner” of the doorframe.
Is fingerprint the best