Researchers bypass Apple activation lock

Researchers bypass Apple activation lock [Image: erhui1979 via iStock]

Security researchers have bypassed the activation lock on Apple devices, using a bug unknown until now.

This could potentially leave the devices open to attack from hackers.

The first report of the bypassing of the lock came from Indian security researcher Hemanth Joseph earlier this year. He was investigating potential ways of getting past the activation lock after he purchased a locked iPad from an online marketplace.

AppleInsider.com reported that Mr Joseph “discovered a method of crashing the security software layer by entering an excessively long string of characters in iPad's Wi-Fi setup text fields”.

Activation lock is enabled automatically when Find My iPhone is activated. It then stores the device’s owner’s Apple ID on an offsite server for verification. It is intended to prevent anyone turning off Find My iPhone on the device, erasing the device, or reactivating and using the device, according to Mr Joseph.

He went about finding the bug by creating an overflow error when prompted to join a Wi-Fi network. Mr Joseph could enter a long string of text in all fields – Name, Username and Password – as they have no character limit.

Mr Joseph’s iPad then froze, but this was not enough to override the activation lock. What did work was closing the magnetic Smart Cover, an Apple product that allows the iPad to be locked and unlocked upon closing and opening it respectively.

He said that “after 20-25 seconds the ‘Add Wi-Fi Connection’ screen crashed to the iPad home screen,” bypassing the Find My iPhone activation lock. He reported his findings to Apple, which patched the security flaw in its iOS 10.1.1, which was released in October.

However, Vulnerability Labs founder Benjamin Kunz-Mejri has posted a video showing how he gained access to a locked device on the updated iOS. He used a similar method to trigger the crash, using a long string of text to overflow the Wi-Fi form fields but also rotating the screen to cause the device to crash after using the Smart Cover.

It remains to be seen if Apple will issue a fix for the flaw pointed out by Mr Kunz-Mejri.

The problems with activation lock emphasise the need for businesses to employ an effective mobile device management (MDM) solution in order to safeguard devices accessing their networks. This is especially true for firms using a Bring Your Own Device (BYOD) strategy, which allows workers to access company information on their own devices.

With hackers clearly able to access Apple devices, companies need to ensure that they are keeping their sensitive information secure. The risks of allowing employees to access company data on their own devices or those issued by the firm can be minimised by ensuring the best protection is in place.

Arrow can provide the most up-to-date MDM solutions, which will keep devices as secure as possible.