Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Vulnerability helps iPad thieves bypass Activation Lock security feature

Researchers are warning about a buffer overflow vulnerability in iPads that would an allow an attacker to bypass Apple iOS' Activation Lock, a feature meant to prevent unauthorized users and thieves from accessing the device's functionality and user data.

The Activation Lock is triggered when an iPad owner uses Find My iPhone, an app that helps individuals locate and recover their lost or stolen devices. The Activation Lock grants access to the device only after the user connects to the cloud and enters the owner's AppleID and password.

But independent researcher Hemanth Joseph explained in a blog post late last month that he was able to bypass the security mechanism in iOS version 10.1 by taking advantage of a lack of character limits placed on certain data fields. To accomplish this, he first requested to choose a Wi-Fi network, and then typed long strings of characters into the fields for the network name, user name and user password. Doing so froze the iPad.

Joseph then locked the iPad screen using a magnetic Smart Case and opened it moments later. This sequence of steps crashed the iPad back to the home screen, thus allowing him to bypass the Activation Lock. (This trick did not work on iPhones, however.)

Benjamin Kunz Mejri, security analyst at Vulnerability Lab subsequently posted a new advisory and accompanying video last Thursday, warning that the flaw was not thoroughly fixed in iOS version 10.1.1. According to Mejri, hackers can still bypass the Activation Lock with a few extra steps, including a rotation of the tablet and a quick press of the Home button before the iPad automatically returns to its set-up screen. Apple reportedly has yet to address this issue.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.