Apple's Activation Lock Isn't Really Secured, Researchers Revealed

By Precious Gem de Peralta
iOS 10
Security researchers have discovered bug in iOS 10.1 and iOS 10.1.1 that allowed anyone to bypass the activation lock of the iOS device. The vulnerability in the iOS 10.1 was already patched on Nov. 16 while the upcoming iOS 10.2 update will resolve the issue in the iOS 10.1.1. iPhoneDigital / Flickr

Though iOS devices are more secure than Android devices, researchers have recently discovered bugs in two current versions of iOS 10. They have found out that someone else can bypass the activation lock of your iPhone or iPad other than yourself. Two separate security researchers have explained how it is possible.

According to Forbes, security researcher Hemanth Joseph from Kerala, India was able to exploit a vulnerability in the iOS device setup process. He purchased a locked iPad from eBay. Joseph explained how he did it on his website. He also has uploaded a video of the demonstration in Google Drive.

The purpose of the Activation Lock is to prevent anyone from accessing your iOS device. Those who attempt to do this is required to input the username and password of the owner's iCloud account. They wouldn't be able to unlock it unless they filled those details correctly. Naturally, there will be no use of the device for them.

Joseph shared that he chose "other network" when he was prompted to instead of selecting those that are mentioned. He filled the name and as well as the WPA2-enterprise key. Now, the latter field is instrumental. He out thousands of characters. This caused the iPad to freeze. He eventually succeeded in making the setup process fail and access the home screen. Joseph had to use both sleep/wake button and magnetic catch in Apple's Smart Cover.

The timing is also crucial to achieving this. He said that he reported this to Apple back on Nov. 4. The next day, he got a reply that asked for further details about his exploit. He immediately mailed them back with additional information. By Nov. 16, Apple has issued a security update that fixed this flaw in iOS devices.

The bug in the iOS 10.1.1 was discovered by researchers at Vulnerability Lab. The process they went through was almost similar to what Joseph did. They had overloaded the WiFi setup fields and utilized the smart cover. Both have made the home screen appear for a moment until it disappears. The lab's founder Benjamin Kunz-Mejri said to Security Week that they also quickly pressed the sleep/wake button to keep the device open.

Though both security researchers acted with good intentions, it is possible that cybercriminals could do the same thing for a whole different purpose. Forbes also pointed out that they did not specify if the home screen that appeared works. Apple is yet to patch the flaw in the iOS 10.1.1. However, the iOS 10.2 is already in its beta stage. This vulnerability might have been resolved once it becomes available for consumers.