iOS activation lock can be bypassed by overwhelming the Wi-Fi connection
Mon 5 Dec 2016
A researcher has discovered a method for defeating the activation lock on potentially stolen Apple iOS devices, including iPhones and iPads, by taking advantage of the few features that remain enabled while the device sits on the locked activation screen.
The lock-down occurs when a user activates ‘Find My Phone’ (which, despite the name, also applies to non-phone devices). The device receives the status signal, treats itself as no longer being in the rightful owner’s hands, and thereafter grants no further access to anyone who cannot enter the password – blocking them from disabling Find My Phone, using the device or reactivating it.
Hemanth Joseph, a cyber-security ‘enthusiast’ working out of Kerala in India, discovered that he was able to get to the home screen of a locked device by sending extremely long Wi-Fi password strings to the processes which still allow a user to attempt to connect to a Wi-Fi network, even from the locked activation screen.
Under the settings still available in the locked-down state, Joseph selected the ‘Choose a Wi-Fi Network’ option and enabled the WPA2 Enterprise Edition connection protocol. This advanced security connection adds two extra input fields, expanding the opportunities for overwhelming the request process with bloated or extended input. Incredibly, in this state none of the fields has a character limit, and Joseph was able to keep copying and pasting the padded input until the sample iPad, purchased on eBay for testing purposes, finally froze.
Pressing the ‘Home’ button after the device had been put into this vulnerable state simply returned Joseph to the Welcome screen. This provided the first part of what would become the exploit.
Joseph then took advantage of the way a proprietary iPad case can mimic the ‘auto-lock on close’ behaviour of a laptop. By returning the device to the same confused state and then opening the case, the hung Wi-Fi connection process crashes straight to the Home screen, completely bypassing the ‘Find My Phone’ security measures.
It’s a stunning exploit, taking advantage of the oldest trick in the crash-and-access book: inadequate input validation, in this case the complete absence of a length limit on user-supplied fields.
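The defensive counterpart to the flaw described above is a hard length cap on every credential field, enforced before the input reaches any join or connection logic. The following is an added example, not code from the article or from Apple, and it models a generic Wi-Fi join request rather than iOS’s real settings code. The SSID limit (32 octets) and the WPA2 passphrase rule (8–63 printable ASCII characters, or exactly 64 hex digits) come from the IEEE 802.11 and WPA2 specifications; the caps on the enterprise username and password fields (`EAP_IDENTITY_MAX`, `EAP_PASSWORD_MAX`) are assumptions chosen for the example, as are all function and field names.

```python
"""
Bounded-length validation for Wi-Fi credential fields.

Added example (not from the article or Apple). The point it demonstrates:
check the *length* of every field first, in O(1), so a multi-megabyte paste
is rejected outright instead of being buffered, rendered or handed to the
connection process.
"""
import string

SSID_MAX_OCTETS = 32      # IEEE 802.11: an SSID is 0..32 octets
PSK_MIN, PSK_MAX = 8, 63  # WPA2-Personal passphrase length bounds
PSK_HEX_LEN = 64          # or the raw 256-bit PSK written as 64 hex digits
EAP_IDENTITY_MAX = 253    # assumed cap for the enterprise username field (not from the article)
EAP_PASSWORD_MAX = 128    # assumed cap for the enterprise password field (not from the article)

# Printable ASCII (space through '~'); tabs, newlines etc. are excluded.
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


class CredentialError(ValueError):
    """Raised for any field that fails validation."""


def _check_len(name, value, max_len, min_len=0):
    # Type and length are checked before anything else touches the value.
    if not isinstance(value, str):
        raise CredentialError(f"{name}: expected str")
    n = len(value)
    if n < min_len:
        raise CredentialError(f"{name}: too short ({n} < {min_len})")
    if n > max_len:
        raise CredentialError(f"{name}: too long ({n} > {max_len})")
    return value


def validate_ssid(ssid):
    # SSID length is measured in encoded octets, not characters.
    if not isinstance(ssid, str):
        raise CredentialError("ssid: expected str")
    octets = len(ssid.encode("utf-8"))
    if octets == 0 or octets > SSID_MAX_OCTETS:
        raise CredentialError(f"ssid: {octets} octets, must be 1..{SSID_MAX_OCTETS}")
    return ssid


def validate_psk(passphrase):
    # Upper bound first: nothing longer than 64 characters is ever inspected.
    _check_len("passphrase", passphrase, PSK_HEX_LEN, PSK_MIN)
    if len(passphrase) == PSK_HEX_LEN:
        if all(c in string.hexdigits for c in passphrase):
            return passphrase
        raise CredentialError("passphrase: a 64-character value must be hex digits")
    if len(passphrase) > PSK_MAX:
        raise CredentialError(f"passphrase: too long ({len(passphrase)} > {PSK_MAX})")
    if not all(c in _PRINTABLE for c in passphrase):
        raise CredentialError("passphrase: contains a non-printable-ASCII character")
    return passphrase


def validate_enterprise(username, password):
    # The two extra fields an enterprise network exposes; both are capped.
    _check_len("username", username, EAP_IDENTITY_MAX, 1)
    _check_len("password", password, EAP_PASSWORD_MAX, 1)
    for name, value in (("username", username), ("password", password)):
        if any(ord(c) < 0x20 or c == "\x7f" for c in value):
            raise CredentialError(f"{name}: contains a control character")
    return username, password


def validate_join_request(req):
    """Validate a join request dict and return a normalised copy.

    req["security"] is one of "open", "wpa2-psk" or "wpa2-enterprise"
    (hypothetical field names chosen for this example).
    """
    ssid = validate_ssid(req.get("ssid", ""))
    sec = req.get("security", "open")
    if sec == "open":
        return {"ssid": ssid, "security": sec}
    if sec == "wpa2-psk":
        return {"ssid": ssid, "security": sec,
                "passphrase": validate_psk(req.get("passphrase", ""))}
    if sec == "wpa2-enterprise":
        user, pw = validate_enterprise(req.get("username", ""), req.get("password", ""))
        return {"ssid": ssid, "security": sec, "username": user, "password": pw}
    raise CredentialError(f"security: unknown mode {sec!r}")


def is_valid(req):
    """Boolean wrapper around validate_join_request."""
    try:
        validate_join_request(req)
        return True
    except CredentialError:
        return False


if __name__ == "__main__":
    # Constructed sample: an enterprise join flooded with padded input,
    # the shape of request the article describes. Rejected on length alone.
    flood = "A" * 5_000_000
    print(is_valid({"ssid": "CoffeeShop", "security": "wpa2-enterprise",
                    "username": flood, "password": flood}))
    print(is_valid({"ssid": "CoffeeShop", "security": "wpa2-psk",
                    "passphrase": "correct horse"}))
```

The important design choice is ordering: `_check_len` and `validate_ssid` run before any per-character work, so the cost of rejecting a pathological paste does not grow with its size, and the connection process never sees the oversized value at all.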
On November 4th, Joseph reported the exploit to Apple; the following day the company asked him for further evidence and videos, which he supplied.