How a 10,000-character made-up password and a Smart Cover helped crack a locked iPad
Cyber security researcher Hemanth Joseph hacked an iPad secured with iCloud Activation Lock.
Using a 10,000-character made-up password and Apple's magnetic Smart Cover, a cyber security enthusiast was able to bypass iCloud Activation Lock and unlock an iPad without the owner's password.
Based in Kerala, India, Hemanth Joseph discovered the vulnerability in Apple's iOS 10.1 software after he unknowingly bought an iPad from eBay that had been locked by its previous owner.
With Apple's iCloud Activation Lock, the iPad cannot be activated without the Apple ID and password of the owner. At least that is the theory and, as Apple says: "If you purchase an iOS device with an Activation Lock, contact the previous owner as soon as possible and ask them to erase the device and remove it from their account."
But Joseph believed he could get around Activation Lock by crashing the part of the software that enforces it, which he hoped would drop him onto the iPad's home screen.
First, Joseph asked the iPad to connect to a Wi-Fi network and picked WPA2 Enterprise as the network type. This gave him three input fields to work with: Name, Username and Password.
"On testing I came to know that there is no character limit in the three fields," Joseph explains on his blog. "We can enter as many characters as we like to that field. Perfect for creating an overflow."
Joseph reasoned that he could crash the software by feeding these fields more data than iOS could handle, and saw that nothing stopped him from trying. He typed thousands of random characters into each of the three text boxes until the iPad froze. Pressing the Home button after it froze, however, simply returned the iPad to the Activation Lock screen.
Undeterred, Joseph tried again. This time, once the iPad had frozen, he locked it by closing Apple's magnetic Smart Cover over the screen. When he opened the cover the iPad was still on the same screen, but after "20 to 25 seconds" it crashed through to the iOS home screen. This bypassed Activation Lock and gave Joseph full access to the iPad. It isn't clear whether he could then have removed the original owner's account from the device without their iCloud password, but the lock screen had nonetheless been defeated with tens of thousands of characters and a Smart Cover.
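The root of the bug Joseph found was a text field with no length limit feeding a credential into a network stack that was never designed to receive 10,000 characters. The following is an added example, not Apple's code and not from Joseph's blog, of the kind of bound a Wi-Fi settings screen should enforce before a WPA2 Enterprise credential ever reaches the supplicant. The limits are taken from the protocols the three fields feed into (an 802.11 SSID is at most 32 octets, a RADIUS attribute value such as User-Name is at most 253 octets, and a RADIUS User-Password is at most 128 octets); the function names are hypothetical, and the probe at the end reproduces the shape of Joseph's test with a constructed 10,000-character string in each field.

```python
# Added illustrative example: bounding WPA2 Enterprise credential fields
# in bytes before they are handed to the supplicant. Not Apple's code.

MAX_SSID_BYTES = 32        # IEEE 802.11 SSID length limit
MAX_USERNAME_BYTES = 253   # RADIUS attribute value limit (User-Name)
MAX_PASSWORD_BYTES = 128   # RADIUS User-Password limit (RFC 2865)


class FieldTooLong(ValueError):
    """Raised when a field exceeds the limit of the protocol it feeds."""


def check_field(name, value, limit):
    """Encode `value` as UTF-8 and reject it if it exceeds `limit` octets.

    The check is on bytes, not characters, because the protocol limits are
    octet counts and a user can type multi-byte characters into the field.
    """
    data = value.encode("utf-8")
    if len(data) > limit:
        raise FieldTooLong(f"{name}: {len(data)} bytes exceeds {limit}")
    return data


def validate_enterprise_credentials(ssid, username, password):
    """Return the three fields encoded for the wire, or raise FieldTooLong.

    This is the bound that was missing from the Activation Lock Wi-Fi
    screen: every field is checked before anything downstream sees it.
    """
    return {
        "ssid": check_field("ssid", ssid, MAX_SSID_BYTES),
        "username": check_field("username", username, MAX_USERNAME_BYTES),
        "password": check_field("password", password, MAX_PASSWORD_BYTES),
    }


def oversized_input_is_rejected(length=10_000):
    """Probe each field with a constructed `length`-character string, as
    Joseph did by hand, and report whether every one is rejected.

    Returns True only if all three fields refuse the oversized input.
    """
    junk = "A" * length
    for field in ("ssid", "username", "password"):
        kwargs = {"ssid": "corp", "username": "user", "password": "pw"}
        kwargs[field] = junk
        try:
            validate_enterprise_credentials(**kwargs)
            return False  # an oversized field was accepted
        except FieldTooLong:
            pass
    return True


if __name__ == "__main__":
    print("10,000-char fields rejected:", oversized_input_is_rejected())
```

Checking in bytes rather than characters matters: sixteen two-byte characters fill a 32-octet SSID exactly, while a seventeenth would be accepted by a naive character count and overrun the field on the wire.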
Joseph performed the hack on 27 October, reported it to Apple on 4 November, got a reply the next day and Apple released a software update fixing the flaw on all iOS devices on 16 November.
IBTimes UK has contacted Joseph and asked to see a video he recorded of the hack; we have also contacted Apple for comment and will update this article when we receive a reply.
© Copyright IBTimes 2024. All rights reserved.