With the number of iOS devices out there in the wild, you can bet that if even the most obscure, ridiculous vulnerability exists in the software, someone is going to discover it sooner or later. A new bug in iOS 10.1 and 10.1.1, posted on Vulnerability Lab, seemingly allows users to bypass the iCloud activation lock on lost or stolen devices.
The vulnerability, which is being credited to Benjamin Kunz Mejri, works by bogging down the operating system while it’s in an activation lock state, via a flood of characters in the Wi-Fi connection input fields.
When a device has been remotely locked by a user, the device requires an iCloud sign-in in order to unlock it. In order to actually complete the log in, the device has to connect to the internet, and one of the options for doing so is to sign in to a locked Wi-Fi network.
By initiating the Wi-Fi sign-in process, the user is given two text input fields with unlimited character limits. Kunz Mejri discovered that by spamming characters into both fields, copying and pasting huge chunks of text over and over again, the entire system crawls to a halt. Then, if the device is put to sleep by a Smart Cover, when the cover is opened again the activation lock is gone and the user can navigate the home screen.
As TechCrunch reports, the initial version of this exploit was discovered by Hemanth Joseph of Slash Secure, and it affected iOS 10.1. The rollout of iOS 10.1 seemingly fixed the crash, but Kunz Mejri figured out that he could still initiate the activation lock crash by using Night Shift mode while also turning the device back and forth on its side and prompting the perspective to switch. Eventually it seems the operating system just gives up on life and lets the attacker in.
It seems like a simple character limit safety net would solve the issue entirely, though we’ll clearly have to wait until Apple fully plugs the hole before calling the all clear.