So Before Starting
What is iCloud Activation Lock / Find My iPhone Activation Lock?
“Find My iPhone includes Activation Lock—a feature that’s designed to prevent anyone else from using your iPhone, iPad, iPod touch, or Apple Watch if it’s ever lost or stolen. Activation Lock is enabled automatically when you turn on Find My iPhone.

When you enable Find My iPhone on your iPhone, iPad, or iPod touch, your Apple ID is securely stored on Apple’s activation servers and linked to your device. From that point on, your password is required before anyone can turn off Find My iPhone on your device, erase your device, or reactivate and use your device.

If you forget your password and can’t reset it, you’ll lose access to your Apple ID and might be unable to use or reactivate your device. If you purchase an iOS device with an Activation Lock, contact the previous owner as soon as possible and ask them to erase the device and remove it from their account.”
Source : https://support.apple.com/en-us/HT201365
In simple words, iPhone Activation Lock is a security measure that prevents an attacker from using a stolen iPad/iPhone and thereby from reaching the personal data on it. When the feature is enabled and the thief turns the device on, the Setup Assistant prompts them to join a Wi-Fi network so that the device can ask Apple's activation servers whether Activation Lock is on or not. Since it is on in our case, the device then asks for the username and password of the iCloud account linked to that iPad (i.e. our iCloud details). Without those credentials the attacker cannot activate the device, which protects all our data by making the iPad useless to him.
Are there any working bypasses?
A big NO.
Go through : https://www.quora.com/Can-the-iCloud-lock-be-broken
There is a so-called DNS bypass, but it only redirects the activation check to some other server and lets you browse the web from a captive page. You get no access to the iPad/iPhone data or to the Home screen.
The Impact
If an attacker can unlock an iCloud-locked iOS device, he gets access to all of your personal data: documents, saved passwords, and so on. He can also sell the iPad, since it will work normally.
The Story
Last month I bought a used iPad Air running iOS 10.1 from eBay for a friend, and that iPad turned out to have Activation Lock enabled. We got FOOLED, thank you eBay. As I was new to iOS I browsed a lot for a working bypass. GOT NOTHING! SO THAT'S A BRICK IN OUR HANDS!
The Exploit
When I turned on the iPad Air it welcomed me with the setup screens (language selection and so on). After that the iPad prompted me to connect to a Wi-Fi network so that it could check the activation status. I connected it to Wi-Fi, and after the check the iPad showed me a username and password field, which means it is locked and I need to enter the iCloud details of the previous owner.
So how can I bypass it?
The iCloud lock prompt is a software layer (part of the Setup Assistant), so if I can crash it, it may drop me to the Home screen.
So how can I crash it?
An overflow??? But where?
The Attack
(Images are screenshots from the video I made while reporting the issue.)
Under Choose a Wi-Fi Network there was one option, Choose Another Network.
Selecting that option takes us to a screen with a Name field and a Security option.
That's just one input field, and I can't create an overflow if it has a character limit. But if we tap the Security option, alongside the other security protocols (WEP, WPA, etc.) there is WPA2 Enterprise.
Select WPA2 Enterprise and it gives two more input fields, Username and Password. So now we have three input fields: Name, Username, Password.
On testing I found that there is no character limit on those three fields, i.e. we can enter as many characters as we like. Perfect for creating an overflow.
Keep typing or pasting characters in bulk into all three fields until the iPad freezes.
I waited a bit to see whether the iPad would recover. Nothing happened: it neither recovered nor crashed.
After waiting a little more I pressed the lock button, and it took me back to the welcome screen again 🙁
WTF ?
Is there any way left to create an overflow and crash that app layer through to the Home screen?
YES
The iPad Smart Case
What an iPad Smart Case does is this: if we lock the screen by closing the magnetic Smart Case and unlock it by opening the case, the device comes back to the same screen it was on, which re-submits the request.
So I followed the steps again until the iPad froze, locked it using the Smart Case, then unlocked it by opening the case and waited a bit.
After 20-25 seconds the Add Wi-Fi Connection screen crashed through to the iPad Home screen, thereby bypassing the so-called Find My iPhone Activation Lock.
The issue I exploited: there was no character limit on those input fields. No one sets a Wi-Fi name or a password of 10,000 characters (the 802.11 standard caps an SSID at 32 octets and a WPA2 passphrase at 63 characters), so a character limit on those fields is the right fix for this bug. Note that what the screenshots show is the Wi-Fi setup screen crashing under oversized input; whether that crash is a memory-safety overflow or simply an unhandled failure in the UI layer is not established here, but either way the missing length check is the exposed surface.
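As an added example (not the author's code and not Apple's), here is how a Wi-Fi join form like the one described above should bound its inputs: each of the three fields from the write-up, network name, WPA2 Enterprise username and password, plus the WPA2 Personal passphrase and WEP key, gets a length and character-set check before the request is handed to the Wi-Fi stack, and a 10,000-character paste is rejected at the form. The SSID, WPA2-PSK and WEP limits are the standard's own; the 255-byte cap on the enterprise username and password, the field names and the "bulk paste" input are assumptions constructed for this example.

```python
"""Length and character-set validation for a Wi-Fi "Other Network" form.

Added example, not Apple's code. Standard limits: an SSID is 0..32 octets
(IEEE 802.11); a WPA/WPA2 Personal passphrase is 8-63 printable ASCII
characters or exactly 64 hex digits (IEEE 802.11i); a WEP key is 5/13 ASCII
or 10/26 hex characters. The 255-byte cap on the WPA2 Enterprise username
and password is an assumption made for this example.
"""

import string

SSID_MAX_OCTETS = 32               # IEEE 802.11: SSID element is 0..32 octets
PSK_MIN_LEN, PSK_MAX_LEN = 8, 63   # IEEE 802.11i: ASCII passphrase length
PSK_HEX_LEN = 64                   # or the raw 256-bit PSK as 64 hex digits
EAP_FIELD_MAX_BYTES = 255          # assumed cap for enterprise fields (hypothetical)

SECURITY_MODES = {"None", "WEP", "WPA", "WPA2", "WPA2 Enterprise"}


def _printable_ascii(text: str) -> bool:
    return all(32 <= ord(c) <= 126 for c in text)


def check_ssid(ssid: str):
    """Return None if the network name is acceptable, else a reason string."""
    data = ssid.encode("utf-8")          # the limit is on octets, not characters
    if not data:
        return "network name is empty"
    if len(data) > SSID_MAX_OCTETS:
        return f"network name is {len(data)} octets, limit is {SSID_MAX_OCTETS}"
    return None


def check_psk(passphrase: str):
    """WPA/WPA2 Personal: 8-63 printable ASCII chars, or 64 hex digits."""
    if len(passphrase) == PSK_HEX_LEN and all(c in string.hexdigits for c in passphrase):
        return None
    if not PSK_MIN_LEN <= len(passphrase) <= PSK_MAX_LEN:
        return f"passphrase length {len(passphrase)} outside {PSK_MIN_LEN}-{PSK_MAX_LEN}"
    if not _printable_ascii(passphrase):
        return "passphrase contains non-printable or non-ASCII characters"
    return None


def check_wep_key(key: str):
    """WEP: 5 or 13 ASCII characters (40/104-bit), or 10 or 26 hex digits."""
    if len(key) in (10, 26) and all(c in string.hexdigits for c in key):
        return None
    if len(key) in (5, 13) and _printable_ascii(key):
        return None
    return f"WEP key length {len(key)} is not 5/13 ASCII or 10/26 hex characters"


def check_eap_field(value: str, name: str):
    """WPA2 Enterprise username/password: bounded length, no control characters."""
    data = value.encode("utf-8")
    if not data:
        return f"{name} is empty"
    if len(data) > EAP_FIELD_MAX_BYTES:
        return f"{name} is {len(data)} bytes, limit is {EAP_FIELD_MAX_BYTES}"
    if any(ord(c) < 32 or ord(c) == 127 for c in value):
        return f"{name} contains control characters"
    return None


def check_join_request(ssid, security, passphrase=None, username=None, password=None):
    """Validate the whole form. Returns None if the request may proceed to the
    Wi-Fi stack, otherwise the first rejection reason (a string)."""
    if security not in SECURITY_MODES:
        return f"unknown security mode {security!r}"
    reason = check_ssid(ssid)
    if reason:
        return reason
    if security == "WEP":
        return check_wep_key(passphrase or "")
    if security in {"WPA", "WPA2"}:
        return check_psk(passphrase or "")
    if security == "WPA2 Enterprise":
        return (check_eap_field(username or "", "username")
                or check_eap_field(password or "", "password"))
    return None                          # open network: only the SSID matters


def demo_bulk_paste(length: int = 10_000) -> dict:
    """Constructed input modelled on the write-up: paste `length` characters
    into one WPA2 Enterprise field at a time and report how each is rejected."""
    bulk = "A" * length
    return {
        "name": check_join_request(bulk, "WPA2 Enterprise", username="u", password="p"),
        "username": check_join_request("corpnet", "WPA2 Enterprise", username=bulk, password="p"),
        "password": check_join_request("corpnet", "WPA2 Enterprise", username="u", password=bulk),
    }


if __name__ == "__main__":
    for field, reason in demo_bulk_paste().items():
        print(f"{field}: {reason}")
```

The checks run on the form's own thread and return a reason string rather than raising, so the UI can show the error and never hands an unbounded string to the layer below it; measuring the SSID in UTF-8 octets rather than characters matters because a 17-character name of two-byte characters already exceeds the 32-octet limit.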
In addition, there exists a bug called the Black Screen Mode which allows accessing data without unlocking the device, using a previously synced device.
Apple addressed these vulnerabilities in iOS 10.2.1.
Check its security documentation for more details.
Timeline
Nov. 4 – Issue Reported to Apple
Nov. 5 – Got Reply asking for more info and video
Nov. 5 – Mailed additional Information
Nov. 16 – Security update fixing this flaw released for all iOS devices
Great… Did apple pay for this??
Awesome…
Awesome..👍
Nice work..keep doing…all the best
Nice write-up!
If you still need to remove Activation Lock, you can usually print out your eBay proof of purchase, and go to an Apple Store. I've only seen a few times where they refused to remove it with proof of purchase.
So Apple patched this on November 16th?