Apple's iCloud Activation Lock, designed to disable stolen iOS devices, can be bypassed by fiddling with the login screen and iPad smart cover, potentially letting thieves wipe the devices and resell them.
In a report published this week, a security blogger identified a creative way to disable Activation Lock. Hemanth Joseph, a self-described "cyber security enthusiast" from India, uploaded a YouTube video in which he floods an iPad's Wi-Fi network login screen with character inputs and then opens and closes its Smart Cover.
Doing so takes advantage of a loophole in Apple's Wi-Fi login system: its password field apparently has no character limit, so entering an extremely long password will cause it to crash, after which opening and closing the iPad's smart cover will cause it to display the home screen. From there, a thief could restore the device as new and sell it online.
The Activation Lock was introduced in iOS 7. When it's working properly, it requires an Apple ID and password to reactivate an iOS device if its owner loses it and remotely wipes it using the Find My iPhone feature.
In a blog post, Joseph wrote that he shared his findings with Apple on Nov. 4, and the company responded a few days later that it was investigating the issue. An Apple representative did not immediately respond to a request for comment about its plans to fix the vulnerability.
The Activation Lock feature has been a hacking target before. In 2014, two hackers released a tool that allowed users to plug a bricked iOS device into their computer and alter the "hosts" file inside. The iPhone or iPad was then tricked into connecting to a hacked server, which unlocked the gadget.