back to article 5 SECONDS to bypass an iPad 2 password

The password protection of an iPad 2 running iOS 5 can be circumvented in less than five seconds with just three simple steps. Bypassing the unlock screen on iPad 2 can be accomplished by first pressing the power button until the power-off screen is displayed. Users then need only to close and reopen the fondleslab's 'smart …

COMMENTS

This topic is closed for new posts.
  1. Pink Duck
    Meh

    Proof positive that Apple care about your security.

    1. Ammaross Danan
      FAIL

      Patch

      They'll likely patch it...about as quickly, and accurately as they did with the Daylight Savings Time shifts....

    2. Scorchio!!
      Happy

      "Proof positive that Apple care about your security."

      But Apple products do not have security problems. Security problems are for Pee Cee's! If only Steve Jobs were here to answer a few questions about this.

  2. D@v3
    Meh

    only a minor issue, really.

    1) you can only access the app that was open when the cover was closed.

    Obviously, I can't speak for anyone else, but i always go back to the home screen before locking mine anyway. (force of habit, OCD, what ever...)

    2) only effects those who use a 'smart cover'. The smart function of which can easily be disabled in the settings. Seriously, is it that hard to press a button when you open the cover? The 3rd party cover i have _is_ 'smart' but after 5 mins of finding it wasn't very effective, i turned off the feature.

    1. Phil Endecott

      Re: only a minor issue, really.

      > only effects those who use a 'smart cover'

      The attacker can bring their own cover, or use a magnet.

    2. Anonymous Coward
      Stop

      Not necessarily...

      The functionality of a smart cover can be replicated with a magnet, so not having a smart cover doesn't protect you - turning off the smart cover function in the preferences is the bit that's key. (But this is old news, anyway - broken last week by other sites. That said, you'd expect perhaps a fix by now...)

    3. TheOtherJola
      WTF?

      Only a minor issue, really

      O hai guise, I heard about the feature on my front door whereby anyone can get in, regardless of using the security features built in to the door (i.e. the yale lock). Here's why the vendor is still great:

      1) you can only access the hall of my house. If I've left some stuff in there, then yeah, you can get to it, but since I tidy my hall up quite a bit (doesn't everyone?) this isn't an issue.

      2) only AFFECTS those who use a magnet-based sensor, and not many people have those.

      Stop trolling, guise - it's not that big a deal, you're just holding it wrong!

      1. Anonymous Coward
        Anonymous Coward

        @Jola

        I'm missing item 3:

        3) I went into great efforts to board up all the other doors in my hallway so no one can come in or out ;-)

      2. BristolBachelor Gold badge
        Coat

        @TheOtherJola

        I seem to have misunderstood your post. Are you saying that you accidentally superglued the key into your front-door Yale lock, so anyone can open it?

    4. Colin Millar

      Congratulations

      You have just won first prize in the sycophant of the year competition

    5. Anonymous Coward
      Anonymous Coward

      Re: only a minor issue, really.

      > 1) you can only access the app that was open when the cover was closed.

      That is still one app too many.

    6. Grease Monkey Silver badge

      @D@v3 why is it that fanbois will always play down every Apple security issue. Just because your return to the home screen does not mean that everybody else does, more importantly it does not mean that everybody else *should*. However as a fanboi presumably you feel that Apple are infallible and users should work round security issues. Oh sorry, my bad. It's not a security issue is it? It's a feature and users who are at risk are actually doing it wrong. Or at least that's what the Big Jobs would tell us were he still around.

      If Apple had coded this right you wouldn't need to work around it would you. It's crap coding and crap testing plain and simple.

  3. Tim Brown 1
    Facepalm

    Great...

    So Apple go to great lengths to secure the iPad so that we can't (legitimately) run customised software on it then make a total screwup of proper security for our data.

    1. Evil Auditor Silver badge

      @Tim Brown 1

      What did you expect?! "Security focus" in Applespeak means securing Apple's business and profits. And yes, this holds true not just for Apple.

    2. Andy ORourke
      Joke

      What you are missing.......

      Is that the guy in the Video wasnt using the device in an apple aproved manner, obviously any deviation from the deivce operating instructions renders the warranty null and void and will get a stern letter of warning from Apples iLawyers (or a letter telling him that the "gestures" he used to acehive this have now been patented)

  4. Graeme 7
    Coffee/keyboard

    4 finger swipe?

    I've not watched the video, (flash issues) so don't know if it is only the home button that will relock the screen. However on iOS5 a four finger swipe up will bring up all background apps, so you could access those that way, and since once used everything stays available in the background you should get access to everything of use.

    1. jubtastic1

      Just tested this

      4 finger swipes don't work, so you're limited to whatever the active app was when you locked it.

      I'd expect an OTA patch for this fairly promptly.

      1. Anonymous Coward
        WTF?

        I'd expect an OTA patch for this fairly promptly.

        Ha ha ha ha ha haaaa haaaaaa.

        This is Apple we are talking about. 2nd only to Oracle when it comes to shit timescales for security issues.

      2. Afflicted.John
        Thumb Up

        OTA patch

        Would that be the functionality similar to that offered in Android? Hmmmm.....if only they could patent it?!

    2. Ian Yates
      WTF?

      Four finger swipe?

      Really? At some point there are going to be too many gestures for people to remember, or they'll just be too complicated to perform.

    3. relpy
      Stop

      Won't work, Apple have a patent on that kind of thing so nobody's can do that without a licence.

  5. cocknee
    FAIL

    Lame

    "As enterprise IT blog BringYourOwnIT.com notes, one obvious workaround would be to instruct users to close any foreground application before locking their iPad."

    Trust users with security? Surely some mistake?

    Just like:

    - Don't leave your laptop in the boot of your car

    - Don't copy customer/patient/employee data to that memory stick

    - Don't read sensitive documents on the train

    - Don't expose national security documents as you walk into No10

    - etc ad nauseum

    Alternatively,

    Get Apple to fix the bloody bug PDQ and ban iPad's for anything remotely sensitive until they do.

    1. cosymart
      Trollface

      Missed one

      Don't send your readers/users email addresses to man+dog.

      Sorry El Reg :-p

      PS not a lot of point in posting anonymously.

  6. Solly
    FAIL

    It just works....

  7. Captain Haddock
    Gimp

    All they are going to get...

    ...is my last session of Angry birds.

    Bothered.

    1. Grease Monkey Silver badge

      Which tells us that you think that's all your fondleslab is good for.

  8. Anonymous Coward
    FAIL

    I mean seriously..

    Did anyone actually think the iPad2 was secure? it's hardly a business tool, it doesn't even support filesystem encryption.

    My Asus Transformer supported that since the outset, and it's a standard feature in Android 4.0.

    1. Anonymous Coward
      Anonymous Coward

      Exactly ...

      But I find it astonishing and terrifying just how often and how increasingly they are being used as proper business tools and are used to tote around really quite sensitive data more and more. Shudder ... I wouldn't even use one of these things to carry around my email or address book.

      I can see a really big data infringement case soon. Of course no one will care and will carry on regardless.

  9. Ian Ferguson
    FAIL

    Oh bollocks

    Just tried it and it works. There goes our mobile data compliance.

    Those saying 'it's not a big issue' - it may not be for you, or for private users, but for corporate data protection the issue is more that the hole is there at all, rather than whether the hole is used or not.

    I know the iPad2 isn't an encrypted device, but it at least enforces basic Exchange rules like password protection - or, it's MEANT to.

    1. alan buxey
      Flame

      no encryption

      the fact that is cant do filesystem encryption should be enough for it to fail mobile data compliance :-|

  10. hudster1969
    WTF?

    http://www.theregister.co.uk/Design/graphics/icons/comment/wtf_32.png 5 secs to unlock it but 1min 22secs to listen to some arse talk about it.

  11. JFK
    FAIL

    First iOS patch over the air incoming soon i guess

    If you have it locked on the 'home screen'. A left swipe to the search allows you to see contacts with their primary phone number. And the normal search able context.

    Expect this will get patched soon enough, seems like a good test for their over the magical etherweb incremental icloud software updates.

  12. Anonymous Coward
    Anonymous Coward

    Just press the home button before closing or turn 'iPad Cover Lock / Unlock' off for now in Settings > General.

    At least Apple *will* fix it - unlike a certain Android phone I have that is locked to the network and cannot now (or will ever) be updated unless I want to root it and frig around with trying to get a newer version on.

    1. raving angry loony

      At least you CAN unlock the phone, and it's probably fairly easily rooted, and the phone vendor won't come back and try to deliberately unroot or even brick your phone if you've rooted it.

      But yeah, I guess if you're used to and really need hand holding all the time, it might be hard to understand why others might want to be allowed to cross the street on their own.

  13. Kevin McMurtrie Silver badge

    iOS, MacOS X, and Android

    The problem is that the lockout app launches when the device is awakened, not when the device becomes idle. That creates an opportunity for things to go wrong. I've had my Macbook Pro and Galaxy SII run for several seconds unprotected because the lockout application's launch was delayed by heavy filesystem I/O.

    1. Daniel B.
      Boffin

      Nice!

      That means that the Blackberry is still the only one actually caring about security. The app launches at idle time, always.

  14. Anonymous Coward
    Anonymous Coward

    Storm in a teacup - probably fixed in a matter of days and trivial compared to many of the bugs and poor security practices many companies and users have.

    1. The Indomitable Gall

      Erm... what?

      What on Earth is more trivial than being able to wake up a locked device without knowing the password?

      1. Maliciously Crafted Packet
        Gimp

        Whats more trivial? Oh I don't know...

        possibly the numerous amount of malware infested freebee apps that haunt the -quite frankly dangerous- Android Marketplace.

        You know, the ones that nick your bank account details, passwords and credit card numbers. Thats possibly more trivial.

  15. Fuh Quit
    Thumb Up

    It's not a big issue

    Honestly, it's a consumer device with ease of use first and security some way behind. It's a single user environment so security is never going to be that hot.

    1. Grease Monkey Silver badge

      You might think it's a consumer device. Unfortunately I doubt many senior managers will agree with you. Senior management like their toys and want to use them for corporate tasks and the IT department never have the power to tell them no.

      1. Fuh Quit
        Thumb Up

        I know, I know

        I'm one of the people telling them No (or at least what they can and can't do).

  16. Anonymous Coward
    Anonymous Coward

    Where is iSecure?

    Apple really are embarrassing when it comes to security, especially when you consider that they're built on a BSD heritage.

    The changes are obviously all fluff and no substance, like the girl that looks great but struggles to add 2+2.

  17. Anonymous Coward
    Anonymous Coward

    "Those saying 'it's not a big issue' - it may not be for you, or for private users, but for corporate data protection the issue is more that the hole is there at all, rather than whether the hole is used or not."

    Didn't you see this previous post:

    "Just press the home button before closing or turn 'iPad Cover Lock / Unlock' off for now in Settings > General."

    Simples.

  18. Anonymous Coward
    Anonymous Coward

    Frankly with most users setting the password to 5555 or 0000 or 1234 it's unlikely to be a big issue (when of course that would give them access to the whole device and not just your Angry Birds / home screen etc.).

    People make out as if this is a mega issue when not educating users about proper security - i.e. not allowing unauthorised access in the first place or setting a decent password.

    Plus it will be fixed and probably pretty quickly.

  19. Anonymous Coward
    Anonymous Coward

    How many people do not use password protected / encrypted USB drives?

  20. Anonymous Coward
    Anonymous Coward

    Apple Security

    It just wo.. Wait, what? You're shitting me? You're not? Scratch that...

  21. Steve Todd
    Stop

    Settings -> General -> iPad Cover Lock/Unlock

    Set to Off, wait for patch.

    Tricky one that.

  22. JassMan
    Happy

    I bet Apple have a patent on this and will sue the ass off anyone who dares consider implementing a security flaw. Or.. maybe they missed the opportunity and there is an opening (prior art being completely missing from the US patent system) for Samsung to patent security flaws then force Apple to drop their suits on the Galaxys. They only need to wait 5 weeks for Apple to fail yet again on the security front.

  23. Solomon Grundy
    Meh

    TL/DR

    Sure, there are many ways to prevent this issue; but at the end of the day it is still an issue. Systems security is paid to prevent problems (forecast them, if you will).

    In hindsight there is ALWAYS a way to get into any system/product. If your job is to PROTECT something & your measures have been found failing then it's on the Sec.

    People poke holes in any/everything and at the end of the day someone has to pay for those decisions. Don't blame Micosoft or Apple. The persons that decided easy vs secure & thought they were taking the easy route are to blame.

    Look to the Admins and their greasy, "keep my job because I deserve it" attitude. Truly secure products do exist, but they don't dominate the "fandom" entry level staff. Real security means people telling their bosses, staff, etc NO. That's where most IT folks fall down. They're not interested in security, or even their jobs, they just don't have the stones to say no.

  24. b166er

    So Haddock, you paid £400 for Angry Birds?

    Or you just have a habit of making sure you play Angry Birds before being distracted from your shiny shiny?

    Just face it, that's a fail from Apple.

  25. Eric Hood

    Very bad.

    I have just tested this and it is worse than just looking at the last used screen. The last screen on the iPad I just tested was the home screen. I tried to get into music but that did not work.

    I then swiped back to access the search function. This allows you to search & reveal contact information and so on with any unsuspecting owner none the wiser.

  26. Confuciousmobil

    This was known about last week and has been discussed to death - El Reg is a bit slow off the mark on this one.

    General consensus is that anyone who cares about security doesn't leave apps open anywat and it's a bit 'meh'.

    1. Zippy the Pinhead
      FAIL

      @ Confuciousmobil

      "General consensus is that anyone who cares about security"

      Obviously its not Apple or they would have tested this.

  27. Anonymous Coward
    Anonymous Coward

    Ipod Touch 4G

    Just tried it on on iPod Touch 4G and it has the same problem.

    However, unlike the iPhone 4S, it does not have the option to disable SIri when locked!!!

    1. Steve Todd
      FAIL

      Apple have started shipping smart covers for the iPod Touch?

      That is news!

      Since they haven't, and since it doesn't have a magnetic sensor then you can't possibly have done this.

  28. Chris Harden
    FAIL

    It's not the issue itself....it's the mindset

    My issue with this, isn't in the bug itself, but how Apple missed it - Windows was inherently insecure because of the 'it's single user so lets just patch security over the top' model they used to use. If Apple are thinking the same way with this then what ELSE is inside the thousands of lines of code in there?

    1. Prag Fest
      Gimp

      Not a fail

      Mate, have you ever been involved in any sort of serious software development? It's incredibly complex, you will never get everything 100%, it just doesn't work that way.

      Despite what many 'characters' on this site will tell you, the quality of Apple software is about as good as it gets. Even they miss things from time to time, just the way it is.

      And before some dick jumps in and flames, I'm basing that opinion on many, many years spent coding for OSX, .NET, WIN32, UNIX, Linux, QNX, JAVA and all sorts of shit I can't even remember, so please don't bother.

  29. Anonymous Coward
    Anonymous Coward

    Blah, blah, blah

    It's a fuck up. They'll fix it. Back in your boxes, everyone.

  30. Doug Glass
    Go

    Prayer

    The Sacred J has a prayer line now...use it.

  31. Peter 48
    Stop

    what do you expect

    The iPad (and to some degree the android tablets) are still only over hyped toys, so anyone introducing them in an environment requiring data security and privacy needs their head examining. Sure this is a massive fail for apple, but even if the lock worked perfectly, until they (and android) introduce a randomising position of the keypad / swype gesture all you need to do is inspect the finger smudges on the screen to determine the access code, making these devices about as secure as the first piggie's straw house before the wolf turned up.

  32. Geoff Campbell Silver badge
    Trollface

    <Snigger>

    "It Just Works" just took on a whole new meaning. Again.

    GJC

    1. Grease Monkey Silver badge

      Yup, just about the stupidest advertising slogan ever. It was always going to lay them open to mockery every time something broke. Of course the Big Jobs was so fucking arrogant that he believed that (a) nothing Apple would every break and (b) he could convince everybody it hadn't broken if it did.

  33. Jon Bellamy

    Oh Reg

    Why must every single article on here be hijacked by bitter linux users? Guys we get it, you irrationally hate Microsoft, Apple... well everyone. Give it a rest.

  34. Tigger in Amsterdam
    WTF?

    "Proof positive that Apple care about your security."

    Hmm - I was in a US iStore yesterday asking about CyberSecurity software they were selling on the shelf ; the bloke basically told me not to bother with it as "nothing we sell here needs it".

    So it's official, all us FanBoi's are safe from viruses, hackers, malware, trojans, etc etc - REJOICE!!!!!!

    (Bootnote - I didn't get an answer to my question "well why don't you take it off the shelf then?")

  35. Giles Jones Gold badge

    Typically many computer systems can be unlocked if you have access to the hardware. There's even special software you can use to unlock a computer with a USB drive.

    1. Grease Monkey Silver badge

      Your point being?

  36. Winkypop Silver badge
    FAIL

    Fondleslab

    Fingered!

  37. andy 45
    Mushroom

    @Settings -> General -> iPad Cover Lock/Unlock

    "Settings -> General -> iPad Cover Lock/Unlock #

    Set to Off, wait for patch.

    Tricky one that."

    You forgot one step:

    > Notify all users

    Your suggestion is fine once all owners know there's a problem -- but how many won't -- for ages?

This topic is closed for new posts.

Other stories you might like