Smart Cover Unlock Bug May Lead To iPad 2 Data Exposure
The folks at 9to5 Mac have noticed that Apple's iPad 2 Smart Cover lets you bypass a passcode lock on a device running iOS 5, albeit with limited access to the iPad's applications. Here's how the bug/exploit works.
First, make sure your passcode lock is set to activate immediately when you lock your iPad (this will simplify testing, although the problem is still there if there's a lock delay). Press and hold the iPad 2's power button to elicit the "Slide to Power Off" slider -- but don't slide the control to actually turn it off.
Next, close the Smart Cover over the iPad's display to put the device to sleep. Finally, open the Smart Cover and click Cancel on the power off screen. From there, the iPad will present whatever was last running before you locked it.
Here's where it gets interesting. Whatever you had on screen before locking your iPad is all you'll have access to. If you were on the Home screen, you won't be able to launch any apps, although you could delete one. If you had an app loaded when you locked your iPad, that's the only app you'll be able to run; backing out of the app using the Home button kicks you to the lock screen immediately.
Although the steps to reproduce this behavior specifically single out Apple's Smart Cover, I was able to reproduce this by simply passing a refrigerator magnet along the right edge of my iPad 2 -- so those of you without Smart Covers are still "at risk," though, as you'll see, the risk is relatively small.
The implications of this bug really depend on what app you left running when you closed the cover on your iPad. I tested Settings, Mail, and Safari using this hack, and I had basically unlimited access to all three apps. I was able to send an email to a colleague using Mail, and I was able to post to Twitter in Safari -- all without having to input my passcode first.
That having been said, and acknowledging that this is an iOS 5 bug that needs to be fixed: the opportunities for malice or mischief are pretty slim, and only the truly paranoid should be overworried about this. First of all, I don't know about you, but I never leave my iPad unattended in a public place anyway. I'd be less worried about someone forwarding porn links to my entire Contacts list or looking at my banking info (as if I'd ever leave that up anyway) and more worried about someone walking away with my iPad. Of course, if you have Find My iPad set up on your iCloud account (or an ActiveSync account for your business email), you can remotely wipe your data in a matter of a few clicks.
Second, this exploit is pretty easily defeated by one of two means: either back your iPad out to the Home screen before you lock it (I almost always do this anyway) or, as 9to5 Mac notes, disable the setting that allows your Smart Cover to unlock the iPad. I suppose the biggest worry is what happens if someone does indeed steal your iPad, but given that they'll have relatively limited utility in the things they'll be able to do with it, it's still not likely to be as big of a worry to you as the fact that your device just got ripped off.
The steps to reproduce this bug are fairly obscure, although now that it's being publicized more people may try it (not necessarily including iPad thieves, who most likely don't care about continuing your game of Fruit Ninja). It's also something that Apple's going to have to fix in the next minor update to iOS 5. I don't even have a passcode lock active on my iPad in the first place, so this particular issue doesn't have me shaking in my shoes one bit. Meanwhile, although it's certainly an interesting bug and one with some security implications, iPad 2 users who don't have mischievous little brothers are probably safe for now.