If you think your iPad 2 is completely secure after enabling the passcode protection feature for iOS 5, then think again.
Apple blog 9to5 Mac, citing a German site, reported a security flaw that allows anyone with one of Apple’s Smart Covers to gain access to the device — giving them free rein on emails, messages, browser history, contacts and any application with stored login information (Facebook, mobile bank account apps, Twitter, etc.).
The flaw can be exploited on a locked iPad 2 by holding down the power button, which will eventually prompt you to slide a horizontal scroll button to turn off the device. With the “power off” screen still up, close the smart cover. When you lift up the cover again the “power off” screen is still present, but clicking cancel brings you to the home screen — thus bypassing the need to enter in the correct passcode.
The trigger seems to be when the iPad is put to sleep (locked), which cannot be done by clicking the power button again. However, the iPad 2 can get around this because it uses magnet sensors from the Smart Cover to lock the device when the cover is on and unlock it when taken off. Since the first generation iPad isn’t compatible with Smart Covers, it doesn’t suffer from the flaw.
Some iPad owners are reporting that the security exploit isn’t limited to iOS 5, and will also work on version 4.3 of the operating system. I can’t confirm if this is the true because I don’t have an iPad running 4.3, nor do I have the desire to roll back the operating system to an earlier version. Although, anyone who is running 4.3 on their iPad is more than welcome to test the exploit and let us know if it works. (Just drop us a comment below, or email us at firstname.lastname@example.org.)
Presumably, Apple will issue a fix in the next iOS update, which is due out any day now. In the meantime, if you’re worried about your iPad 2 geting compromised before the update is released, there is a temporary solution. As 9to5 Mac points out, iPad owners can disable the Smart Cover locking/unlocking function found in the Settings app under the “General” tab.
VB's research team is studying mobile user acquisition... Chime in here, and we’ll share the results.