My colleague Joe over at iSource reported on this last night and I have tested it out and confirmed the hack works just as described – like so:
- Take a locked, passcode-protected iPad, and wake it up, but do not enter a passcode
- Hold the power button until the “Swipe to turn off” button appears.
- Close the Smart Cover (or use a magnet)
- Open the Smart Cover
- Hit “Cancel” at the bottom of the screen (to cancel the shutdown)
This will leave you wherever the iPad 2 was prior to being locked. So if you were last in the Mail app, someone using this hack would be left staring at your Inbox and able to use it (though they will not be able to switch to any other apps). If you were last at the home screen, an attacker would be able to see your installed apps but not launch them.
I’m not worried about anyone seeing what apps are on my home screens, but someone getting immediate access to my email if I left off on that screen is a huge concern of course.
Currently, while we await a fix from Apple, there are two options to address this security gap:
1. Disable the option to unlock the iPad with the Smart Cover in Settings
2. Always go to the Home Screen before you put down/lock your iPad
Option 2 means the exploit is still possible but an attacker can only see your home screen, not run any apps. Option 1 takes away the vulnerability but also takes away a much-loved feature for the iPad 2 and the smart cover.
Here’s hoping Apple addresses this issue very soon with a firmware update.