One of the ways Apple has tried to discourage iPhone thieves is by introducing a security feature called Activation Lock. Basically anytime you try to disable features like Find My iPhone or to factory reset it, you will be prompted to enter your Apple ID password to verify that you are who you say you are.
This means that thieves who steal iPhones won’t be able to wipe the phones and resell them. Unfortunately it seems that researchers have managed to bypass Activation Lock not just once, but twice. The first time was done by security researcher Hemanth Joseph who managed to crash the security software layer through excessively long strings of characters in the iPad WiFi’s setup text field.
Apple reportedly fixed this in the iOS 10.1.1 update (which also seems to have brought about some battery issues), but apparently it seems that the folks at Vulnerability Labs have managed to replicate the flaw via a slightly different method (but same concept). Apple has yet to address that issue, but we can only imagine that they will in the next update.
The researchers claim that this works on both the iPhone and iPad. This is no doubt a rather critical issue that Apple needs to look into. In the meantime you can check out a demo of the vulnerability being exploited in the video above.