iOS 7 Bug Allows Disabling of 'Find My iPhone' Without Password

[garylapointe]

Airplane mode

Can't you thwart FindMyiPhone by just putting the phone in airplane mode?!?

If the iPhone owner has that enabled on the lock screen, the thief has all sorts of time. (Next step get the passcode wrong 10 times and the iPhone erases itself!).

Regardless, you've still got the Apple's Activation Lock issue when you want to reset it up...

Gary

 

[zeromeus]

No point to this exploit, really.

People who don't have a passcode on their phone aren't likely to turn on find my iPhone anyway, so there really is no point to this exploit.

 

[Blorzoga]

I can tell you I had a friend robbed at gunpoint and the thief asked for his wallet and phone. When he saw it was an iPhone he proceeded to tell him to disable passlock and disable Find My iPhone and then delete his iCloud account. This was in Koreatown in LA. Now thieves will get smarter. I know I don't have a passcode on my iPhone despite all this, but maybe Apple can do something like home security systems where there is a separate code than your own which will act like it disabling your system, but instead sending a silent alert. You would enter this code on the unlock screen and it would "unlock" the phone, but somehow already send an alert to Apple so that no matter what the guy does, it still has everything on and tracking to be wiped later.

Blackberry actually has this feature. It allows the phone to be unlocked by putting the last digit of the passcode first. The phone will unlock (satisfying the person holding the gun to your head) but it also sends a duress email to a predefined email address.

 

[RedOrchestra]

I can tell you I had a friend robbed at gunpoint and the thief asked for his wallet and phone. When he saw it was an iPhone he proceeded to tell him to disable passlock and disable Find My iPhone and then delete his iCloud account. This was in Koreatown in LA. Now thieves will get smarter. I know I don't have a passcode on my iPhone despite all this, but maybe Apple can do something like home security systems where there is a separate code than your own which will act like it disabling your system, but instead sending a silent alert. You would enter this code on the unlock screen and it would "unlock" the phone, but somehow already send an alert to Apple so that no matter what the guy does, it still has everything on and tracking to be wiped later.

This is OVER-THE-MOON.

 

[s15119]

Frankly, I'm disgusted that you post HOW to accomplish this. It's totally irresponsible. It's behavior I would expect from a kiddie warez site, not a responsible tech blog.

 

[Galagor]

Good thing I have a passcode. Also, jailbreaking is awesome.

----------

Frankly, I'm disgusted that you post HOW to accomplish this. It's totally irresponsible. It's behavior I would expect from a kiddie warez site, not a responsible tech blog.

It's an easy-to-fix problem that is going to be patched anyway. Better to warn the users, who can easily just enable the passcode, than to hope nobody evil finds out about it.

----------

Can't you thwart FindMyiPhone by just putting the phone in airplane mode?!?

Well, if the dirty scum intends to leave the iPhone in airplane mode forever… yes.

----------

I know I don't have a passcode on my iPhone despite all this, but maybe Apple can do something like home security systems where there is a separate code than your own which will act like it disabling your system, but instead sending a silent alert. You would enter this code on the unlock screen and it would "unlock" the phone, but somehow already send an alert to Apple so that no matter what the guy does, it still has everything on and tracking to be wiped later.

That's a good idea. I hope they do this.

----------

Or just swipe up form the bottom and put the phone into Airplane mode until you can wipe it and reset it entirely.

(Yes, assuming that menu wasn't disabled by a smart user)

As far as I know, you can't wipe it to disable Find My iPhone now that there's Activation Lock. Apple finally got serious about it.

 

[MisakixMikasa]

Frankly, I'm disgusted that you post HOW to accomplish this. It's totally irresponsible. It's behavior I would expect from a kiddie warez site, not a responsible tech blog.

The information is out there. Does not matter wather OP posted or not. It does not affect anything.

 

[dylin]

A quick fix

It might help to start enabling certain restrictions. This may not be the best way, but its an easy way to prevent someone from easily changing your settings

Go into general and then click on restrictions.

After that, be sure to enable it.

Then you will be prompted to make a passcode for it. Don't for get it

Make your way down to accounts and be sure to Check off don't allow changes.

Go back into Settings, and you will see that the iCloud tab is faded and cannot be accessed.

 

[Tech198]

this isn't the first, and probably not the last we've heard of a "bypass of password" type issue.

Apple makes this same thing, and the fact their are the number of vulnerabilities just to overcome this or "getting around a phone that's locked", is just bad.


Then again... Maybe all this is why Apple is popular phones....

You gotta take the bad with the good. I don't use Find My iPhone anyway, as i know where my phone is at all times,,, And if i "accidentally" loose it, it means i haven't put it somewhere safe to begin with... (That's not gonna happen) since i always keep in on me belt... (belt pouch with magnetic cover) and it never comes off till I choose too.


Convenience doesn't always pay off as in security.

 

[Septembersrain]

Just always use a passcode or touch ID. They have to get to settings right? Well make sure they can't!

 

[reel2reel]

Don't you folks at MacRumors realize that by posting a thread like this, you tip off thieves to a way of successfully thwarting Apple's find-my-iphone security. Maybe this should not be posted?!?!?!? Now you've given every thief who monitors this site a head start until Apple fixes. Well done MacRumors!!!!

That's how you get things done, son.

 

[nepalisherpa]

Only in limited markets....

Yes, but it does not matter. If Apple comes out with another update before 7.1, it has to be 7.0.6.

 

[tehpwnerer19]

Thanks for posting a how-to video...

That's just what we needed...

SMH

 

[C DM]

this isn't the first, and probably not the last we've heard of a "bypass of password" type issue.

Apple makes this same thing, and the fact their are the number of vulnerabilities just to overcome this or "getting around a phone that's locked", is just bad.


Then again... Maybe all this is why Apple is popular phones....

You gotta take the bad with the good. I don't use Find My iPhone anyway, as i know where my phone is at all times,,, And if i "accidentally" loose it, it means i haven't put it somewhere safe to begin with... (That's not gonna happen) since i always keep in on me belt... (belt pouch with magnetic cover) and it never comes off till I choose too.


Convenience doesn't always pay off as in security.

With iOS 7 big part of the usefulness of Find My iPhone is Activation Lock.

 

[livit]

This really is a big deal. Apple really should prioritize getting a fix for this included in 7.1, but probably won't.

 

[C DM]

This really is a big deal. But not sure if Apple will include a fix for the 7.1 even though.

Seems like people mentioned that it already can't be reproduced in the latest iOS 7.1 beta.

 

[MarcKerr]

You first have to unlock phone so this whole hack is useless for thieves..

It's only useless if people have a passcode to unlock their phone. I bet most people don't set a useful passcode. 1234 is probably rather common or 4444. And how many people have a passcode over 4 numbers or an alphanumeric? I bet it's less than 10% of iOS users. Admittedly the alphanumeric one is a pain in the a$$ on an iPhone.

 

[C DM]

It's only useless if people have a passcode to unlock their phone. I bet most people don't set a useful passcode. 1234 is probably rather common or 4444. And how many people have a passcode over 4 numbers or an alphanumeric? I bet it's less than 10% of iOS users. Admittedly the alphanumeric one is a pain in the a$$ on an iPhone.

Seems like a non 1234 or 1111 generic type of passcode would be a good enough deterrent in the vast majority of the cases.

 

[mdelvecchio]

Don't you folks at MacRumors realize that by posting a thread like this, you tip off thieves to a way of successfully thwarting Apple's find-my-iphone security. Maybe this should not be posted?!?!?!? Now you've given every thief who monitors this site a head start until Apple fixes. Well done MacRumors!!!!

you're so high. most thugs have never heard of this site.

further, do yourself a favor and research "security by obscurity", and learn why it's false security.

----------

There is always some obscure security bug that affects iOS. I find it astonishing that Apple [don't] know about them

yes, and thats because software is hard. which is why we make a lot of money doing it. iOS 7 is much more complex than the original iPhone OS. w/ complexity come bugs.

 

[Paddle1]

Wow, talk about getting it backwards. GM is declared AFTER the critical issues are fixed- the act of declaring GM doesn't magically fix anything. If Apple could do that, they would.

They have a timeline for release, they fix many known issues from the betas and release it as GM when they're ready. GM's still have bugs you know. They've even had multiple GM's before.

 

[Parasprite]

It's only useless if people have a passcode to unlock their phone. I bet most people don't set a useful passcode. 1234 is probably rather common or 4444. And how many people have a passcode over 4 numbers or an alphanumeric? I bet it's less than 10% of iOS users. Admittedly the alphanumeric one is a pain in the a$$ on an iPhone.

I really wish they allowed numeric passcodes longer than 4 characters (keeping the pinpad I mean). I don't mind typing in long passwords but I won't do alphanumeric for this very reason.

----------

Seems like a non 1234 or 1111 generic type of passcode would be a good enough deterrent in the vast majority of the cases.

I like to write badly written 4-digit numbers on the back of my debit card because it's likely that someone who wants to use my card will attempt a few invalid combinations and freeze the card for me.

Perhaps I could find a believable way to do that for my phone.

 

[karac54]

Restrictions solves this

Turning on restrictions and not allowing changes to "accounts" fixes this vulnerability. Bug squashed.

 

[C DM]

Turning on restrictions and not allowing changes to "accounts" fixes this vulnerability. Bug squashed.

Well, technically speaking that would be more of a workaround than a fix (a fix would actually fix it without that, and is seemingly part of iOS 7.1).

 

[PNutts]

So... I haven't visited the video since it was announced a few days ago. In the comments of it there was a discussion on whether it is a valid scenario due to the iCloud accounts he used. Is there still any question on whether this is a valid exploit? Now I'll have to go back and look.

 

[checker2010]

Let's be clear, THIS DOES NOT DISABLE FIND MY IPHONE/ACTIVATION LOCK.

I have tested it and while it shows find my iPhone is off in the settings app (which is a graphical bug), it is actually still active which is proven when you try to erase the phone or reactivate the phone.

No doubt 7.1 will fix the graphical bug, but there's no underlying issue for Apple to fix.