find my iphone ios 7

A major flaw has been discovered in iOS 7 that seemingly allows users to disable the important ‘Find My iPhone’ feature on a device without typing in the typically-required password. Turning off the feature on a stolen device makes it invisible to Apple’s location service.

And what’s worse is, the flaw isn’t difficult to exploit. The bug can be reproduced on any device [that we’ve seen] running iOS 7.0.4 by following a few simple steps that involve making changes in the iCloud section of the Settings app and entering in a dummy password…

Here’s a video demonstration of the flaw, first spotted by MacRumors:

And the accompanying text from the person who discovered the bug:

“MAJOR Security flaw in Find My iPhone iCloud Lock BYPASS. Activation Lock Bypass. This video is to show a security flaw in apple’s find my iphone feature so apple can fix thi. I tried to contact apple and nobody has responded.”

Obviously, this won’t work on a device that has Touch ID or Passcode enabled, since an attacker would have to make it passed the Lock screen to get to the Settings app, and it doesn’t look like the bug disables Activation Lock. But nevertheless, it’s still a fairly big security concern.

We were able to replicate the bug on an iPhone 5s running iOS 7.0.4, and MacRumors confirms it exists on the iPad as well. The good news, though, is that the site says they weren’t able to reproduce the problem on devices running iOS 7.1, suggesting it’s going to be patched soon.

  • jack

    Another intentional law-enforcement backdoor exposed

    • Hmmm, this may actually be one of the NSA backdoors that require physical access to the device…sure can’t wait to see what the wireless backdoor is; nothing stays buried forever.

      • Kamal Ahmad

        I dont think the NSA backdoors would be available to users. I think NSA backdoors would be in kernel and other components not available to the user. And apple said they weren’t planning on ruining privacy.

      • That’s the point of uncovering them. They’re hidden there in the code and it’s just a matter of time that a desperate hacker uncovers them.

        Regarding Apple’s words, what exactly were you expecting them to say? This is capitalism, and they’ll keep denying it until the truth is revealed.

  • Jonathan

    What if I have the description blank at set up, then if a thief gets my device, will he still be able to turn it off?

  • David Gitman

    Looks like it’s gonna fixed in iOS 7.1 beta 6 in two weeks from now

    • Shawn

      Already appears to be fixed in Beta 5

  • moofer

    *past

  • Rached FRIGUI

    Solution : Settings -> General > Restrictions -> Accounts > Don’t Allow changes.

    I’ll not update my iPhone !
    An iPhone without jailbreak is a piece of … 😉

  • calvinneal

    English as a second language?

  • Framboogle

    Great, now all would be thieves know exactly what to do.

    • This is only useful with non pass code locked device, so not so good for thieves.

    • Donovan

      If you don’t have a passcode on your device they will. But, who doesn’t have a passcode?

      • Litchy

        I don’t 😀
        I find typing in the password is incredibly annoying^^
        Still stuck with my iPhone 5. iPhone 5s with TouchID would be different.

  • neez

    Doesn’t matter if they can turn any device off without some sort of password protection.

    • s0me

      You can install ICoughtYou from Cydia, it has an option to disable power down when device is locked.

      • So long as the would-be-thief isn’t an experienced technician or jailbreaker…

      • neez

        That’s the main reason I jailbreak. Too many friends that have been stolen and ‘Find My iPhone’ doesn’t helped at all…

      • Niclas

        All you need is activator.

  • El Arqui Tecto

    Then? After doing this can you register the device via iTunes?

  • amazingrugs

    Yikes.

  • banx bigon

    wow, this scares me

  • Chun-Li aka ThunderThighs

    I go to school with this guy. He brags about all these potential exploits in CIS class all the time. It’s quite funny because it would be interesting until he starts bragging and saying we don’t know sh*t about our iPhones lol. Address below

    • tocsin

      You’re kind of a c**t giving out his address…

      • Chun-Li aka ThunderThighs

        Only if you knew him

      • tocsin

        Seems like a stand up bloke to me and it seems like you just threw him under the bus,

      • Brad Williams

        Dont worry, he gave out someone elses address

      • jack

        Like you nerds would leave your room to do something

      • tocsin

        Hey mate cmon let’s use our heads here… You don’t have to leave the room to order pizza. Anyone could just order pizza to this address then what’s that guys supposed to do

    • Brad Williams

      Wrong person man. Never taken a CIS class and do not live in gilbert. Your friend sounds like a jackass.

  • mrgerbik

    easy fix:
    1. jailbreak
    2. install applocker
    3. lock settings ‘app’ with password
    optional:
    4. install cylay

    • Easy workaround: reboot with volume up held to disable tweaks.

      • mrgerbik

        damn lol never thought of that – thanks for that

        cylay still works in ‘safe’ mode thou … and it’s far superior to apples find my phone IMO

      • Domodo

        Any workarounds for the lockscreen password after rebooting?

    • iGotya ftw 🙂

  • @dongiuj

    Ios7 bug that has slowed down my iPhone 5 and apps crash an unbelievable amount of times.
    I HATE IOS7!!!!!

  • Diego Morales Servìn

    This is not the only way to do this, I cannot recall exactly what I did in my iPad but I was able to turn off Find my iPhone without actually going to the settings

  • 7abib0

    Temporary fix for this Restrictions > Accounts > Don’t Allow Changes

  • Waleed

    can somebody confirm if this keeps working if u reset device? i mean the icloud account stays removed..

    • Drew Manson

      No it doesn’t. I used this on a 7.0.6 iPad that the user had set then left the company. After a reset it asks for the original iCloud login so the bug is pretty useless after a reset…

  • King Soulfire

    where you got that wallpaper?????

  • Mike Smedley

    Quick question there are 2 repo’s for airblue sharing, stack, and ng. Which one should I have them through? I have 1 from 1 and 2 from the other

  • danielgartin6993 .

    This flaw is still present in iOS 7.0.6,I don’t have a passcode on my iPad and my friend Rohail and I are anxiously waiting for iOS 7.1 to come out,we are stressed out because we don’t want our devices stolen.i have not seen any proof that Activation Lock is still on,and i am not erasing my iPad to see if it is still on