A security flaw has been discovered in iOS 7, which apparently allows any user to disable the “Find My iPhone” feature on a device without typing in the password. Turning off the feature means that Apple’s (NASDAQ:AAPL) location service cannot trace a stolen device.
The new bug that allows an intruder to compromise the “Find My iPhone” feature takes only a few steps to reproduce on devices running iOS 7.0.4. The steps involve making some changes in the iCloud account section of Settings and entering a fake password.
Here is the video demonstration of the bug, first reported by MacRumors:
According to MacRumors, the bug has been successfully replicated on an iPhone and an iPad running iOS 7.0.4. However, they were unable to do the same on a device with iOS 7.1 installed, which suggests that the security flaw is likely to be fixed with the upcoming iOS firmware update.
It is worth noting here that the bypass shown in this video only works on a device that does not have Touch ID or a passcode enabled, as the exploit requires the intruder to access the Settings menu. It also does not appear that the bug disables Activation Lock.
Nevertheless, the new flaw is a serious security concern, as “Find My iPhone” is a widely used way to locate a lost iOS device. Apple has yet to comment on the exploit.
Here is what the person that discovered the bug has to say, courtesy of iDownloadBlog:
MAJOR Security flaw in Find My iPhone iCloud Lock BYPASS. Activation Lock Bypass. This video is to show a security flaw in Apple’s Find My iPhone feature so Apple can fix this. I tried to contact Apple and nobody has responded.
iOS 7 has encountered security flaws multiple times ever since its release last year. In September, a bug was discovered in the redesigned platform that allowed anyone to use the Control Center feature to bypass the passcode-protected lock screen on a compatible device.
Later that month, another bug showed how making a phone call using Siri from the lock screen can open up the iPhone’s phone app and expose the entire list of contacts, call history and even voicemail.