iOS 7 Glitch Kills Find My iPhone Without Password
With two well-timed taps, a thief can override most anti-theft mechanisms on iPhone 4 and iPhone 4S running iOS 7.
There's an adage among iPhone owners that you should never update your phone to the last version of iOS that works on it, usually because a newer operating system can slow down an older device.
Unfortunately, a different kind of glitch appears to affect iPhone 4 and 4S models running iOS 7. It may be possible to turn off Find My iPhone without a password by simply hitting two buttons at the same time, a bonus for iPhone thieves.
American iPhone tweaker Miguel Alvarado posted a video on his YouTube page yesterday (April 2) demonstrating how to do this.
Alvarado showed that if the virtual toggle switch to disable Find My iPhone and the button to delete the attached iCloud account are pressed at the same time, and then the phone is switched off when the Apple ID password is asked for, the security settings can be overridden.
When the phone is powered back on, Find My iPhone and Activation Lock will be disabled and the iCloud account can be deleted. The video ends with Alvarado about to perform a system wipe on the phone.
Like previous iPhone bypasses, this involves a bit of dexterity, and few will get it right the first time. Alvarado made it work on an iPhone 4S, but many commenters on his YouTube page said it didn't work at all on an iPhone 5, 5s or 5c.
It's worth noting that Alvarado's phone wasn't getting any cellular service during his demo, although the device did seem to have a Wi-Fi connection.
Find My iPhone is Apple's primary anti-theft mechanism and lets the iPhone's (or iPad's) legitimate user track it remotely if it is lost or stolen.
The app also lets the user remotely lock the phone, make it "scream" an alarm sound at maximum volume or perform a full factory reset. The final option is a last resort, as Find My iPhone will no longer work after all user data and settings are erased.
Using Find My iPhone requires the iPhone user to enter his or her Apple ID, as do activation, deactivation and settings changes for the app. (This applies whether or not the user has a passcode on the device.) It also requires the user to have an iCloud account, from which he or she can perform remote tasks on the device.
Activation Lock, introduced with iOS 7, requires the user's Apple ID to access the phone upon powering on. Disabling Find My iPhone also disables Activation Lock.
If a thief, or any casual user, picked up an iPhone 4 or 4S, he or she could use Alvarado's method to disable Find My iPhone to prevent tracking, then perform a factory reset in order to sell the phone on the black market or overseas.
Fortunately, there's an easy way to prevent this from happening. Simply enabling a passcode on the device will lock the screen and prevent most people from getting in. To make it even more secure, enter a stronger passcode than the default four digits.
Apple has fixed previous iOS security glitches with minor software updates; be sure to install the next version of iOS 7 when it arrives.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.