iOS vulnerability allows to disable ‘Find My iPhone’ without password


iphone

Smartphone manufacturers are adding ways for owners to track and manage their phones if they ever get lost or stolen. Find My iPhone is a service that comes with every iOS device that allows you to track your iPhone, whether it was lost or stolen.

Normally, the iPhone requires a password if you want to deactivate “Find My iPhone”, but it isn’t entirely perfect and thieves are now smart enough to disable ‘Find My iPhone‘ on devices running iOS 7.0.4 and lower version, without having to enter a password.

The exploit was discovered and demonstrated security researcher ‘Bradley Williams‘ and performing a successful bypass means you won’t be able to locate, make sound and wipe out.
The vulnerability could put the devices at risk, and the exploitation method involves a few simple steps that involve making changes in the iCloud settings, even if they don’t know the password.

Steps to hack ‘Find My iPhone':

  1. Navigate to iCloud in the settings.
  2. Select your account.
  3. Change the password to an incorrect one, then taps Done.
  4. When display ‘wrong password’ warning, Tap OK and then tap Cancel.
  5. Reselect your account.
  6. Empty the description field and then press Done.

You will notice Find My iPhone is now toggled off.

The exploitation also requires physical access to the device, and then only works if the user hasn’t set a passcode or enabled the iPhone 5S fingerprint-based Touch ID system and hackers are not able to reproduce it iOS 7.1 beta version, that means the flaw will be fixed in the next iOS update, which is expected to hit the devices in March.

Users are recommended to activate Apple’s device Lock system, which blocks a thief from erasing and re-activating a stolen phone unless they enter your Apple ID and password.

Source : The Hacker News