
Potential security loophole in 'Find my iPhone'

Recently I got an old iPhone 5 as a hand-me-down from my pa. He had the machine locked with a simple password and an Apple ID. While I wanted to factory reset his phone without knowing his Apple ID password, I found out that the security system is quite vulnerable to breaches.

First I tried a few (possibly 5+) unsuccessful wild guesses at his password. Then a system message notified me that his account had been put in lockdown and asked me how I would like to unlock it: 1. by birthday or 2. by email. As all of you may know, the email address is given by the system all along the process. I chose the latter option, and the verification email was automatically sent to the linked email account. But THEN I found out that the iOS Mail app is uncompromised and linked to my dad's account. Then I easily gained access to his Apple ID and turned the iPhone's Find My iPhone off.

This seems like a small glitch, maybe one that most of us users will omit. But imagine that phone thieves somehow use this loophole to bypass the Find My iPhone security watch and smuggle stolen phones under the radar. I hope some of Apple's software engineers get to know about the problem. Not trying to brag, and no offence, but as a student studying CS, this loophole can be easily fixed by logging off the email accounts on the phone to prevent the breach. If you are also concerned about this issue, please kindly spread the word. If anyone (or Apple) wants to know more about the issue, please feel free to contact me via email at **@gmail.com

<Email Edited by Host>

iPhone 5s, iOS 9.2.1, second hand, not jailbroken/vanilla

Posted on Feb 10, 2016 6:00 AM


Feb 13, 2016 11:46 AM in response to Gavinivag

Yes, if someone uses a simple passcode that is easily guessed, the security is compromised. That is the same with any password-enabled system. The solution is to use a fingerprint for regular access and a strong pass phrase, not a simple 4-digit code. And even if using just a simple passcode, pick one that is not easily guessed by people who know you.


Most people will NOT want to have to login to their email every time they use the mail app. I have 9 email accounts in mine, and I want them to remain unlocked and easily accessible as needed. I use a 10 character alpha-numeric pass phrase and my fingerprint for normal access to my devices.


To protect your Apple ID itself, enable two-step verification. But any password-based security is only as good as the password. Your pa could have also used a simple, easily guessed passcode for his email account, which in turn would make it easily cracked, especially by someone who knew him as you do.


Tell your pa to stop using simple, easily guessed passcodes for anything, as they are all vulnerable.
