Settings in Apple iOS before 7.1.2 allows physically proximate attackers to bypass an intended iCloud password requirement, and turn off the Find My iPhone service, by leveraging incorrect state management.