Apple Screen Time Passcode Bruteforce

If you just wanna see how to do it, skip to The "Exploit".

The Problem

A while ago I set up Screen Time on my iPhone to reduce the amount of time I spent on it. As it was late at night when doing that (and I fell asleep right after), I also promptly forgot this newly set passcode.

Now, sadly the Screen Time was not as effective as I hoped, since the default configuration allows you to ignore limits without needing to enter a password. Furthermore, it proved quite the annoyance, since I also set up a Downtime between midnight and 5 in the morning, which meant that I did not get notifications in that timeframe, except if I opened an app and ignored its Screen Time limits.

Thankfully there is a way to reset a forgotten Screen Time Passcode using your Apple ID; however, it just did not work for me. I was already at third-level technical support with Apple about this topic, and they blamed some bug in iOS without any intention to fix it. Their recommended "solution" was to factory reset the phone and just install everything anew, losing all the data I had.
Not gonna happen...

The accidental Discovery

This was around 5 years ago, and since then I had even moved to another iPhone, but of course, Screen Time survived the migration. Approximately two weeks ago I again wanted to try some things, having heard that ingesting a backup into a factory reset phone could also do the trick.

Since I did not want to just do that on my main phone I tried it on the old one, which had already been factory reset and used as a playground for other things. I set up a Screen Time pin and went to do something else, while the phone did a backup to my laptop, and promptly forgot the Screen Time Passcode again.

However, I did not immediately realize that. Rather, during the normal process of factory resetting ("Erase All Content and Settings"), you are asked for the Passcode for your iPhone and then the Screen Time Passcode if you have one set. I first entered the Screen Time Passcode I thought correct twice, and then tried around a little until I remembered the actually correct one and was allowed to continue. But one thing was off: I definitely entered the wrong Passcode more than the 6 times that you are usually allowed before you are locked out from new tries for a while.

I canceled the reset and tried it again, this time deliberately entering the wrong Passcode 16 times, just to be sure. And as before, entering the correct one after 16 wrong tries still worked!
This meant that I did not need to reset my iPhone, but rather could bruteforce the Screen Time Pin!

How it should work

Now, to show how this should usually work, here is what happens when you enter your Screen Time Passcode wrongly in any other scenario:

You get 6 tries before you are first blocked for 1, then 5, then 15 minutes, etc.
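To quantify why that lockout matters, here is an added Python model (not the author's code) of the escalating schedule just described: 6 free attempts, then blocks of 1, 5 and 15 minutes. Continuing the "etc." with 60 minutes per further failure is an assumption, as is modelling the erase flow simply as the same policy with enforcement switched off. The sweep uses the 2.2 entries per second and the target 5727 from the report further down, so the two runs show the gap between minutes and months.

```python
# Lockout schedule described in the post: 6 free attempts, then blocks of
# 1, 5 and 15 minutes "etc.". The continuation (60 minutes per further
# failure) is an assumption, not something the post states.
FREE_ATTEMPTS = 6
LOCKOUT_MINUTES = [1, 5, 15]
TAIL_LOCKOUT_MINUTES = 60  # assumed continuation of "etc."


class LockoutPolicy:
    """Escalating lockout as applied in the Screen Time settings.

    With enforced=False it models the 'Erase All Content and Settings'
    flow from the post, where wrong entries never trigger a block."""

    def __init__(self, enforced: bool = True) -> None:
        self.enforced = enforced
        self.failures = 0
        self.locked_until = 0.0  # simulated clock, in minutes

    def lockout_for(self, failures: int) -> int:
        """Minutes of lockout imposed after the given failure count."""
        if not self.enforced or failures < FREE_ATTEMPTS:
            return 0
        idx = failures - FREE_ATTEMPTS
        if idx < len(LOCKOUT_MINUTES):
            return LOCKOUT_MINUTES[idx]
        return TAIL_LOCKOUT_MINUTES

    def attempt(self, now: float, correct: bool) -> str:
        """Process one entry at simulated time `now` (minutes).
        Returns 'locked' (entry refused), 'ok' or 'wrong'."""
        if now < self.locked_until:
            return "locked"
        if correct:
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.lockout_for(self.failures)
        return "wrong"


def minutes_to_find(target: str, rate_per_sec: float, enforced: bool) -> float:
    """Simulated minutes a sequential 0000..9999 sweep needs to reach
    `target`, waiting out every block the policy imposes."""
    policy = LockoutPolicy(enforced=enforced)
    per_attempt = 1.0 / rate_per_sec / 60.0
    clock = 0.0
    for n in range(10_000):
        clock = max(clock, policy.locked_until) + per_attempt
        if policy.attempt(clock, f"{n:04d}" == target) == "ok":
            return clock
    raise ValueError("target is not a four-digit PIN")


if __name__ == "__main__":
    for enforced in (False, True):  # 2.2/s and 5727 are the report's values
        mins = minutes_to_find("5727", 2.2, enforced)
        print(f"lockout enforced={enforced}: {mins:.1f} min ({mins / 1440:.1f} days)")
```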

The "Exploit"

  1. Open Settings
  2. Go to "General" > "Transfer or Reset iPhone"
  3. Click "Erase All Content and Settings"
  4. Click "Continue"
  5. Enter the Passcode for the iPhone
  6. Enter an arbitrary number of invalid Screen Time Passcodes
  7. Enter the correct Screen Time Passcode
  8. The erasure process now continues, so abort it
  9. You have found the Screen Time passcode

All of this can be done manually with some time on your hands (I estimate around 4 hours of actually typing numbers to go through all possible options, so ~2h for a 50% chance of finding it).

However, if you want to automate it then install a Bluetooth keyboard emulator on your computer, e.g. KeyPad - Keyboard and Mouse on a Mac (just the first one that came up while searching, and it worked well enough for this task).
You also need cliclick for the script below (brew install cliclick).
Then pair your phone with it and run the following bash script, opening the keyboard window right after starting the script (this should take 75 minutes for all possible options, so not even 40 minutes for a 50% chance).


#!/bin/bash

# sleep to have enough time to open the KeyPad window
sleep 5
echo "hope you are ready"

# iterate through all the Screen Time Passcodes, printing them as we go along.
# brace expansion with a zero-padded start already yields 0000, 0001, ..., 9999,
# so the value is used as-is (printf '%04d' would reject e.g. 0008 as invalid octal)
for pin in {0000..9999}
do
    echo "pin $pin"
    cliclick w:001 t:"$pin\n"
done

You should see the pins being entered pretty quickly one after the other. Make sure that you do watch the phone so that you can quickly stop the erasure process, and also check approximately which pin was the one actually unlocking screen time.

I manually retried the last ten entries that had been printed to find it, though depending on your alertness and speed you might need to go back a bit further.

The Reaction from Apple

Now I try to be a good citizen of the internet and of course I sent Apple a report on their Security Research platform, which you can read below:


# Affected platform
Apple Devices and Software

# Affected area
Screen Time

# Title
Screen Time Passcode is able to be Bruteforced by using "Erase All Content and Settings" on iOS

# What is required to reproduce the issue?
This issue has been reproduced on an iPhone 6s and iPhone 12 Pro using the latest iOS version as of right now (15.7.2 and 16.2 respectively). The Passcode for the iPhone needs to be known as well.

# Summary

It is possible to brute-force a Screen Time Passcode using the "Erase All Content and Settings" function of an iOS Device.

Using a virtual Bluetooth keyboard as input, the entire input space of four numerical digits has been iterated in 75 minutes.


# Steps to reproduce

(With Screen Time enabled and a Screen Time Passcode set)

1. Open Settings
2. Go to "General" > "Transfer or Reset iPhone"
3. Click "Erase All Content and Settings"
4. Click "Continue"
5. Enter the Passcode for the iPhone
6. Enter an arbitrary number of invalid Screen Time Passcodes
7. Enter the correct Screen Time Passcode
8. The erasure process now continues, telling the operator that they have used the correct Screen Time Passcode


# Expected results

Repeated entering of a wrong Screen Time Passcode in Step 6 should trigger the same timeout / lockout mechanism as when changing / disabling the Screen Time Passcode in the Screen Time settings.


# Possible Impact

This could be used to brute-force the Screen Time Passcode by people who have had their Screen Time limits set by another person, such as children using a managed iPhone.  
With this they could circumvent the configured Screen Time.


# Actual results

There is neither a Timeout nor a Lockout when entering invalid Screen Time Passcodes in the "Erase All Content and Settings" process, which allows a user to brute-force a (to them) unknown Screen Time Passcode by trying combinations until the process continues.


# Notes

Brute-forcing the Passcode entry in the same process has also been tried via this method, however, it was not successful.


# Attachments

Attached are the following videos:

- `Screentime_Setup.mov`:  
   Here it can be seen how Screen Time has been set up. It is important to note, that this works for both the Options "This is My iPhone" and "This is My Child's iPhone". However, the latter has been chosen for demonstration, as this is the more interesting attack vector for this circumvention.
- `Proper_Lockout_and_Circumvention.MP4`:  
   Here at first the expected result for entering an invalid Screen Time Passcode (as happening in the Screen Time settings) is shown, where after 6 failed attempts a Lock-Out period of 1 Minute is triggered.  
  After that the circumvention is shown as described in the Section `Steps to reproduce`, whereby a large number of invalid Screen Time Passcodes is entered, followed by the correct one.
- `Brute_force_via_virtual_Bluetooth_Keyboard.MP4`:  
   Here a successful brute-force attempt is shown, which uses a scripted, virtual Bluetooth keyboard connected to the iPhone 12 Pro. It succeeds after 200 tries, with the first guess having been 5527 and the last guess 5727. The brute-force attempt starts at 0:35 and ends at 2:05, taking 90 seconds, which yields a used entry rate of ~2.2 Passcodes per second. (Please ignore the reminder notification)
- `bruteforce.sh`:  
   This script has been used in the video `Brute_force_via_virtual_Bluetooth_Keyboard.MP4` using the virtual Bluetooth keyboard functionality of "KeyPad - Keyboard and Mouse" on macOS. It is first started, and during the initial 5 second sleep time the KeyPad window is opened. The script is run until the iOS device continues in the erasure process due to the correct Screen Time Passcode, at which time the operator aborts the running script. As the script does not detect which exact Passcode was successful, the last few output `pin`s need to be re-tried manually using the same procedure, after which the operator has successfully recovered an unknown Screen Time Passcode.

All videos have been recorded using the Screen Recording functionality included in iOS.

# Credit
Manuel Reinsperger

I did not really expect anything, especially not a bug bounty, since the impact of this was rather minor, and it was not really an exploit per se. I got the case number OE192460766385 and started waiting for a response. And what I got somehow surprised me a little.


Thanks again for reporting this to us. Features like Screen Time are designed to provide parents with the tools to understand and manage their children’s device usage. Screen Time is not intended to protect a device against manipulation. If you’ve found a vulnerability in the storage or transmission of Screen Time usage data, please let us know so we can pursue this as a security issue. Otherwise, we recommend reporting this via https://feedbackassistant.apple.com.

In addition, please remember physical security remains an important part of protecting the data on your iOS and iPadOS device.

I agree fully that Screen Time is intended as a tool for parents, rather than an actual security measure. However, I disagree with their statement that it is not at all intended to protect a device against manipulation.
Because if it really did not matter whether someone is stopped by the Screen Time Passcode or not, why even set one in the first place? And if the Passcode should exist, but the rate limiting is not important, then why have that in the first place?

Children are incredibly resourceful, and even if a child does not know how to set up the virtual Bluetooth keyboard and run a script to automatically bruteforce the pin, they usually have lots of what is needed when brute forcing something: Time.

I can immediately imagine my younger self being restrained by Screen Time (which is not a bad thing imo, I spend too much time on my phone, even as an adult that is aware of what this causes. Hell, this is exactly the reason I got myself into this trouble!). If I found out I could circumvent it by spending a few hours mindlessly entering numbers I would not even hesitate to do that.

And if my parents just trusted that Screen Time would prevent me from doing things I shouldn't, like spending too much time or going to illicit sites, without ever checking in with the data Screen Time collects they would never be the wiser.

Is that how Apple suggests parents use this feature? No, but I can see that a lot of people could use it that way nonetheless.

The Conclusion

Now feel free to take this information and use/publish it elsewhere (please link back to this blogpost though), apparently this fault is by design from the great people at Apple, so other users should know of this great feature as well and maybe even get a little silly with it :3
All jokes aside, if this is of any use to you just shoot me an e-mail at firstname [at] lastname [dot] org, I'd be interested in hearing from you.