https://sploitus.com/exploit?id=PACKETSTORM:181796
Document Title:  
===============  
Apple iOS 17.2.1 - Screen Time Passcode Retrieval (Mitigation Bypass)  
  
  
Release Date:  
=============  
2024-09-24  
  
  
Affected Product(s):   
====================   
Vendor: Apple Inc.  
Product: Apple iOS 17.2.1 (possibly all versions below 18.0)
  
  
References:
===========
VIDEO PoC: https://www.youtube.com/watch?v=vVvk9TR7qMo   
  
The vulnerability has been patched in the latest release of the operating   
system (iOS 18.0).  
  
  
Abstract Advisory Information:  
==============================  
A mitigation bypass / privilege escalation flaw has been discovered in Apple's
iOS Screen Time functionality, granting access to modify the restrictions.

It allows a local attacker to acquire the Screen Time Passcode by bypassing the
anti-bruteforce protections on the four-digit Passcode, consequently gaining
total control over Screen Time (Parental Control) settings.
  
  
Common Weakness Enumeration:
============================
CWE-307: Improper Restriction of Excessive Authentication Attempts  
CWE-799: Improper Control of Interaction Frequency  
  
  
Exploitation Technique:  
=======================  
Local  
  
  
Severity Level:  
===============  
Moderate  
  
  
Discovery Status:  
=================  
Full Disclosure  
  
  
Technical Details & Description:  
================================  
1. The Screen Time Passcode input is generally immune to bruteforce attacks;
the following document reveals a weakness in the implementation of these
mitigations.
  
2. The Passcode always consists of four digits, therefore the range of values   
an attacker needs to check is low.   
  
3. Using an external HID, particularly a keyboard, whether connected through
USB-C, Lightning or Bluetooth, makes a brute force attack faster and more
practical.
  
4. In nearly all cases, the Screen Time Passcode input form is fortified with
strict mitigations, such as a time delay imposed once a certain threshold of
consecutive failed attempts is reached.
  
5. This can be noticed when one attempts to manually guess the Passcode in   
"Settings > Screen Time", where multiple consecutive failed attempts trigger  
the anti-bruteforce mitigation.  
  
6. The aforementioned mitigation is akin to the one in the Screen Lock input,  
with increasingly long delays after every block, making it a solid mitigation   
against bruteforce attacks.  
  
7. In one case, such mitigations are absent, enabling rapid bruteforce attacks  
against a low-complexity, four-digit input, suggesting a CWE-307 vulnerability.  
  
8. Because of this case, all the other protections of the Screen Time Passcode   
in practice become null and void.  
  
9. It is possible to create user-friendly, cross-platform software that would
allow children, or other people subject to Screen Time, to easily acquire the
code to its settings.
  
10. It is often the case that such codes are exactly the same on every device  
associated with one iCloud account, extending the impact to other devices.  
  
  
Proof of Concept (PoC):  
=======================  
Assumptions: Screen Time is enabled, and the Screen Time Passcode is set.  
  
1. Open "Settings"  
2. Go to "General"  
3. Scroll down to "Erase Content and Settings"  
4. Once prompted, choose "Erase Content and Settings" again.  
5. Agree with the dialogue, proceed further.   
6. Press the red button asking for confirmation of the erasure.  
7. Enter the current Device Passcode or Password.   
8. Now you will be asked to enter the Screen Time Passcode (if one is set).
This four-digit input form is vulnerable to unlimited bruteforce attacks.
9. Once the correct Passcode is provided, the "Uploading Data to iCloud"   
screen should appear.   
10. The moment it happens, go back IMMEDIATELY (use the arrow in the upper left
corner of the screen to stop the process before it begins erasing data).
11. The device erasure process should now be stopped.
12. The Screen Time Passcode is now known.
  
VIDEO PoC: https://www.youtube.com/watch?v=vVvk9TR7qMo   
  
  
Security Risk:  
==============  
The security risk is estimated as moderate, and context dependent.  
  
Abuse of this vulnerability results in full control over the Screen Time settings
imposed on the device, making it possible to disarm all the restrictions.

It is worth mentioning that the Passcode could be shared among other devices
associated with the same iCloud account. If this is the case, the impact of
the vulnerability becomes more significant.
  
Examples of restrictions provided by Screen Time that could then be deactivated:
  
- Harmful content protection (adult / traumatizing content, malicious websites)  
- Restrictions on communication with strangers  
- Device usage time limits (Downtime, daily usage limits).  
- Camera, location and microphone access permissions for specific applications.  
- Device activity monitoring and reporting.  
- Application-specific usage time limits.  
- Application-specific functionality limits.  
- Security settings that require the Screen Time Passcode to access and modify.   
- and possibly more...  
  
  
The attack, when executed properly:
- can be repeated, in case the Screen Time Passcode gets changed by the parent.
- can be used to change the Passcode to an arbitrary one, or disable it.
- can be used to shut down all the system parental control settings on the
device, and possibly acquire similar power over other synchronized devices.
- gives the attacker silent knowledge of the Passcode, which makes the attack
stealthier and harder to detect.

There are no known protections against this attack, other than upgrading all
devices running vulnerable versions to the latest version.
  
  
Solution - Fix & Patch:  
=======================  
Patched in iOS 18.0, despite not being acknowledged by the vendor.  
Fixed with a silent rate-limit enforced on the vulnerable input.   
  
  
Vulnerability Disclosure Timeline:  
==================================  
2023-12-21: The vulnerability has been reported to the vendor.  
2023-12-23: The vendor has refused to acknowledge the vulnerability.  
2023-12-27: The vulnerability has been reported again, with more details,
real-world impact scenarios and a clear video demonstration.
2024-01-02: The vendor has refused to acknowledge the vulnerability once again.  
2024-09-16: The vulnerability has been patched in the next major release   
of the vulnerable system (iOS 18.0).  
2024-09-24: Full disclosure of the vulnerability.  
  
  
Credits & Authors:  
==================  
SivertPL (kroppoloe@protonmail.ch)