Apple iOS 17.2.1 Screen Time Passcode Retrieval / Mitigation Bypass

Posted Sep 24, 2024
Authored by SivertPL

A mitigation bypass / privilege escalation flaw has been discovered in Apple's iOS Screen Time functionality, granting one access to modify the restrictions. It allows a local attacker to acquire the Screen Time Passcode by bypassing the anti-bruteforce protections on the four-digit Passcode, and in consequence gaining total control over Screen Time (Parental Control) settings. Versions lower than 18 are affected.

tags | exploit, local, bypass
systems | apple, ios
SHA-256 | 75666d1dc71fb63eadc1180b8fde8bebebfa673977a37f948bb5e8bd009bd6f8

Document Title:
===============
Apple iOS 17.2.1 - Screen Time Passcode Retrieval (Mitigation Bypass)


Release Date:
=============
2024-09-24


Affected Product(s):
====================
Vendor: Apple Inc.
Product: Apple iOS 17.2.1 (possibly all versions < 18.0)


References:
===========
VIDEO PoC: https://www.youtube.com/watch?v=vVvk9TR7qMo

The vulnerability has been patched in the latest release of the operating
system (iOS 18.0).


Abstract Advisory Information:
==============================
A mitigation bypass / privilege escalation flaw has been discovered in Apple's
iOS Screen Time functionality, granting one access to modify the restrictions.

It allows a local attacker to acquire the Screen Time Passcode by bypassing the
anti-bruteforce protections on the four-digit Passcode, and in consequence
gaining total control over Screen Time (Parental Control) settings.


Common Weakness Enumeration
===========================
CWE-307: Improper Restriction of Excessive Authentication Attempts
CWE-799: Improper Control of Interaction Frequency


Exploitation Technique:
=======================
Local


Severity Level:
===============
Moderate


Discovery Status:
=================
Full Disclosure


Technical Details & Description:
================================
1. The Screen Time Passcode input is generally immune to bruteforce attacks,
and the following document reveals a weakness in the implementation of these
mitigations.

2. The Passcode always consists of four digits, therefore the range of values
an attacker needs to check is low.

3. The usage of an external HID, particularly a keyboard,
whether one connected through USB-C, Lightning or Bluetooth, simplifies and
enhances the speed and practicality of the brute force attack.

4. In nearly all cases, the Screen Time Passcode input form is fortified with
strict mitigations, such as time delay imposed upon reaching
a certain threshold of subsequent failed attempts.

5. This can be noticed when one attempts to manually guess the Passcode in
"Settings > Screen Time", where multiple consecutive failed attempts trigger
the anti-bruteforce mitigation.

6. The aforementioned mitigation is akin to the one in the Screen Lock input,
with increasingly long delays after every block, making it a solid mitigation
against bruteforce attacks.

7. In one case, such mitigations are absent, enabling rapid bruteforce attacks
against a low-complexity, four-digit input, suggesting a CWE-307 vulnerability.

8. Because of this case, all the other protections of the Screen Time Passcode
in practice become null and void.

9. It is possible to create user-friendly, cross-platform software that
would allow children, or other people subject to Screen Time, to easily
acquire the code to its settings.

10. It is often the case that such codes are exactly the same on every device
associated with one iCloud account, extending the impact to other devices.
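As an added illustration (not part of the advisory, and not Apple's code), the following models the mitigation described above: a single rate-limiting enforcement point with escalating delays that every passcode prompt must call, and the cost difference when one entry path skips it. The lockout thresholds, durations and names are assumptions chosen for illustration.

```python
import hmac
from dataclasses import dataclass

# Escalating lockout schedule in the spirit of the Screen Lock mitigation the
# advisory describes (longer delay after every block). Thresholds and durations
# are assumptions for illustration, not Apple's actual values.
ESCALATING = ((5, 60), (6, 300), (7, 900), (8, 3600))  # (consecutive failures, lock seconds)
NONE = ()  # models the unguarded input path (the erase flow before iOS 18.0)


def lockout_seconds(failures: int, schedule) -> int:
    """Lock duration imposed after `failures` consecutive wrong guesses."""
    delay = 0
    for threshold, seconds in schedule:
        if failures >= threshold:
            delay = seconds
    return delay


@dataclass
class PasscodeGuard:
    """Single enforcement point every UI path asking for the passcode must call."""
    secret: str
    schedule: tuple = ESCALATING
    failures: int = 0
    locked_until: float = 0.0

    def verify(self, candidate: str, now: float) -> tuple[bool, float]:
        """Return (accepted, seconds the caller must wait before the next attempt)."""
        if now < self.locked_until:
            return False, self.locked_until - now
        if hmac.compare_digest(candidate.encode(), self.secret.encode()):
            self.failures = 0
            return True, 0.0
        self.failures += 1
        wait = lockout_seconds(self.failures, self.schedule)
        self.locked_until = now + wait
        return False, wait


def exhaustive_cost(guard: PasscodeGuard) -> tuple[int, float]:
    """Simulated clock: attempts and total lockout time to walk the 10,000-code space."""
    clock = 0.0
    for attempt, code in enumerate((f"{n:04d}" for n in range(10_000)), start=1):
        ok, wait = guard.verify(code, clock)
        if ok:
            return attempt, clock
        clock += wait  # the guesser must sit out the lock before the next attempt
    raise RuntimeError("secret not in the four-digit space")


if __name__ == "__main__":
    for label, schedule in (("guarded path", ESCALATING), ("unguarded path", NONE)):
        attempts, seconds = exhaustive_cost(PasscodeGuard("9999", schedule))
        print(f"{label}: {attempts} attempts, {seconds / 86400:.1f} days of lockout")
```

The guarded path turns a worst-case exhaustive walk into more than a year of enforced waiting, while the unguarded path completes the same 10,000 attempts with no delay at all, which is exactly why a single skipped enforcement point voids the rest.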


Proof of Concept (PoC):
=======================
Assumptions: Screen Time is enabled, and the Screen Time Passcode is set.

1. Open "Settings"
2. Go to "General"
3. Scroll down to "Erase Content and Settings"
4. Once prompted, choose "Erase Content and Settings" again.
5. Agree with the dialogue, proceed further.
6. Press the red button asking for confirmation of the erasure.
7. Enter the current Device Passcode or Password.
8. Now you will be asked to enter the Screen Time Passcode (if one is set).
This four digit input form is vulnerable to unlimited bruteforce attacks.
9. Once the correct Passcode is provided, the "Uploading Data to iCloud"
screen should appear.
10. The moment it happens, go back IMMEDIATELY (use the arrow on the upper left
corner of the screen to stop the process before it begins erasing data)
11. The device erasure process should now be stopped.
12. The Screen Time Passcode should now be well-known.

VIDEO PoC: https://www.youtube.com/watch?v=vVvk9TR7qMo


Security Risk:
==============
The security risk is estimated as moderate, and context dependent.

Abuse of this vulnerability results in full control over the Screen Time settings
imposed on the device, making it possible to disarm all the restrictions.

It is worth mentioning that the Passcode could be shared among other devices
associated with the same iCloud account. If this is the case, the impact of
the vulnerability becomes more significant.

Example restrictions provided by Screen Time that could then be deactivated:

- Harmful content protection (adult / traumatizing content, malicious websites)
- Restrictions on communication with strangers
- Device usage time limits (Downtime, daily usage limits).
- Camera, location and microphone access permissions for specific applications.
- Device activity monitoring and reporting.
- Application-specific usage time limits.
- Application-specific functionality limits.
- Security settings that require the Screen Time Passcode to access and modify.
- and possibly more...


The attack, when executed properly:
- can be repeated, in case the Screen Time Passcode gets changed by the parent.
- can be used to change the Passcode to an arbitrary one, or disable it.
- can be used to shut down all the system parental control settings on the
device, and possibly acquire similar power against other synchronized devices.
- gives one the silent knowledge of the Passcode, which makes it more stealthy
and detection resilient.

There are no known protections against this attack, other than upgrading all
devices running vulnerable versions to the latest version.


Solution - Fix & Patch:
=======================
Patched in iOS 18.0, despite not being acknowledged by the vendor.
Fixed with a silent rate-limit enforced on the vulnerable input.


Vulnerability Disclosure Timeline:
==================================
2023-12-21: The vulnerability has been reported to the vendor.
2023-12-23: The vendor has refused to acknowledge the vulnerability.
2023-12-27: The vulnerability has been reported again, more details included,
and real-world impact scenarios, complete with a clear video demonstration.
2024-01-02: The vendor has refused to acknowledge the vulnerability once again.
2024-09-16: The vulnerability has been patched in the next major release
of the vulnerable system (iOS 18.0).
2024-09-24: Full disclosure of the vulnerability.


Credits & Authors:
==================
SivertPL (kroppoloe@protonmail.ch)