11 comments

[ 3.2 ms ] story [ 40.4 ms ] thread
This is cool, but seems like a big security flaw on Apple’s part. Most people likely use the same passcode for their device and the restrictions passcode. I imagine this security risk can be mitigated by encrypting the backup, but I still think it’s a flaw in need of fixing.
Restrictions aren't really a security feature.
They’re not, but if someone does use the same passcode, it could open up a vulnerability.

That said, using the same passcode would defeat the purpose for what I believe is the primary use case (I want to loan you my device, so I have to give you the unlock passcode, but I don’t want to give you unfettered access). So I really think having the passcodes match is an edge case. I can see it happening in other use cases, though (e.g. kiosks).

Pretty sure the primary use case is kids, not loaning your device to a friend.
(comment deleted)

  GPS Location, 
  Location Sharing, 
  Microphone Access,
  Contacts,
  Photos,
  Camera,
  Authenticated Accounts,
  Product Purchase Authorization with Attached Credit Cards, 
  Bluetooth Access,
Pretty much everything important that your phone can do. Especially from an opsec perspective, if you ever needed to personally identify the individual the device belongs to, while they’re using it.
The attacker would already have an exfiltrated unencrypted full backup. Passcode’s the least of your worries at that point.

Also I think you’re mistaken about using the same value. Passcodes default to 6 digits. Restrictions PIN is 4.

It’s stored hashed with 1000 iterations of PBKDF1: https://github.com/gwatts/pinfinder/blob/a3e1d1b709ad6c9a109...

Note that this tool extracts the hash from a decrypted iTunes backup. That contains (nearly) all the device data, so by the time an attacker has that, they aren’t going to need much else.

Apple could bind it to the hardware if they wanted to, but that’s going above and beyond, which I’m not sure is any use here.

In the past I have successfully used http://ios7hash.derson.us for iOS 11 restrictions code cracking. I use restrictions to remove some features I don't use and as a fool I have not set the code to 0000 for this one device.

It would be actually quite useful if one could remove the restrictions from the Apple Id page or something like that.

Worked like a charm for me, after a little tweaking of the source code. (My use case was a 70-year-old who couldn't remember which code she used on her phone.)