Brute force attack against restrictions code is possible on iOS

Working on a hack for the blog, I found a security flaw on iOS that allows you to brute force attack the code used for restrictions, despite Apple’s protections. Let me explain.

En français.
Note : iOS 7 correct the flaw.

A few days ago, I came across a post on how to brute force attack the Mac EFI code, using a Teensy 3.0 card that emulates a keyboard. I found the idea interesting, I ordered a card and went to test it on an iOS device.


Once the card received, I started testing it on an iPad, connecting the Teensy via the Camera Kit for iPad. Indeed, it is possible to connect a wired keyboard on the iPad (but not on the iPhone).

I first tested the password of the home screen, but it does not really work: after a few tries, the iPad is locked for 1 minute, then 5 minutes, etc.. Impossible to test the 10,000 options on brute force, then.

Then I decided to test on another section of iOS: the restrictions, allowing for example to block the App Store, camera, etc. .. And there I found a security flaw: when you hit several times a wrong code, the virtual keyboard is locked for 1 minutes, 5 minutes, 15 minutes and 60 minutes after each bad try. But if ever a physical keyboard is used, it is always possible to try a code. It works with my Teensy 3.0 that emulates a USB keyboard, but also with a conventional keyboard or even a Bluetooth keyboard.

It is perfectly possible to program a brute force attack to disable the restrictions. In my example, the system automatically enters a code every 3 seconds, which needs in the worst case a little more than 8 hours to find the code used on the restrictions. Beware, the password must be entered twice: once to enter the menu and a second time to actually disable restrictions.

The video shows the problem: I took a simple code (0015) and just let the device test all the possibilities and find the code.

I obviously sent a bug report to Apple and I will not provide the code used as the flaw is still not corrected.