Apple appears to follow some complex unspoken schedule rolling out iPhone tweaks that gradually exclude biometrics from the security equation. The goal is to make users enter a passcode to unlock the screen instead. If you power on or restart your iPhone, you’ll need the passcode to unlock it. If you have used the Emergency SOS feature, the passcode is required to re-enable Touch ID. If the device has been idle for a couple of hours, there you go again – tap in that secret combo. Connecting your iPhone to a computer is a no-go unless you enter your passcode. If you want to password-protect your encrypted backup, the passcode is also mandatory in iOS 13 and later.
It seems the ultimate security of your smartphone is a matter of using a long and complex passcode. However, this logic is comparable to hypothetical security controls in a building where only the front door is protected. Meanwhile, all the office doors are wide open, the computers aren’t password-protected, and the wireless LAN can be accessed from any device without limitations by simply connecting to the unsecured Wi-Fi network.
Sounds like fiction, doesn’t it? It sure does, but this is exactly what the state of iOS security is like at this point. Essentially, all the defenses boil down to a single layer, the screen lock passcode. The only caveat is that this condition holds as long as the user account is protected by 2FA (two-factor authentication).
What Doors Can an iPhone Screen Lock Passcode Open?
If you know the passcode, you can extract nearly all data from an iPhone, including account access credentials. All it takes is creating a password-protected backup. Wondering what the screen lock passcode has to do with this process? Here is how to create such a backup:
- Connect the iPhone to a computer. In iOS 11 and later, simply tapping the “I agree” button is not enough to establish this type of connection. You additionally need to enter the screen lock passcode.
- Run iTunes or iOS Forensic Toolkit and check whether backup encryption (the password option) is enabled. If it’s not, you’re good to go: just set your password and create a new encrypted backup. Why does setting a password make a difference in this case? In a nutshell, only password-protected backups contain the Keychain and some other sensitive data.
There is only one thing that stands in your way: since the release of iOS 13, you need to enter the screen lock passcode to set a password for an encrypted backup. If the password has been set and you don’t know it, no problem: in iOS 11 and newer, you can reset the backup password. Guess how you can do it. Right you are – just enter the screen lock passcode.
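A defender-side check for the point above, added here and not part of the original article: it reads each local backup’s Manifest.plist (assumed to live at MobileSync/Backup/<UDID>/Manifest.plist and to carry the IsEncrypted flag and the device’s iOS version under Lockdown) and reports which backups are password-protected, hence which ones actually contain the Keychain. The two sample backups are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed Manifest.plist contents for two fake backups, mimicking the keys a
# local iTunes/Finder backup stores under MobileSync/Backup/<UDID>/Manifest.plist.
SAMPLE_BACKUPS = {
    "00008020-000A1B2C3D4E5F60": {  # constructed UDID: encrypted backup, iOS 13
        "IsEncrypted": True, "Version": "10.0",
        "Lockdown": {"ProductVersion": "13.3", "ProductType": "iPhone11,2"},
    },
    "00008030-0011223344556677": {  # constructed UDID: unencrypted backup, iOS 12
        "IsEncrypted": False, "Version": "10.0",
        "Lockdown": {"ProductVersion": "12.4", "ProductType": "iPhone10,3"},
    },
}

def write_sample_backups(root: Path) -> None:
    """Lay out the constructed backup tree so the audit can run offline."""
    for udid, manifest in SAMPLE_BACKUPS.items():
        (root / udid).mkdir(parents=True, exist_ok=True)
        with open(root / udid / "Manifest.plist", "wb") as f:
            plistlib.dump(manifest, f)

def audit_backups(root: Path) -> dict:
    """Map UDID -> (iOS version, encrypted?) for every backup under root.
    Only password-protected backups include the Keychain, so an unencrypted
    entry also means the saved passwords are absent from that backup."""
    result = {}
    for manifest_path in sorted(root.glob("*/Manifest.plist")):
        with open(manifest_path, "rb") as f:
            m = plistlib.load(f)
        ios = m.get("Lockdown", {}).get("ProductVersion", "unknown")
        result[manifest_path.parent.name] = (ios, bool(m.get("IsEncrypted", False)))
    return result

def unencrypted_backups(root: Path) -> list:
    """UDIDs whose local backup is not password-protected."""
    return sorted(u for u, (_, enc) in audit_backups(root).items() if not enc)

def run_demo() -> tuple:
    """Build the sample tree in a temp dir and return (audit, unencrypted UDIDs)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_backups(root)
        return audit_backups(root), unencrypted_backups(root)

if __name__ == "__main__":
    audit, missing = run_demo()
    for udid, (ios, enc) in audit.items():
        print(f"{udid}: iOS {ios}, password-protected={enc}")
    print("Keychain absent from:", missing)
```

Point `audit_backups` at the real MobileSync/Backup directory to audit your own machine.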
The iOS screen lock passcode can be leveraged to get full access to passwords stored in the iPhone’s Keychain. Furthermore, the passcode allows you to view all the user’s passwords saved in the Keychain and any third-party password manager that uses the AutoFill feature built into the operating system, such as Roboform.
If you know the screen lock passcode, you can also unlink an iPhone from the user’s iCloud account. It suffices to change the iCloud password in the smartphone’s settings, and the procedure doesn’t require the owner’s original password at all. Changing the iCloud password is a matter of a few seconds and some basic skills. Doing so will instantly disable the Find My iPhone feature.
Moreover, the passcode allows you to decrypt the user’s password database in iCloud, their messages sent and received via SMS and iMessage, and data from the Health app. There is an important prerequisite for this scope of access: the user’s account must be secured with two-factor authentication.
What’s the Role of 2FA in This Exploitation?
Now that you know how much data a criminal can obtain by knowing the passcode, let’s dive into the role of two-factor authentication in perpetrating such a fraud. Here’s the thing: some advanced iCloud features are only accessible if 2FA is enabled. In this scenario, the smartphone itself turns into the critical factor, or piece of evidence, which is mandatory for the following:
1. Resetting the iCloud Password: By the way, it matches the Apple ID account password. Once you reset the iCloud password, you can turn off Find My iPhone by unlinking the device from the iCloud activation lock. Additionally, you can extract the user’s photos from the cloud (as was the case with the notorious “Celebgate” leak), their backups, the call log, and other personal information.
2. Accessing Passwords Saved in iCloud: The passwords stored in iCloud Keychain are encrypted with a key that is contingent on the screen lock passcode. It’s worth mentioning that the passcode for any synced device will do the trick. The passwords simply won’t be synced to the cloud unless two-factor authentication is on.
3. Accessing Health App Data: This information includes details of the user’s physical activities, such as step count, heart rate (if the user wears a smartwatch or fitness tracker), and the like. This data can play into a malefactor’s hands if properly used. Once again, the info generated by the Health app only ends up in the cloud if 2FA is enabled. To decrypt it, you need to enter the passcode.
4. Accessing Screen Time: This feature keeps detailed restrictions and usage statistics for all iOS devices belonging to the user and their children. Same here: this data is only synchronized to the cloud if 2FA is turned on.
5. Accessing SMS and iMessage: Two-factor authentication is also required for syncing these services to iCloud, and the passcode is necessary to decrypt the information.
These pitfalls might seem serious enough to discourage users from enabling two-factor authentication, but that’s a misconception to a certain extent. Turning on 2FA is a piece of cake as long as you know the iPhone’s screen lock passcode. However, turning it off is extremely hard, if not impossible, these days.
How to Prevent Your Screen Lock Passcode from Being Brute-Forced?
Apple knows about these risks. When you go through the first-time setup of your iPhone or iPad, the device will ask you to enter a six-digit passcode. It used to be four. Well, you can still choose to use a four-digit passcode, but the security of this choice is questionable because it may take less than 30 minutes to brute-force it using specially crafted tools. By contrast, a six-digit passcode might take up to 19 years to crack, which means it’s very secure.
It’s noteworthy that there are some workarounds to speed up the process. In AFU (After First Unlock) mode, described below, crooks can try hundreds of thousands of the most common passcodes within a much smaller time frame, plus they can resort to frequency-based candidate lists (most common passcodes first) rather than “classic” exhaustive brute-force mechanisms.
What about thwarting brute-force attacks at the hardware level? Every 64-bit iOS device is equipped with Secure Enclave, a protection subsystem whose hardware component, called the Secure Element, restricts the speed and number of cracking attempts. As of today, Secure Enclave defenses have been circumvented with different degrees of efficiency on all iPhone and iPad generations except for the newest generation built on the A12 SoC (system on a chip).
The relatively secure models include iPhone Xs, iPhone Xs Max, and iPhone XR. Their built-in protection cuts down the speed of brute-force attacks dramatically, allowing for only one such attempt in 10 minutes. As far as I know, unscrupulous makers of cracking tools haven’t been able to get around this limitation yet. The attack speed is multiple times higher for older models, especially in AFU (After First Unlock) mode, which means that the device is currently locked but was unlocked at least once after being powered on.
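The figures above carried through as a small risk calculator, added here and not part of the original article: it derives worst-case crack times from keyspace and attempt rate. The A12 rate is the article’s one attempt per 10 minutes; the older-device rate of 6 attempts per second is a constructed figure chosen to match the under-30-minutes claim for a four-digit code; the 100 attempts per second for an encrypted backup password on a GPU is the figure the article gives later in its recommendations.

```python
# Duration units, largest first, for readable output.
SECONDS = {"year": 365 * 86400, "day": 86400, "hour": 3600, "minute": 60, "second": 1}

def human(seconds: float) -> str:
    """Render a duration in the largest unit that keeps the number >= 1."""
    for unit, size in SECONDS.items():
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}s"
    return f"{seconds:.2f} seconds"

def exhaustive_seconds(keyspace: int, attempts_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed rate (average is half)."""
    return keyspace / attempts_per_second

def numeric_keyspace(digits: int) -> int:
    """All-digit passcodes of the given length."""
    return 10 ** digits

def password_keyspace(alphabet_size: int, length: int) -> int:
    """Passwords of a fixed length over an alphabet (62 = letters + digits)."""
    return alphabet_size ** length

# Attempt rates (per second).
A12_RATE = 1 / 600           # article: one attempt per 10 minutes on A12 devices
OLD_RATE = 6.0               # constructed: fits "4-digit code in under 30 minutes"
BACKUP_GPU_RATE = 100.0      # article: ~100/s against an encrypted backup password

def report() -> dict:
    """Worst-case crack times for the scenarios discussed in the article."""
    return {
        "4-digit PIN, older device": human(exhaustive_seconds(numeric_keyspace(4), OLD_RATE)),
        "6-digit PIN, older device": human(exhaustive_seconds(numeric_keyspace(6), OLD_RATE)),
        "6-digit PIN, A12 throttle": human(exhaustive_seconds(numeric_keyspace(6), A12_RATE)),
        "top-300k PIN list, A12 throttle": human(exhaustive_seconds(300_000, A12_RATE)),
        "12-char backup password, GPU": human(
            exhaustive_seconds(password_keyspace(62, 12), BACKUP_GPU_RATE)),
    }

if __name__ == "__main__":
    for scenario, duration in report().items():
        print(f"{scenario:34s} {duration}")
```

The six-digit A12 case reproduces the article’s 19 years, and the 12-character backup password case shows why the author favours the iOS 10 model of a long backup password that cannot be reset with the passcode.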
Can You Disable iCloud Activation Lock Without iCloud Password?
Yes, you can – as long as the device is linked to a user account secured by 2FA. It’s hard to believe that this highly effective technique whose implementation significantly reduced the number of iPhone theft cases can be turned off by simply knowing the passcode.
How to do it? All you need is the iPhone and its screen lock passcode. Go to Apple ID and tap “Password & Security.” Then, select “Change Password”. The device will ask you to enter the passcode. Once you do it, change the iCloud/Apple ID password.
Note that the smartphone owner can still regain access to their account at this point by submitting a password reset request to a trusted phone number. The settings of the “Trusted Phone Number” feature include the phone number receiving verification codes for two-factor authentication. That’s the number that the owner can use to restore control of the account in case a thief changes the Apple ID password.
You can’t delete this phone number if it’s the only one listed under settings. However, there is a workaround. The criminal can add another trusted phone number first and then remove the original one.
Enhancing iOS Security
A single layer of defense is not enough. By the way, the Screen Time feature has a password option of its own – it’s not immaculate but certainly better than nothing at all. What can be done to strengthen the protection of iOS devices overall? I think the following measures could be worthwhile.
1. Revert to iOS 10 logic. There was absolutely no way to reset a local backup password before the iOS 11 release. A user who forgot their password had to back up the data to iCloud and restore the device to its factory settings, which would entail a backup password reset. If you got hold of an iPhone and found out its screen lock passcode, you couldn’t extract the backup. The system allowed you to set a long and very complex password for accessing your backup. This wasn’t an inconvenience because you had to enter it once during the first-time setup and then one more time if you needed to restore the phone to its default settings. Brute-forcing such a long password is a very slow process. The rate can be close to a hundred cracking attempts per second if GPU-based hardware acceleration is in place.
2. Disallow adding or deleting trusted phone numbers without iCloud password verification.
3. Eliminate the option of resetting an iCloud/Apple ID password using the screen lock passcode. If you have ever tried to modify or reset a Google account password, you probably know that the access restoration process can be both convenient and secure.
4. Disallow turning off the Find My iPhone feature after the password has been reset. Here’s another example of how Google handles a similar situation: even if you simply change your account password, you can’t disable the Factory Reset Protection (FRP) feature for three days. This period of time should suffice to do something about the stolen device. Such a restriction is particularly important nowadays, given that thieves don’t just take the smartphone; they may also coerce the victim into revealing the screen lock passcode. The perpetrators can use this information to change the cloud access password and unlink the device from iCloud in no time.
Is there a way to boost your personal iOS security?
Apple security experts say that enterprise users can take advantage of the Apple Configurator tool, which allows them to restrict certain account operations. Regular users should consider password-protecting the Screen Time feature. This isn’t likely to affect the user experience, but it prevents anyone from resetting the password for the encrypted backup: the device will ask for the Screen Time password in addition to the screen lock passcode. Furthermore, you can configure the system to request the Screen Time password whenever you or somebody else tries to change the password for your account or remove it from your iPhone.
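A restrictions profile along those lines for supervised devices, as an added example that is not the article’s and not Apple’s own text: it assembles a .mobileconfig-shaped plist with plistlib. The restriction keys come from the Restrictions (com.apple.applicationaccess) payload as I know it, not from the article; the organisation identifier is a placeholder, and the account and passcode keys are supervised-only, so the builder drops them for unsupervised devices rather than emitting settings that would be ignored.

```python
import plistlib
import uuid

# Restrictions payload keys as I know them (assumption: not taken from the article).
BASE_RESTRICTIONS = {
    "forceEncryptedBackup": True,        # every local backup must be password-protected
}
SUPERVISED_RESTRICTIONS = {              # honoured only on supervised devices
    "allowAccountModification": False,   # no changing the Apple ID/iCloud password in Settings
    "allowPasscodeModification": False,  # no adding, changing or removing the screen lock passcode
}

def build_restrictions_profile(supervised: bool, org: str = "example.org") -> dict:
    """Return a configuration profile dict; org is a placeholder identifier prefix."""
    restrictions = dict(BASE_RESTRICTIONS)
    if supervised:
        restrictions.update(SUPERVISED_RESTRICTIONS)
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.restrictions.applicationaccess",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Account and backup restrictions",
        **restrictions,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Limit passcode-only account changes",
        "PayloadContent": [payload],
    }

def to_mobileconfig(profile: dict) -> bytes:
    """Serialize the profile as the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def restriction_keys(profile: dict) -> set:
    """Restriction keys present in the applicationaccess payload (for auditing)."""
    payload = profile["PayloadContent"][0]
    return {k for k in payload if not k.startswith("Payload")}

if __name__ == "__main__":
    print(to_mobileconfig(build_restrictions_profile(supervised=True)).decode())
```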