How To Access Screen Time Password and Recover iOS Restrictions Password

August 29th, 2019 by Oleg Afonin

The Screen Time passcode (known as the Restrictions passcode in previous versions of iOS) is a separate 4-digit passcode designed to secure changes to the device settings and the user’s Apple ID account and to enforce the Content & Privacy Restrictions. You can add the Screen Time passcode when activating Screen Time on a child’s device or if you want to add an extra layer of security to your own device.

The 4-digit Screen Time passcode is separate from the main screen lock passcode you use to unlock your device. If you configure Screen Time restrictions to match your usage scenarios, you’ll hardly ever need to type the Screen Time password on your device.

Using the Screen Time password can be a great idea if you want to ensure that no one can reset your iTunes backup password, disable Find My iPhone or change your Apple ID password even if they steal your device *and* know your device passcode. On the flip side, there is no official way to recover the Screen Time password if you ever forget it, other than resetting the device and setting it up from scratch. Compared to the device screen lock passcode, Screen Time passwords are much easier to forget since you rarely need them.

In this article, we’ll show you how to reveal your iOS 12 Screen Time passcode (or the Restrictions passcode if you’re using iOS 7 through 11) using Elcomsoft Phone Viewer.

Restrictions Passwords (iOS 7 through 11)

Restrictions passwords (or, rather, restrictions passcodes due to their fixed size of strictly 4 digits) were introduced as a means to protect changes to device settings, apps, and the Apple ID account. Restrictions passwords were carried over unchanged all the way to iOS 11.

In these versions of iOS, Restrictions passwords were stored on the device in the form of a hash derived from the user’s salted input with the PBKDF2-HMAC-SHA1 algorithm. Even though 1000 iterations are used to protect the hash, the length and complexity of the passcode were always fixed to exactly 4 digits. As a result, brute-forcing the hash doesn’t take longer than a few seconds on an average PC. All you need to recover the Restrictions password is one of the following:

  • An iTunes backup without a password, or
  • A password-protected iTunes backup with a known password, or
  • A backup downloaded from iCloud, or
  • A file system image obtained with iOS Forensic Toolkit or GrayKey.

Elcomsoft Phone Viewer 4.60 and newer versions can quickly brute-force the Restrictions password in the background while the backup is being opened. By the time EPV completely loads the backup, the Restrictions password will already be recovered.
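
Why 1000 iterations cannot protect a 4-digit secret, as an added example (not Elcomsoft's code and not taken from the original article): the sketch derives a PBKDF2-HMAC-SHA1 hash for a constructed passcode and salt, then walks all 10,000 candidates and estimates how many iterations a one-hour sweep would require. The salt, the 20-byte output length and the sample passcode are assumptions; only the algorithm, the iteration count and the 4-digit keyspace come from the text above.

```python
import hashlib
import hmac
import math
import time

ITERATIONS = 1000   # iteration count stated in the article
KEYSPACE = 10_000   # every 4-digit passcode, 0000 through 9999


def derive(passcode: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 over the passcode digits (20-byte output assumed)."""
    return hashlib.pbkdf2_hmac("sha1", passcode.encode("ascii"), salt, iterations)


def exhaust(target: bytes, salt: bytes, iterations: int = ITERATIONS):
    """Walk the whole keyspace; return (passcode or None, attempts, seconds)."""
    start = time.perf_counter()
    for n in range(KEYSPACE):
        candidate = f"{n:04d}"
        if hmac.compare_digest(derive(candidate, salt, iterations), target):
            return candidate, n + 1, time.perf_counter() - start
    return None, KEYSPACE, time.perf_counter() - start


def required_iterations(target_seconds: float, measured_seconds: float,
                        iterations: int = ITERATIONS) -> int:
    """Iterations needed for a full sweep to take target_seconds, scaling
    linearly from a sweep measured at `iterations` on the same hardware."""
    return math.ceil(iterations * target_seconds / measured_seconds)


if __name__ == "__main__":
    salt = bytes.fromhex("a1b2c3d4")       # constructed sample salt
    stored = derive("7391", salt)          # constructed sample passcode
    found, attempts, elapsed = exhaust(stored, salt)
    print(f"recovered {found} after {attempts} candidates in {elapsed:.2f}s")
    sweep = elapsed * KEYSPACE / attempts  # estimated full-keyspace time
    print(f"full sweep ~{sweep:.2f}s; a one-hour sweep would need "
          f"~{required_iterations(3600, sweep):,} iterations per guess")
```

With only 10,000 candidates, the per-guess cost would have to grow by orders of magnitude before key stretching meaningfully slows an exhaustive search.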

In order to reveal the Restrictions password with Elcomsoft Phone Viewer, perform the following steps.

  • Make a local backup of the iOS device using iTunes or iOS Forensic Toolkit, or download a backup from iCloud with Elcomsoft Phone Breaker. For the purpose of recovering the Restrictions password, it does not matter whether the backup is password-protected (however, if the local backup is encrypted with a password, you must know it); you can also work with a file system image (.tar or .zip), generated with iOS Forensic Toolkit or GrayKey, respectively.
  • Launch Elcomsoft Phone Viewer and open the local backup or file system image.
  • If you work with a backup and it is encrypted, you’ll be prompted for the password. You must then enter the backup password to decrypt the backup.
  • It’ll take a few moments to open the backup. While the backup is being processed, Elcomsoft Phone Viewer detects if the Restrictions password is set, and attacks it in the background. By the time the tool finishes opening the backup, the Restrictions password will already be recovered.
  • The Restrictions password will be displayed on the main window along with other device information.

Screen Time Password (iOS 12)

iOS 12 introduced Screen Time, a much more powerful system compared to Restrictions. The Restrictions passwords were converted to Screen Time passwords. In iOS 12, Apple developers moved away from hashing the password. iOS 12 devices store the original Screen Time password in the device keychain. The record is intentionally untethered: restoring from a password-protected local backup should fully restore the Screen Time password. However, the corresponding record is hidden; you won’t be able to access the Screen Time password when viewing stored passwords on the iPhone itself. You’ll have to make a password-protected local backup in order to decrypt the Screen Time password. You’ll need Elcomsoft Phone Viewer 4.60 or newer and one of the following:

  • A password-protected iTunes backup with a known password.

In order to reveal the Screen Time password with Elcomsoft Phone Viewer, perform the following steps.

  • Make a local backup of the iOS device using iTunes or iOS Forensic Toolkit. If you are using iTunes, try setting a known temporary password. iOS Forensic Toolkit attempts to automatically set a temporary password of “123”.
  • Launch Elcomsoft Phone Viewer and open the local backup.
  • When prompted, enter the backup password.
  • After the backup is opened, the Screen Time password will be displayed on the main screen along with other device information.

Screen Time Passwords in iOS 13

iOS 13 makes use of Screen Time passwords just like iOS 12. However, the exact location of the password has been changed in iOS 13. At this moment, Elcomsoft Phone Viewer won’t help you extract Screen Time passwords from iOS 13 backups.

Screen Time and iCloud

Under certain circumstances, Screen Time passwords may be stored in iCloud. We were able to extract such passwords from the cloud; you’ll need to wait for an updated version of Elcomsoft Phone Breaker to extract them.

