Using Screen Time Password to Protect iPhone Local Backups

September 28th, 2020 by Oleg Afonin
Category: «Mobile», «Tips & Tricks»

The iOS backup system is truly unrivalled. The highly comprehensive, versatile and secure backups can be created with Apple iTunes. For the user, local backups are a convenient and easy way to transfer data to a new device or restore an existing one after a factory reset. For forensic experts, iOS backups are an equally convenient, versatile and easy way to obtain a copy of the user’s data without attempting to break into the device. In malicious hands, the backup becomes a dangerous weapon. Logins and passwords from the Keychain allow hackers accessing the user’s social accounts, messages, and financial information. A backup password can be set to protect local backups, but it can be removed just as easily shall the hacker have access to the physical iPhone and know its passcode. In this article, we’ll discuss how the Screen Time password can be used to further strengthen the protection of local backups.

iTunes backups

In Apple’s land, backups are handled by the iTunes app installed on the user’s computer. The backups contain a lot of important information: a lot of app data, logins with passwords, Apple Watch backups, browsing history, and a lot more. This highly sensitive information can be protected with a password, which is then used to encrypt data before it even leaves the iPhone. The receiving end (the iTunes app, a forensic tool or a hacker’s utility) will only receive a stream of encrypted data that cannot be decrypted without the right password.

The encryption of local backups in iOS is extremely strong. Even the use of hardware acceleration delivers brute-force rates of just a few passwords per second. Accordingly, the brute-force attack is useless even if the user sets a simple 6-character password. However, even if you have a very strong password protecting your backup, photos and media can still be extracted if the iPhone can be unlocked.

Prior to iOS 11, a long and complex backup password was enough to securely protect data. There was no way to delete or change the password without entering the old one. This has changed in iOS 11.

Resetting backup passwords

iOS 11 brought the ability to reset iTunes backup passwords on the iPhone without entering or knowing the old password. If an attacker knows the screen lock password, they can use it to simply reset the backup password. After the reset, one can connect the iPhone to the computer and access the data, including passwords. Apple provides detailed instructions on how to reset your backup password:

With iOS 11 or later or iPadOS, you can make a new encrypted backup of your device by resetting the password. Here’s what to do:

  1. On your device, go to Settings > General > Reset.
  2. Tap Reset All Settings and enter your device passcode.
  3. Follow the steps to reset your settings. This won’t affect your user data or passwords, but it will reset settings like display brightness, Home screen layout, and wallpaper. It also removes your encrypted backup password.
  4. Connect your device to the Finder or iTunes again and create a new encrypted backup using the steps above.

You won’t be able to use previous encrypted backups, but you can use the Finder or iTunes to back up your current data and set a new backup password.

If you have a device with iOS 10 or earlier, you can’t reset the password. 

Protecting backup passwords

As you can see, resetting the backup password is too easy. However, you can add an extra protection layer by setting the Screen Time password.

You can restrict the ability to reset the backup password by simply enabling the Screen Time password. While Screen Time passwords are in fact 4-digit PIN codes, they are still effective against on-device attacks. Since the Screen Time password is rarely used and differs from the device passcode, it is very unlikely that somebody watching from behind your back can pick it up. You will only need the Screen Time password on very rare occasions. You can even set a random code and write it down on a piece of paper.

What happens when you try to reset your backup password with the Screen Time password enabled? iOS will first prompt you for the device passcode, followed by the prompt for your 4-digit Screen Time password. This security measure is quite capable of not only deterring the curious, but also protecting the iPhone from targeted hacking attempts.

Revealing the Screen Time password

The Screen Time password is stored on the device. It is impossible to brute-force it on the iPhone as there will be progressively increasing delays between attempts. After several unsuccessful attempts, the system will limit the rate at which Screen Time passwords are searched by introducing delays of 1, 5, 15, and 60 minutes. After 10 unsuccessful attempts, each subsequent attempt can be made no earlier than in one hour; rebooting the device will not speed up the process. Thus, the 10,000 combinations can be tried in 416 days.

However, you may be able to extract the Screen Time password from the device if you can jailbreak it (and know the device passcode) or if you have an old backup to which you happen to know the password. The point is moot though, as in both cases you may be able to access the user’s data without breaking the Screen Time password.

Method 1: from a backup

In iOS 12, the Screen Time password was stored in the Keychain, which had it in plain text. The Screen Time password had the lowest protection class possible; it was not tied to the device so that restoring a new iPhone from the backup would re-enable the same Screen Time password. To extract the Screen Time password from an iOS 12 device, you will need:

  • Password-protected local backup (password must be known)

Since iOS 13, the Screen Time password no longer appears in local backups. The only way to obtain the password would be using a jailbreak to analyze the content of the device. In iOS 14, the Screen Time is not part of a local backup either. However, one may be able to extract the Screen Time password from iCloud; more information in How to Extract Screen Time Passcodes and Voice Memos from iCloud.

Method 2: via jailbreak

Obviously, the first method will only work if the backup does not have a password of if you know that password, making the whole point moot. However, if you can jailbreak the device, you may be able to extract that password easily. One would need to extract, decrypt and analyze the Keychain in order to discover the password. However, if the Keychain can be extracted and decrypted, there is really no point in accessing the Screen Time password as the data can be extracted via the jailbreak. In addition, the backup password itself can be also extracted from the Keychain: the backup password is also stored in plain text.

Method 3: via extraction agent

An extraction method offered in Elcomsoft iOS Forensic Toolkit does not use a jailbreak. Instead, this extraction method is based on direct access to the file system via an agent app. Using agent-based extraction, one can can perform the full file system extraction and decrypt the keychain without the risks associated with third-party jailbreaks.

One more thing

The Screen Time password is also stored in iCloud, but only if both two-factor authentication and the Screen Time “Share across devices” option are enabled. The password can be retrieved from iCloud with Elcomsoft Phone Breaker. To do this, you need all of the following:

  • The user’s Apple ID and password
  • Second authentication factor
  • Device passcode

Read more about extracting Screen Time passwords in How To Access Screen Time Password and Recover iOS Restrictions Password.

Conclusion

The Screen Time password is an effective way of protecting your backup password. If you set that password, your iPhone will receive an extra layer of protection against a factory reset. Anyone who wants to reset your iPhone or change your iCloud password will have to provide the Screen Lock password first – that’s in addition to your iPhone passcode. For some devices (the iPhone 8, 8 Plus and iPhone X and older models) have a BootROM vulnerability making them relatively easy targets. On newer devices, a combination of a 6-digit passcode, 4-digit Screen Time password and a strong backup password will deliver sufficient security if you keep your system up to date.