Recovering Screen Time Passwords

December 15th, 2020 by Vladimir Katalov
Category: «Mobile», «Tips & Tricks»

The Screen Time password has long been recommended as an extra security layer. By setting a Screen Time password without any additional restrictions, Apple users could easily dodge attempts to change or remove the screen lock passcode, reset the iTunes backup password, or remove the activation lock. For a long time, removing the Screen Time password was not possible without either providing the original password or erasing the device. However, Apple has changed the way it works, making it possible to reset the Screen Time password with an iCloud/Apple ID password.

Why Screen Time is important for forensics

Screen Time is a really nice feature that allows keeping track of application usage, limiting the time spent in specific apps and app categories, and doing a lot more; see “Use Screen Time on your iPhone, iPad, or iPod touch”. At the same time, Screen Time is extremely important for investigations. It’s not just about the app usage analysis that may unveil important evidence. Whether or not Screen Time is enabled, device activities are logged, and can be extracted and analyzed using proper forensic software. It is the Screen Time password that, if one is set and not known, prevents the device settings from being reset.

Why would a forensic specialist need to reset the settings? There are at least two reasons to do that. The first reason is removing the device screen lock passcode, which, in turn, may be required in order to install the checkra1n jailbreak on the iPhone 8, iPhone 8 Plus and iPhone X models with iOS 14, or to perform the direct checkm8-based acquisition available in some forensic products for the same range of devices. We covered this problem (from both sides) in the following articles:

Sometimes, the device passcode cannot be reset due to Apple Pay or third-party configuration settings. If this is the case, the most common solution is to Reset All Settings (which also removes the screen lock passcode), as we described in How to Remove The iPhone Passcode You Cannot Remove.

Another reason to circumvent Screen Time protection is the ability to reset the iTunes backup password. If the Screen Time password is set, accessing the “Reset All Settings” command (the same that is used to remove the screen lock passcode) is blocked until the correct Screen Time password is provided. We described the issue in Using Screen Time Password to Protect iPhone Local Backups. In the course of performing logical acquisition of an iOS device, a password-protected backup may be unbreakable within the required time limits.

Screen Time password recovery

So, what can you do if you desperately need to access the “Reset All Settings” command, but the Screen Time password prevents you from doing so? Several solutions exist, but they do not always work:

There is one option we missed in the above articles simply because it was introduced in iOS at a later time. Specifically, the new option appeared in iOS 13.4, released in March 2020. Starting with iOS 13.4, you can reset the Screen Time password through iCloud; see “If you forgot your Screen Time passcode”.

Does it really work? Yes, even better than expected.

Once you set up the Screen Time password (which is optional), you can additionally set up the recovery option via iCloud (also optional).

Why did I say “better than expected”? While we fully expected the feature to work as described if one configured the use of the Apple ID to reset the Screen Time password, we were surprised to learn that you can actually skip that step and get by without entering the iCloud credentials, and… the Screen Time recovery procedure still works. You can test it by enabling the Screen Time passcode and skipping the prompt. Let’s see what happens.

Now open Screen Time and try to change the password, or use any feature that requires the Screen Time password to be entered, but place the device into Airplane mode first. Tap the “Forgot passcode?” link, and… the counter of incorrect attempts will immediately increase:

This is funny; I have not entered anything at all?

OK, let’s connect the device to the Internet and try again:

Enter the Apple ID and password, and the Screen Time passcode will be reset whether or not you had enabled the recovery option. This means that a Screen Time recovery token, so to speak, is always saved in iCloud. We have seen that before. Apple does save much more data in iCloud than one may believe.

When testing this feature, I once received the following error: “Failed to Provide Apple ID”. I don’t get it. Failed what? And when? What did I do wrong, and how can I make it right?

In conclusion, we finally do have a Screen Time recovery option directly from Apple. And it does work. It does require the user’s iCloud credentials, and that could be a problem if you are doing a forensic investigation: even if you know the user’s Apple ID password, you will need to take the risk of connecting the device to the Internet.

 

