Screen Time passcode can be brute-forced via "Erase All Content and Settings" flow (no rate limiting)

App & System Services General
Quappi OP
Created 12h
Replies 0
Boosts 0
Views 32
Participants 1

Dear Screen Time Team!

The Screen Time passcode can be brute-forced without rate limiting by repeatedly attempting guesses through the "Erase All Content and Settings" flow.

This allows unlimited passcode attempts with no delay, lockout, or escalation, effectively defeating the purpose of the Screen Time passcode as a parental control mechanism.

Impact:

  • Children can bypass Screen Time protections by guessing the passcode
  • No rate limiting enables trivial brute-force attacks (especially for 4-digit codes)
  • Undermines trust in Screen Time as a parental control system
  • Creates real-world safety risks for families relying on Screen Time restrictions
  • Publicly shared methods (e.g. on TikTok) increase likelihood of widespread abuse

Steps to Reproduce:

  1. Enable Screen Time and set a passcode
  2. Open Settings → General → Transfer or Reset iPhone → Erase All Content and Settings
  3. When prompted for the Screen Time passcode, enter an incorrect code
  4. Repeat the process with different guesses

Expected Result:

  • After a small number of incorrect attempts, the system should:
    • enforce exponential backoff delays, or
    • temporarily lock further attempts, or
    • require Apple ID authentication
  • Attempts should be rate-limited across system flows

Actual Result:

  • Unlimited passcode attempts are allowed
  • No delay, lockout, or penalty is applied
  • Enables rapid brute-force guessing of the Screen Time passcode

Notes:

  • This appears to bypass standard passcode protections that exist in other parts of iOS
  • The issue is especially severe for 4-digit Screen Time passcodes (10,000 combinations)
  • The attack surface is exposed through a system-level reset flow

Suggested Fix:

  • Introduce global rate limiting for Screen Time passcode attempts across all entry points
  • Apply exponential backoff after failed attempts
  • Require Apple ID authentication after multiple failures
  • Consider enforcing 6-digit minimum passcodes for Screen Time
  • Log and unify attempt counters across system components

Severity: Critical (Security vulnerability enabling brute-force of parental control passcode)

See TikTok: https://www.tiktok.com/@aldanaisthebest12170/video/7615053429500644621

Feedback request: FB22263276

– Frederik

(one sec app)

Replies  0
Boosts  0
Views  32
Participants  1
Screen Time passcode can be brute-forced via "Erase All Content and Settings" flow (no rate limiting)
First post date Last post date
 
 
Q