One day I was testing the security hardening of an organization's corporate iPads when I noticed that restrictions such as “cannot use internet, cannot install apps” etc. were locked with a 4-digit admin PIN code.

I started trying the most common PINs (see http://www.datagenetics.com/blog/september32012/) until I noticed that I was slowed down drastically by a time delay between tries, which reached 1 hour after only 4-5 tries.

For non-techies, this is a security control put in place to deter brute force attacks (i.e. so an attacker cannot use an automated script to try every possible combination; in the case of a 4-digit code there are 10,000 combinations: the digits 0-9 give 10 choices per position, and 10x10x10x10 = 10,000).

The next thing that came to my mind is an old hacking trick that people used to bypass expired licenses: set the current date to a future date to trick the software into thinking the license has not expired.

To my surprise, this old trick worked on Apple’s iPad and essentially gave me a green light for automated brute-forcing. So I did just that: I brought my keystroke injection USB platform, the Rubber Ducky, and started sketching the attack.
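The weakness the date trick exposes is a lockout that measures its delay against the user-settable wall clock. As an added example (not the author's code; the back-off schedule and the PIN are constructed), here is that design next to a hardened one that uses a monotonic clock plus a hard cap on failures, with a simulation that moves the date a day ahead after every guess:

```python
import time
from dataclasses import dataclass
from typing import Callable

DELAYS = [0, 0, 60, 300, 900, 3600]  # back-off after the n-th failure; constructed, not the device's real schedule

def delay_for(failures: int) -> int:
    return DELAYS[min(failures, len(DELAYS) - 1)]

@dataclass
class WallClockLockout:
    """Weak design: the unlock deadline is compared with the user-settable wall clock."""
    secret: str
    clock: Callable[[], float] = time.time
    failures: int = 0
    unlock_at: float = 0.0

    def try_pin(self, pin: str) -> str:
        now = self.clock()
        if now < self.unlock_at:
            return "locked"
        if pin == self.secret:
            self.failures = 0
            return "ok"
        self.failures += 1
        self.unlock_at = now + delay_for(self.failures)
        return "wrong"

@dataclass
class MonotonicLockout(WallClockLockout):
    """Hardened: a clock Settings cannot move, plus a hard cap on total failures."""
    clock: Callable[[], float] = time.monotonic
    max_failures: int = 10

    def try_pin(self, pin: str) -> str:
        if self.failures >= self.max_failures:
            return "disabled"  # stays disabled until an admin / MDM reset
        return super().try_pin(pin)

def guesses_evaluated(lockout_cls, clock_key: str, attempts: int = 6) -> int:
    """Guess wrong `attempts` times, jumping the date a day ahead after each guess.
    Returns how many guesses were actually checked instead of rejected as locked."""
    clocks = {"wall": 1_700_000_000.0, "mono": 0.0}  # constructed clocks; Settings only moves 'wall'
    lock = lockout_cls(secret="7391", clock=lambda: clocks[clock_key])
    evaluated = 0
    for i in range(attempts):
        if lock.try_pin(f"{i:04d}") == "wrong":
            evaluated += 1
        clocks["wall"] += 86_400  # "set the current date to a future date"
    return evaluated
```

Against the wall-clock design every guess gets checked; against the monotonic design the third guess onward is rejected as locked, and the failure cap means even the correct PIN is refused once the budget is spent.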

I initially thought it would be a 10 min script, but I realized that jumping from the PIN code login attempt to the date and time menu item to set it into the future cannot be done using keyboard shortcuts. The trick was to enable a feature on the iPad that is usually used by people with vision disabilities, which allows you to effectively shift between menu items using the left and right arrow keys.

So the only part remaining was to translate the PIN codes into the corresponding LEFT and RIGHT arrow presses. After coming up with the algorithm, I managed to create a Python script that generated the Rubber Ducky script that brute-forced the iPad’s restrictions code.

You can download and run the code yourself, as I published it on GitHub here: https://github.com/OffensiveBits/iPadRestrictionsCodeBypass/

If you need more details on the Rubber Ducky USB, see: http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe

I also used a Lightning to USB camera adapter to plug in my fake keyboard, which you can buy from any Apple shop.


For the POC, you can check out the demo at the top of the page.

by Tudor Enache