In recent years, Apple had switched from 4-digit PINs to 6 digits, while implementing blacklists of insecure PIN codes. How do these measures affect security, how much more security do six-digit PINs deliver compared to four-digit PINs, and do blacklists actually work? Let’s try to find out.
Simply put, a PIN code or passcode is the key to the content of an iOS device. While a passcode can be composed of an arbitrary number of alphanumeric characters, PINs are digit-only, fixed length passcodes. In this article we’ll discuss the security of PIN codes.
While some activities can be performed with a biometrically unlocked device (Face ID or Touch ID), a lot of activities require the use of a PIN code. Without a PIN code, most acquisition methods (except manual analysis) may not be available. A PIN code is needed to pair the device to the computer, which is a required pre-requisite to both the advanced logical and low-level extraction methods. The PIN is required even for extracting devices that are vulnerable to checkm8 as without the PIN most user data on the device will remain encrypted. The following table summarizes the differences between unlocking the device with biometrics (Touch ID/Face ID) and PIN code.
Touch ID/Face ID | PIN | |
Unlock BFU device | No | Yes |
Unlock AFU device | Sometimes | Yes |
AFU DEVICES ONLY | ||
Pair with new computer | No | Yes |
Connect to a trusted computer | Yes | Yes |
Make a local backup | Trusted/Lockdown only | Yes |
Access media files | Yes (on device) | Yes |
View saved passwords | Yes (on device) | Yes (on device) |
Reset iTunes backup password | No | Yes (if no Screen Time password) |
Disable iCloud lock | No | Yes |
Use Apple Pay | Yes | Yes |
File system image (low-level extraction) | No | Yes |
Keychain (low-level extraction) | No | Yes |
checkm8 extraction (on compatible devices) | No | Yes (except A11 devices with iOS 16+) |
iCloud Keychain, Health, Messages | No | Yes |
Bypass USB restricted mode | Partial * | Yes |
* While you can unlock the device with biometrics and connect a USB accessory, pairing the device to a computer would still require a PIN.
In the context of forensic investigations, the ability to recover PIN codes can be critical to gaining access to evidence stored on a device. However, with the Erase Data option turned on, there is a risk that all content and settings on the device will be permanently deleted after 10 (or less) consecutive incorrect attempts to enter the passcode. According to Apple, “If the Erase Data option is turned on (in Settings > Touch ID & Passcode), after 10 consecutive incorrect attempts to enter the passcode, all content and settings are removed from storage. Consecutive attempts of the same incorrect passcode don’t count toward the limit. This setting is also available as an administrative policy through a mobile device management (MDM) solution that supports this feature and through Microsoft Exchange ActiveSync, and can be set to a lower threshold.”
The risk of recovering PIN codes with the Erase Data option turned on is high, and experts must carefully balance the need for access to evidence with the potential risk of permanently deleting important information. Therefore, if you are considering attempting to recover a PIN code, be careful not to exceed the allowable number of incorrect attempts. This means you must have a solid understanding of the potential consequences of exceeding the limit, and must exercise reasonable caution when attempting to recover the passcode.
Note that the Erase Data option can be set to a lower threshold through MDM or Microsoft Exchange ActiveSync, which could make it even more challenging to attack a PIN code without losing access to the data.
Apple has a comprehensive article on Passcodes and passwords in which the company explains how escalating time delays discourage brute-force attacks. Quote:
In iOS and iPadOS, to further discourage brute-force passcode attacks, there are escalating time delays after the entry of an invalid passcode at the Lock Screen, as shown in the table below.
Attempts |
Delay enforced |
---|---|
1–4 | None |
5 | 1 minute |
6 | 5 minutes |
7–8 | 15 minutes |
9 | 1 hour |
On devices with Secure Enclave, the delays are enforced by the Secure Enclave. If the device is restarted during a timed delay, the delay is still enforced, with the timer starting over for the current period.
With escalating delays, it will take some 416 days to try all possible combinations of 4-digit passcodes, and 114 years to try all possible 6-gidit passcodes. This also means that one can reasonably try the short list of weak passcodes followed by a short list of PINs resulting from the social engineering attempt.
On devices without Secure Enclave full passcode unlock is available with no escalating time delays: iPhone 5 and 5c Passcode Unlock with iOS Forensic Toolkit. On these devices we can reach the speed of 13.6 passcodes per second, which only requires 12 minutes to try all possible combinations of 4-digit PINs. The enumeration of all 6-digit PINs, however, will take up to 21 hours.
All current Apple devices are equipped with a security co-processor named Secure Enclave Processor (SEP). The SEP is able to enforce the throttling of PIN recovery attempts even if the device is otherwise exploitable (which is the case with devices up to and including the iPhone 8, 8 Plus, and iPhone X that have a bootloader-level vulnerability enabling the attacker to gain the highest possible level of privileges). For some very old devices (such as the 2013 iPhone 5c and older) the lack of SEP makes them susceptible to on-device PIN brute-force.
Notably, some restrictions can also be bypassed on some devices with Secure Enclave for which SEP exploits are available. On these devices, the recovery can be performed much faster. Depending on the device model, its initial state and iOS version, the brute-force rate can range from ~30 passwords per second to ~4 passwords per minute. As far as we know, the latest exploitable chip is the Apple A13 (the iPhone 11 range and iPhone SE gen 2).
The Android security subsystem is quite different from that of Apple devices. For example, various manufacturers offer their own solutions that may replace the classic PIN unlock ranging from the familiar pattern unlock to puzzle-like solutions. The internal implementations also differ. In ARM devices, the closest analogue of SEP is TrustZone implementing a Trusted Execution Environment (TEE). There are various implementations of TEE, many of which have exploits. In particular, one can extract and decrypt user data regardless of the complexity of the screen lock if the device is equipped with a MediaTek SoC. Exploits are also available for many Android smartphones built with other chips. It is impossible to cover all of them in a single article due to the huge variety of manufacturers, models and hardware and firmware variations.
Some PIN codes are weaker than others. According to PIN number analysis (datagenetics.com), these twenty PIN codes represent 26.83% of real-world PIN codes in use:
PIN | Freq | |
---|---|---|
#1 | 1234 | 10.713% |
#2 | 1111 | 6.016% |
#3 | 0000 | 1.881% |
#4 | 1212 | 1.197% |
#5 | 7777 | 0.745% |
#6 | 1004 | 0.616% |
#7 | 2000 | 0.613% |
#8 | 4444 | 0.526% |
#9 | 2222 | 0.516% |
#10 | 6969 | 0.512% |
#11 | 9999 | 0.451% |
#12 | 3333 | 0.419% |
#13 | 5555 | 0.395% |
#14 | 6666 | 0.391% |
#15 | 1122 | 0.366% |
#16 | 1313 | 0.304% |
#17 | 8888 | 0.303% |
#18 | 4321 | 0.293% |
#19 | 2001 | 0.290% |
#20 | 1010 | 0.285% |
Assuming that you know nothing about the suspect, the best attack strategy would be to try these most popular PINs first. In fact, you may try an even larger list of common PIN codes such as those published on github. Besides Apple’s 4-digit and 6-digit blocklists, the authors also created data-driven blocklists that are significantly (10x) smaller (27/29 PINs) and (10x) larger (2740/291,000 PINs) than the iOS 4/6-digit blocklists. Some of those lists are made available by the authors; please visit This PIN Can Be Easily Guessed for more information and download links.
# | Name | Source | Length | Blocklisted |
---|---|---|---|---|
1 | iOS-4-digit | Apple iOS | 4-digit | 274 |
2 | iOS-6-digit | Apple iOS | 6-digit | 2,910 |
3 | DD-4-digit-27 | Top Amitay | 4-digit | 27 |
4 | DD-4-digit-2740 | Top Amitay | 4-digit | 2,740 |
5 | DD-6-digit-29 | Top RockYou | 6-digit | 29 |
6 | DD-6-digit-291000 | Top RockYou | 6-digit | 291,000 |
The most common PIN codes work great if you know nothing about the suspect. However, if you do have some information about them, the best attack strategy would be to try a small list of the most popular PINs first followed by the list of PINs that might be significant for the suspect. Examples of such PINs include:
It is known that some patterns are more common than others for various reasons. For example, 696969 is one of the most common six-digit PINs, or 159753 (a “X” mark over the numeric keypad). There can be many different reasons making certain PINs more likely than the rest, and there are various studies such as PIN number analysis (datagenetics.com), [2003.04868] This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs (arxiv.org) or (PDF) On the Security of Smartphone Unlock PINs (researchgate.net) analyzing the patterns in many details. These studies are interesting reading, but in the end common PIN codes have all been published in the lists of weak PIN codes. There is no need to be too creative when attacking an iPhone PIN code. We recommend the following courses of action.
Cold attack (nothing is known about the owner)
Smart attack/social engineering (some information is known about the owner and/or their surrounding)
A blacklist is a list of unacceptable PINs. Blacklists can be blocking (an unacceptable PIN will be rejected) and non-blocking (the user will be warned, but an unacceptable PIN can still be used). According to a study conducted by Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, and Adam J. Aviv back in 2020, iOS maintains non-blocking blacklists for for 4-digits (274 PINs) as well as 6-digits (2910 PINs). The authors concluded that these “relatively small blocklists in use today by iOS offer little or no benefit against a throttled guessing attack“.
On the other hand, these built-in blocklists represent the most commonly used PIN codes, and they are non-blocking, which means that trying PINs from these blocklists may increase probability of a successful unlock. Note that iOS blocklists are already included to many lists of the most common PINs.
Interested in smartphone PIN security? We recommend the following articles:
Analysis of Android lock patterns:
Just for fun: