No bounty for Guided Access Escape

When some of our sons found out about Apple’s Security Bounty, their eyes lit right up, naturally. In our family, limiting screen-time is part of our family culture, and one of the ways we achieve this is through a really cool feature called Guided Access.

Guided Access basically locks an iOS device to a specific app and, optionally, can put a time-limit on it. When you combine it with muting notifications, it really is a wonderful instrument of focus on a task at hand, and eliminates distractions. Otherwise, it takes less than a few seconds before they slip from Duo Lingo to watching a Fortnite YouTuber.

When we (parents) go grocery-shopping, we often leave an iOS device at home on Guided Access on iMessage so they can stay in touch with us. It turns out that there are not one, not two, but three Guided Access escapes possible, as discovered by our children. We took the responsible disclosure path to advise Apple, but their security team was like:

Apple’s response:

Thank you for contacting us. Apple takes all reports of potential security issues seriously.
Features like Guided Access and Restrictions are designed to provide parents and system administrators with the tools to discourage violations of policy by legitimate users. These features are not intended to protect a device against manipulation by a malicious person, and physical security remains an important part of protecting the data on your iPad, iPhone, or iPod touch.

In other words, no bounty. $100,000 would have been nice for an escape… Oh well, we waited a while, figuring for sure in iOS 13.5 this would be fixed, but we see the escapes are still there, so at this point we feel we can disclose it along with mitigation tactics so other parents and caregivers aren’t caught unaware.

The escape

This one is specific to Guided Access mode on iMessage. It can be reproduced following these steps:

  • Enable Guided Access under Settings -> Accessibility -> Guided Access and set a pin, enable/disable FaceID, etc
  • Open iMessage
  • Triple-click Side button to enable Guided Access
  • Under Options, enable Side Button
  • Select Start
  • Tap Side Button (screen will go blank)
  • Tap Side Button (screen automatically goes back to iMessage)
  • Tap on the user at the top
  • Tap on FaceTime

That’s it. The Guided Access escape is granted. In our case, the “home” family iOS device has no passcode, but when on guided access it needs a passcode (without this escape).

The escape lands iOS back on the Home Screen. Sans Guided Access.

Here’s a brief recording on how it’s done:

The second escape is letting the battery expire. On power-up, Guided Access does not resume.

The third escape is a forced power-cycle. Volume Up, Volume Down, Side button – hold until Apple logo appears.

Mitigation

The only way to prevent hostile usage of Guided Access is to have a power-on passcode that is not known by the Guided Access users.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: