iPhone is disabled connect to itunes. How to restore without iTunes backup, but I do know the PIN and everything else

Somehow my elderly father has got his iPhone XR into the state where it says "iPhone is disabled connect to itunes". Both he and I know the passcode/PIN as well as Apple ID and password etc, so I would have thought this should be trivial to recover from. I suspect the cause might have been unintentional pocket button pressing. But whatever the cause, we need to be able to recover from this and restore his access.


Now I would have thought this should be easy as we have :-

  • all his credentials
  • iCloud backups
  • I am not 100% sure if we have iTunes backup as in this day and age I would have thought the iTunes backup would be good enough? But I am reasonably sure I would have a backup on iTunes as well.
  • He has 2 phone numbers on his account, so he can do 2 factor authorisation via SMS to another phone number if required.


Anyway, I am hoping someone can offer me a quick and reliable way to recover his phone data from this event. I have seen various conflicting pieces of information ranging from it is easy to you can't recover unless you have an iTunes backup, AND have not rebooted your phone since that backup was taken, and thus the device is trusted and various other things. But I am hoping this is not true as it would be monumentally stupid of Apple to implement it this way if simple pocket button pressing, or someone messing intentionally, or unintentionally can put your phone in this state.


Below I will outline what I have tried.


I have tried connecting to iTunes, but the phone does not come up in iTunes or Device Manager. Other posts suggest it should and might just ask for the PIN as it asks to trust me, which would be fine as we know the PIN. But this option is not offered. When I plug the phone in, I hear it beep for charging, but nothing else is offered. This is on PC. I think there is a reasonable chance I do have a backup (but not sure how to check if the iPhone does not come up).


I have been able to check there is an iCloud backup, by signing on via a browser. But this backup might or might not have happened before the phone was disabled.


Interestingly, if I try to use the phone for 2 factor authentication, I can hear the message coming in, but it does not display on the screen (luckily I have another option). Find my phone works.


I have read about 3rd party apps that claim to be able to restore it, but if Apple can't, why would a 3rd party be able to do this? There are also comments that it did not work, so I wonder if the limitation is the same as for Apple, i.e. if you have iTunes Backup AND you have not restarted your phone since, AND the phone is still trusted, it MIGHT work (but with routine software updates, unless you are backing up to iTunes every day, this is unlikely to be the case).


So surely with all of this there should be a relatively seamless way to restore the phone to operation with all of the data??? I can understand why Apple would want to take steps to limit the number of 4 digit PIN attempts (in case these attempts are malicious), but surely there is a better way to restore this for someone who knows ALL the credentials for the phone other than permanently locking the phone, only being able to recover by wiping all data, with no ability to restore. Surely we should be able to go on via password etc, and just unlock the phone there so PIN can be entered??


I am really hoping someone can help who has been through this. I am loath to jump in the deep end and scrub the phone hoping iCloud backup will restore until I am sure this will work.


Thanks heaps everyone.

iPhone XR

Posted on Jun 1, 2019 4:59 PM

6 replies

Jun 2, 2019 1:21 AM in response to Lyssa

Thanks Lyssa. That seems to match what I found here :-


https://support.apple.com/en-ca/HT204306


Do you know if I will be able to restore from an iCloud backup via this method???


As an aside, it is almost unbelievable that Apple would make such hard line decisions that would appear to show such little regard for people's valuable data. Sure they need protections for brute force PIN entry attempts. But there would be lots of ways of doing this that are less dangerous for the data of unsuspecting users who have paid Apple their hard-earned cash without suspecting that Apple would pay such little regard to protecting their data from minor end user errors.


Jun 3, 2019 8:58 PM in response to Lyssa

Thanks Lyssa for your feedback. From that I dived into the deep end.


Final update to help others that might follow and be in the same position. I can confirm on iOS 12.2.1 :-

  1. As far as I know there is no way to recover from "iPhone is disabled connect to iTunes" without wiping and restoring a recent backup. There might be a way, I just have not been able to clearly find it. If this is correct, and there is no other way of getting it back other than a backup, it would appear if you don't have access to a recent backup, your data will be lost. I noticed that some 3rd party software claimed to be able to get data off an iPhone without a backup, but did not try this because I did have a recent iCloud backup. So the next user with problems might like to hear if anyone has successfully used any 3rd party software to get a backup when they don't already have one. I suspect there might be all sorts of caveats like the fact that without a way to tell the phone to trust the PC, this software might be useless?
  2. I was able to erase the phone (as per the link I posted above), and from there I was able to restore from iCloud backup. Luckily my father had a recent iCloud backup. But obviously anything that is not in the iCloud backup, will not be restored.


So all solved for my father, despite the stress that it has caused him. Because he is elderly, and in Aged Care, his phone is his lifeline to the outside world. So being without his phone for a few days until I could collect it and fix it and return it is a significant stress for him.


Jun 3, 2019 9:00 PM in response to swainstm

I have now played with what is required for someone to get into this state with their phone. I had suspected that it might have been "pocket dialling", but having had a look, this looks possible, but probably unlikely. Pocket dialling could have used up some of his attempts, but not likely all. So I think in my father’s case, it probably was him trying to put in his PIN and, because of probably a combination of bad memory, or unsteady hands AND because there is no warning that his 10th PIN attempt might be so catastrophic, he kept trying until his phone was permanently disabled. To me it seems dangerous to end users for Apple to implement this, this way. The elderly is one place it is a bad idea, but there are no doubt others. What about kids trying to get into Dad’s phone to play a game, and disabling Dad's phone? What about the bully in the playground who delights in getting his hands on someone’s phone and disabling it simply by putting in bad PIN attempts? I know LOTS of people who do not have adequate backups of their phones and could potentially lose everything, despite having the phone and the PIN and the Apple ID and everything else, but no way to retrieve it without a backup!!!


I appreciate that Apple needs to protect people against others maliciously getting into the phone with brute force PIN retries. But there would appear to be lots of options to enable a more sensible default security stance, and perhaps just as importantly the ability to customise the security setting to suit their requirements. Let’s face it, my dad has different security requirements than say the President of the United States. But probably different levels of capability to deal with the complexity of added security. Some ideas to consider:-

  1. As the easiest level, once people have failed at their 1st 5 attempts, how about a warning that after the 10th failed attempt at logging on, their phone will be disabled permanently, and asking them to acknowledge that before they can do more PIN retries.
  2. Why do you need to disable after only 10 wrong guesses? Why not just keep extending the lockout time? Once the lockout time is say 4 hours between retries, it is going to be very unlikely this will be a malicious user's easiest way of getting into the phone.
  3. Why not give the end user the ability to use Apple ID to unlock the phone? If people have good passwords, it will not be practical to brute force the phone this way, and if they do not have adequate passwords on Apple ID account, then there would be a lot of others.


Don't get me wrong, I applaud Apple for taking security seriously. But the way they have implemented this security is a classic case of security working against the end user, and potentially in the interests of the malicious attacker.


Jun 3, 2019 10:11 PM in response to swainstm

Putting this into context, it definitely would not be wise for Apple to allow people to bang away against a PIN as fast as someone could do it, for as long as they want. So it is good that they slow down the speed of the attempts, which reduces any hacker's ability to get in by brute force.


So let's do some math on it to find out the risks. I suspect the limit of speed of ability to enter PIN attempts for argument's sake would be 2 per second. So if you have a 6 digit PIN it will take you about 70 hours to have a 50% chance of guessing the password, and 100% chance in 139 hours. If you have a 4 digit PIN, it would only take 1.39 hours to have 100% chance of guessing it and it would be a 50% chance in only 42 minutes. Now ignoring the fact that this would not be a practical attack for most people, you can see why, if security is important, it is important to slow down the speed of the retries. So good move Apple to slow down the retries from successive failures. And with only 10 attempts, unless an attacker has inside information, while it is possible to "get lucky" and guess the PIN in those 10 attempts, it is pretty unlikely.


But does Apple really need to disable the phone after only 10 attempts?? The answer is it depends. If you value security over all else, then it is probably a very good idea, because limiting the number and speed of attempts does reduce the risks from the attacker "getting lucky". Note though even this does not eliminate the risk because even with one attempt it is theoretically possible that the attacker gets lucky (not likely, but possible). But for most people, I suspect they will value access to their phone and data more than this and it is overkill to disable after 10 attempts. So let's assume Apple allow the 1st 10 attempts as they currently do, but then require 1 hour between each retry after that. I suspect this will be MORE than good enough to deter people trying to gain access via brute force. Let's do the numbers at 1 retry per hour :-

  1. For 6-digit PINs, which is the default. Doing the numbers on this, it will take a hacker 114 years to have 100% chance to brute force the phone, or 57 years to have a 50% chance.
  2. For 4-digit PINs, which someone has manually selected and, I assume, understands that they are electing convenience over security and so it is reasonable to assume they are happy to take more risks, of course the risk of brute force goes up. But even then an attacker would have to try for 1.14 years to have 100% chance of successful brute force, and it would take them a bit over 6 months of constant methodical retrying to have a 50% chance of getting in. So clearly it is theoretically possible, but probably not practical or likely to be the way someone gets in, because there will usually be easier ways. And guess what, if you are concerned about this, you can clearly step back to the default 6 digit PINs or set the phone to erase after 10 attempts.


Even with 4 digit PIN, anyone who wanted to get into my phone badly enough would be VERY unlikely to try a brute force attack that would likely take them 6 - 12 months of constant retries. My guess is they might try a few combinations of common PINs, things that involve your or your partner's birthdays or postcodes if they have access to that sort of information, and give up after that. But ignore these things in your PIN as you should and you completely disarm this sort of attack. I think anyone who thought malicious access to your phone was worth a brute force attack would probably be able to think of a quicker and easier way rather than this sort of brute force, e.g. just pull a gun on you and get you to tell them the PIN, or stand over your shoulder and watch you enter your PIN, or set up a camera to record you entering your PIN. If they were going to be prepared to spend that much time, it would probably be easier and quicker for them to mock up a dummy phone that looks like yours, put it in your phone case so it looks like theirs. But the mock up just records your PIN entry attempts and sends it to you and then tells them that their phone is disabled due to wrong PIN attempts. Bingo, you have their PIN so you can then get into their phone and do whatever you need before they can figure out what has gone on, and maybe even return their phone without them even knowing they have been hacked. Not easy or trivial, but probably a LOT easier than sitting there methodically entering PIN numbers in their phone for 6-12 months.


So again, it is hard to understand what rational reason Apple has to default to nuking your phone after 10 failed PIN attempts to provide a level of security that is just not needed by most people. And those that do will probably know and have other options that protect their data, and at the same time manage the risks by ensuring they have adequate data backups for their needs.


Let's hope they rethink this one.
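
The arithmetic in the posts above, generalised into a small policy comparison. This is an added example, not part of the original thread: the policy functions and the doubling schedule with a 4-hour cap are assumptions made for illustration and are not Apple's actual lockout schedule.

```python
"""Compare PIN-retry throttling policies (added example; schedules are assumptions)."""
import math

YEAR = 365 * 24 * 3600  # seconds

def flat(rate_per_sec):
    """Unthrottled entry, e.g. the thread's 2 attempts per second."""
    return lambda n: 1.0 / rate_per_sec

def free_then_fixed(free, slow_delay, fast_delay=0.5):
    """The thread's proposal: `free` quick attempts, then a fixed wait per retry."""
    return lambda n: fast_delay if n <= free else slow_delay

def escalating(free, first_delay, cap, fast_delay=0.5):
    """Hypothetical doubling lockout that stops growing at `cap` seconds."""
    def delay(n):
        if n <= free:
            return fast_delay
        return min(first_delay * 2 ** min(n - free - 1, 40), cap)
    return delay

def time_to_cover(digits, fraction, policy):
    """Seconds needed to try `fraction` of all PINs of this length."""
    attempts = math.ceil(fraction * 10 ** digits)
    return sum(policy(n) for n in range(1, attempts + 1))

def success_within(digits, budget, policy):
    """Chance a uniformly random PIN is hit by sequential guessing in `budget` seconds."""
    keyspace = 10 ** digits
    elapsed, tried = 0.0, 0
    while tried < keyspace:
        elapsed += policy(tried + 1)
        if elapsed > budget:
            break
        tried += 1
    return tried / keyspace

if __name__ == "__main__":
    policies = {
        "2 per second, no throttle": flat(2),
        "10 free, then 1 per hour": free_then_fixed(10, 3600),
        "5 free, doubling to 4 h cap": escalating(5, 60, 4 * 3600),
    }
    for name, policy in policies.items():
        for digits in (4, 6):
            full = time_to_cover(digits, 1.0, policy) / YEAR
            month = success_within(digits, 30 * 24 * 3600, policy)
            print(f"{name:28} {digits}-digit: {full:10.4f} y to exhaust, "
                  f"{month:.2%} hit chance in 30 days")
```

The 30-day figure is the more useful one when weighing a policy: it shows how much of the PIN space someone holding the phone for a month could cover, rather than only the time to exhaust it.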


This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
