Skip to content

Hide Navigation Hide TOC

Device Lockout - T1446 (9d7c32f4-ab39-49dc-8055-8106bc2294a1)

An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.

On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)

On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)

Cluster A Galaxy A Cluster B Galaxy B Level
Device Lockout - T1629.002 (acf8fd2a-dc98-43b4-8d37-64e10728e591) Attack Pattern Device Lockout - T1446 (9d7c32f4-ab39-49dc-8055-8106bc2294a1) Attack Pattern 1
Device Lockout - T1629.002 (acf8fd2a-dc98-43b4-8d37-64e10728e591) Attack Pattern Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) Attack Pattern 2