Tools like those from Cellebrite and Grayshift don’t actually
break iPhones’ encryption; they guess the password. To do so, they
exploit flaws in the software, like Checkm8, to remove the limit
of 10 password attempts. (After about 10 failed attempts, an
iPhone erases its data.) The tools then use a so-called
brute-force attack, which automatically tries thousands of
passcodes until one works.
That approach means the wild card in the Pensacola case is the
length of the suspect’s passcode. If it’s six numbers — the
default on iPhones — authorities almost certainly can break it.
If it’s longer, it might be impossible.
A four-number passcode, the previous default length, would take on
average about seven minutes to guess. If it’s six digits, it would
take on average about 11 hours. Eight digits: 46 days. Ten digits:
If the passcode uses both numbers and letters, there are far more
possible passcodes — and thus cracking it takes much longer. A
six-character alphanumeric passcode would take on average 72 years
It takes 80 milliseconds for an iPhone to compute each guess.
While that may seem small, consider that software can
theoretically try thousands of passcodes a second. With the delay,
it can try only about 12 a second.
The basic thing to understand is that there are effectively two systems on a modern iPhone: (1) the iPhone itself, running iOS; and (2) the Secure Enclave. iOS can be hacked. That’s how these tools remove the 10-passcode-guesses-and-you’re-out limit. But it’s the Secure Enclave that evaluates a passcode and controls encryption, and the 80-millisecond processing time for passcode evaluation isn’t an artificial limit that could be set to 0 by hackers. It’s a hardware limitation, not software.
So, if you’re worried about any of this, the answer is simple: use an alphanumeric passphrase to unlock your iOS device, not a 6-digit numeric passcode.
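The arithmetic behind the quoted figures, as an added example (not code from the article or from this post): average search time is half the keyspace times the 80 ms per-guess cost, and `min_length` inverts that to pick a passcode length for a target resistance time. The alphabet sizes are assumptions; the 62-symbol one (mixed-case letters plus digits) is the one that reproduces the 72-year figure.

```python
# Added example: passcode search time at a fixed per-guess cost.
GUESS_SECONDS = 0.080          # per-guess cost quoted on the page
YEAR = 365.25 * 86400          # seconds in a year

ALPHABETS = {
    "digits": 10,
    "lowercase+digits": 36,    # assumption, shown for comparison
    "mixed-case+digits": 62,   # assumption: matches the 72-year figure
}

def average_seconds(symbols, length, guess_seconds=GUESS_SECONDS):
    """Expected search time for a uniformly random passcode: half the keyspace."""
    return symbols ** length * guess_seconds / 2

def min_length(symbols, target_seconds, guess_seconds=GUESS_SECONDS):
    """Shortest length whose average search time reaches target_seconds."""
    length = 1
    while average_seconds(symbols, length, guess_seconds) < target_seconds:
        length += 1
    return length

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def quoted_cases():
    """The four cases the article gives complete figures for."""
    cases = [("digits", 4), ("digits", 6), ("digits", 8), ("mixed-case+digits", 6)]
    return [(name, n, humanize(average_seconds(ALPHABETS[name], n))) for name, n in cases]

if __name__ == "__main__":
    for name, n, t in quoted_cases():
        print(f"{n}-character {name}: {t} on average")
    for name, symbols in ALPHABETS.items():
        print(f"{name}: at least {min_length(symbols, 50 * YEAR)} characters for 50 years")
```

These figures assume a uniformly random passcode and that the per-guess cost is the only remaining limit; a guessable passcode falls far sooner than the average.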