I'm not too familiar with how iPhone hardware is put together, but is there a possibility of performing a forensic extraction of the flash memory and performing a brute-force attack offline? Or does the conversion of PIN to the storage encryption key happen in the secure enclave, which may resist such forensic meddling?
Each iPhone comes with a unique key burned into the processor. I believe the PIN is cryptographically combined with the unique key to derive the encryption key on device. That makes offline brute-force intractable without knowing the unique key (or somehow getting it out of the chip by looking at it or something, but it won't be easy).
Ah yes, the infallible password that's really small and hard to see. I'm sure the guys at the NSA were all "man we'd need, like, a microscope or some shit to read that!" and just went to lunch and called it a day. There is literally nothing Apple could do to have a key of some sort on their processor that wouldn't be laughably easy for a well funded organization to get access to.
I am no expert in that sort of stuff, so I have no estimate of the difficulty of it. I'd imagine it's too costly to be worth doing on every random iPhone in every random investigation, but if someone really really wants it, then yes. The weakest link most of the time remains the stupid unencrypted iCloud backup.
If you actually care about security, use a long alphanumeric password. It's not a big hassle when you have Touch ID. If you are ever in trouble, try turning the iPhone off immediately or quickly touch your fingerprint reader a few times with a wrong finger or enter the passcode wrong five times (so that Secure Enclave discards the cached decryption key and no longer accepts fingerprints). Also, use Apple Configurator tool to make your iPhone "Supervised" and don't let it pair with any new computer. And disable iCloud backup entirely.
If you really care about security from an organization like the NSA, the only option is either to have it be entirely air gapped or to be entirely open source, including BIOS and UEFI firmware and anything else that might run on the hardware. There are really no feasible options, and especially so in phones.
Not being able to read the key material with a microscope (optical or electron) is a specific design goal for these things. This takes me back more than 30 years to my very first job, the summer between high school and college. I had to disassemble and modify a number of crypto units used in the banking industry. These things had all sorts of mechanisms to make it hard to access the key, including zapping the EPROM containing the key with very high voltage if any of the case intrusion switches were tripped. My boss cheerfully informed me that the previous model had used a small explosive charge, and this new one was a safer alternative!
You probably can, but this isn't to access the phone of some international criminal mastermind but of some guy that was picked up on the corner for peddling drugs. Its not like the NYPD can dump 500,000 or more for every phone they need to access.
What worries me is that this will lead to laws being passed that will criminalize refusal to hand over passwords and encryption keys.
the secure enclave stores the actual encryption key. I'm not sure if it's just unlocked or generated from the PIN, but in either case they can only brute force the actual encryption on the flash and not the pin offline.