by jonknee 3768 days ago
> There are probably many ways to get access to this device other than guessing the pin.

It's encrypted data using the PIN (and a key embedded in the phone). There's not another way in.


The problem is that you are thinking of offline access, where encryption is relevant; what I am thinking about is online access, for example letting the device boot and connecting it to a familiar Wi-Fi access point that has been modified to redirect the normal iOS traffic to a site that infects the phone with malware that opens it to unauthorized access. I am not sure if it is feasible though.
The phone can't decrypt itself, it literally doesn't know how.
So I've been wondering, since the PIN is obviously not a strong cryptographic secret, the way the encryption works is basically security by obscurity.

All an attacker would have to do was clone the contents of the device's SSD and somehow read the secret key that is embedded somewhere else. I'm not sure how feasible the latter part is, but surely this shouldn't be beyond the capabilities of US three-letter agencies?

It's much more complicated than that (which is why the FBI needs help). The encryption uses the PIN and a key that is in the phone. If you take the image and try all the PIN combinations you will fail because you don't have the embedded key.

http://www.darthnull.org/2014/10/06/ios-encryption

> The UID key is used to create a key called “key0x89b.” Key0x89b is used in encrypting the device’s flash disk. Because this key is unique to the device, and cannot be extracted from the device, it is impossible to remove the flash memory from one iPhone and transfer it to another, or to read it offline. (And when I say “Impossible,” what I really mean is “Really damned hard because you’d have to brute force a 256-bit AES key.”)

Newer phones also include a secure enclave that introduces another key and hardware restrictions on timing. The FBI's request wouldn't make sense for a modern iPhone.
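To make the two points above concrete (the PIN alone does not decrypt a flash image, and the secure enclave adds a throttled online path), here is an added model written for this thread. It is not Apple's code and not the real iOS key hierarchy (no key0x89b, no per-file keys, no hardware AES engine): it uses a toy HMAC-SHA256 counter-mode cipher in place of AES, a deliberately low PBKDF2 iteration count so the brute force finishes in seconds, and an invented escalating-delay schedule. All names (`DEVICE_UID`, `derive_key`, `SecureEnclaveModel`, etc.) and the sample plaintext are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed stand-in for the per-device UID key fused into the SoC.
# A forensic clone of the flash does not contain it.
DEVICE_UID = secrets.token_bytes(32)

# Assumption: a deliberately low iteration count so the brute-force demo
# finishes in seconds; a real device ties each guess to hardware timing.
PBKDF2_ITERATIONS = 200
TAG_LEN = 32


def derive_key(pin: str, uid: bytes, salt: bytes) -> bytes:
    """Stretch the PIN, then tangle it with the device UID.

    Knowing the PIN, salt and ciphertext is not enough: without the UID the
    attacker has to guess a 256-bit value, which is the "impossible" in the
    quoted article."""
    stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.new(uid, stretched, hashlib.sha256).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256, standing in for AES so the
    example needs only the standard library."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # wrong key: this is all a wrong PIN guess ever sees
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def make_image(pin: str, uid: bytes, data: bytes) -> dict:
    """Everything a cloned flash chip holds: salt and ciphertext, no UID."""
    salt = os.urandom(16)
    return {"salt": salt, "blob": encrypt(derive_key(pin, uid, salt), data)}


def offline_bruteforce(image: dict, uid_guess: bytes, digits: int = 4):
    """Try every PIN against the image with whatever UID the attacker has."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        pt = decrypt(derive_key(pin, uid_guess, image["salt"]), image["blob"])
        if pt is not None:
            return pin, pt
    return None


class SecureEnclaveModel:
    """Online path: the enclave holds the UID, counts failures and imposes
    escalating delays (assumed schedule, not Apple's) before wiping."""

    DELAYS = [0, 0, 0, 0, 60, 300, 900, 3600, 3600]

    def __init__(self, uid: bytes, image: dict, wipe_after: int = 10):
        self.uid, self.image, self.wipe_after = uid, image, wipe_after
        self.failures, self.wiped = 0, False

    def try_pin(self, pin: str):
        if self.wiped:
            return "wiped", None
        key = derive_key(pin, self.uid, self.image["salt"])
        pt = decrypt(key, self.image["blob"])
        if pt is None:
            self.failures += 1
            if self.failures >= self.wipe_after:
                self.wiped = True
                return "wiped", None
            wait = self.DELAYS[min(self.failures, len(self.DELAYS) - 1)]
            return f"denied, next attempt after {wait}s", None
        self.failures = 0
        return "ok", pt


if __name__ == "__main__":
    image = make_image("4821", DEVICE_UID, b"constructed sample contents")
    print("with UID:", offline_bruteforce(image, DEVICE_UID))
    print("without UID:", offline_bruteforce(image, bytes(32)))
    enclave = SecureEnclaveModel(DEVICE_UID, image)
    for guess in ("0000", "1234", "4821"):
        print(guess, enclave.try_pin(guess))
```

The first brute-force run, which has the UID, recovers the PIN after at most 10,000 guesses; the second, which has only the cloned image, exhausts the PIN space and finds nothing, because every candidate key is missing the 256-bit UID. The enclave model shows why the online path is no better for an attacker: each wrong guess raises the delay before the next one and a handful of failures wipes the ability to ever recover the key.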

How does "cannot be extracted" work? There must be some physical representation of the key inside the phone, so surely it should be possible to retrieve it somehow (e.g. using a scanning tunneling microscope or whatever)?
I don't know if this is implemented in the iPhone's Security Enclave, but many modern HSMs are designed so that physical tampering (such as extracting the chip for analysis) damages/destroys the data.
The PIN is just used for getting access to the actual key that is used to decrypt the content, as far as I know.
That's exactly what I was talking about: the actual key has to be stored somewhere, too. Why can't we just read it using an STM?