by olliej 2350 days ago
No, read the Apple security white paper. Apple can’t install software on the phone without the passcode, and the permanent storage is encrypted by keys held in the Secure Enclave - e.g. an HSM designed specifically to thwart physical attacks.

All the existing attacks have started with at least a partially unlocked phone.


Maybe that's all true.

But can you discount a scenario where a hardware hookup brute forces through all possible numeric security codes? Could take less than a minute. Who is to say there isn't a bypass that allows them to do this? Very hard to tell.

The secure element is responsible for gating retries, and like all HSMs is designed specifically to prevent tampering, so everything - including retry counts and delays - is theoretically rendered untamperable.

I am aware of two bugs in that logic over the years - I can’t find the articles off the top of my head. One was essentially a TOCTOU bug that could be triggered via voltage spikes to reset the device after you tried to unlock but before it updated the retry count. The other required imaging and restoring the flash between each attempt. I don’t know how that was fixed, but it should hopefully be obvious that that is going to take more than a minute to brute force a 6-digit passcode.
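As an added illustration of the retry-gating ordering discussed above (my own model, not code from the thread or from Apple): a gate that writes the failure count to persistent state before comparing the guess, beside one that compares first, with a reset injected between the compare and the write. PASSCODE, MAX_ATTEMPTS and the store are constructed stand-ins.

```python
# Constructed stand-ins; not Apple's implementation, and the compare is a plain string
# equality rather than a real key derivation.
PASSCODE = "483921"   # constructed sample passcode
MAX_ATTEMPTS = 10     # lockout threshold used by this model

class PersistentStore:
    """Stand-in for tamper-resistant non-volatile state that survives a reset."""
    def __init__(self):
        self.failed = 0

class Gate:
    def __init__(self, store, commit_before_verify):
        self.store = store
        self.commit_before_verify = commit_before_verify

    def attempt(self, guess, reset_after_compare=False):
        """Return 'ok', 'wrong' or 'locked'. reset_after_compare models a reset
        landing between the comparison and the counter write."""
        if self.store.failed >= MAX_ATTEMPTS:
            return "locked"
        if self.commit_before_verify:
            # Safe ordering: charge the attempt first, refund only on success.
            self.store.failed += 1
            if guess == PASSCODE:
                self.store.failed = 0
                return "ok"
            return "wrong"
        # TOCTOU ordering: compare, then write; a reset in between loses the write.
        if guess == PASSCODE:
            self.store.failed = 0
            return "ok"
        if not reset_after_compare:
            self.store.failed += 1
        return "wrong"

def evaluated_before_lockout(gate, guesses, reset_after_compare=False):
    """Count how many guesses the gate actually compares before it locks."""
    evaluated = 0
    for g in guesses:
        if gate.attempt(g, reset_after_compare) == "locked":
            break
        evaluated += 1
    return evaluated

if __name__ == "__main__":
    wrong = ["000000"] * 50   # constructed list of incorrect guesses
    for safe in (True, False):
        n = evaluated_before_lockout(Gate(PersistentStore(), safe), wrong, True)
        print(f"commit_before_verify={safe}: {n} guesses compared before lockout")
```

With the count committed first, the reset buys nothing and the gate locks after MAX_ATTEMPTS; with the compare-then-write ordering, every guess in the list gets evaluated.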