by worthless-trash 698 days ago
I think that bruteforcing the passcode is an unlikely attack vector; if they do "brute force it", it likely won't be with Apple's OS running, it would be some kind of custom attack.

Image device -> run image in emulator -> try 5 passcodes -> get blocked -> reload image -> try 5 passcodes -> get blocked -> ... -> try 5 passcodes -> unlock phone.
That's the point of the Secure Enclave, where the password keys are stored. It's designed to be impossible to image. Early attacks relied on pulling the power to the chip after it sent a failure message but before it updated the attempt counter; this is fixed on newer revisions to happen the other way around.
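The two attacks debated in the comments above (reloading an image to roll the attempt counter back, and cutting power between the failure reply and the counter update) as an added toy model. This is not Apple's code and not from any commenter: the `Phone`/`Counter` classes, `MAX_ATTEMPTS`, the 40-entry passcode space and the passcode `"0037"` are all constructed for the demonstration, and the enclave is modelled only as "a counter the attacker cannot image".

```python
"""Toy model of passcode attempt limiting under two attacks:
snapshot/restore of an imageable counter, and a power cut after the
reply leaves the chip but before the counter is persisted.
Constructed example; nothing here is Apple's implementation."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

MAX_ATTEMPTS = 5  # assumed lockout threshold for the toy model


def _digest(passcode: str) -> bytes:
    # A real enclave derives a device-bound key; a bare hash is enough here.
    return hashlib.sha256(passcode.encode()).digest()


@dataclass
class Counter:
    """Where the failed-attempt counter lives and how it is updated."""
    in_imageable_flash: bool      # True: attacker can snapshot and restore it
    persist_before_reply: bool    # True: the 'fixed' ordering from the thread
    failures: int = 0


class Phone:
    def __init__(self, passcode: str, counter: Counter):
        self._hash = _digest(passcode)
        self.counter = counter

    def try_passcode(self, guess: str, cut_power_after_reply: bool = False) -> str:
        """Return 'ok', 'wrong' or 'locked'. cut_power_after_reply models the
        attacker dropping power the instant the reply is on the bus."""
        c = self.counter
        if c.failures >= MAX_ATTEMPTS:
            return "locked"
        ok = hmac.compare_digest(_digest(guess), self._hash)
        if c.persist_before_reply:
            # Fixed ordering: the counter is committed before anything leaves
            # the chip, so a power cut after the reply changes nothing.
            if not ok:
                c.failures += 1
            return "ok" if ok else "wrong"
        # Vulnerable ordering: reply first, then persist the counter.
        reply = "ok" if ok else "wrong"
        if cut_power_after_reply:
            return reply  # power is gone: the increment below never runs
        if not ok:
            c.failures += 1
        return reply


def glitch_attack(phone: Phone, space: Iterable[str]) -> Optional[str]:
    """Power-cut race: kill power after every reply so the counter never moves."""
    for guess in space:
        r = phone.try_passcode(guess, cut_power_after_reply=True)
        if r == "ok":
            return guess
        if r == "locked":
            return None
    return None


def restore_attack(phone: Phone, space: Iterable[str]) -> Optional[str]:
    """Image, try MAX_ATTEMPTS guesses, reload the image, repeat.
    Only a counter living in imageable flash can be rolled back."""
    c = phone.counter
    snapshot = c.failures if c.in_imageable_flash else None
    for i, guess in enumerate(space):
        if i and i % MAX_ATTEMPTS == 0 and snapshot is not None:
            c.failures = snapshot  # "reload image"
        r = phone.try_passcode(guess)
        if r == "ok":
            return guess
        if r == "locked":
            return None
    return None


SPACE = [f"{n:04d}" for n in range(40)]  # constructed tiny passcode space
PASSCODE = "0037"  # constructed; well past the first five guesses


def demo() -> dict:
    """Run both attacks against three counter designs; fresh state per run."""
    designs = [
        ("counter in flash, reply-then-persist", True, False),
        ("enclave counter, reply-then-persist (old)", False, False),
        ("enclave counter, persist-then-reply (fixed)", False, True),
    ]
    out = {}
    for name, imageable, persist_first in designs:
        out[name] = (
            restore_attack(Phone(PASSCODE, Counter(imageable, persist_first)), SPACE),
            glitch_attack(Phone(PASSCODE, Counter(imageable, persist_first)), SPACE),
        )
    return out


if __name__ == "__main__":
    for name, (restore, glitch) in demo().items():
        print(f"{name}: restore={restore} glitch={glitch}")
```

Only the third design survives both attacks: moving the counter off imageable storage defeats the reload loop, and committing the counter before replying defeats the power cut. The model also shows why the ordering alone is not enough: an enclave counter with the old ordering still falls to the glitch.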
Are you a hardware engineer at Apple speaking in an official capacity? Not that I would believe that even if you were. Of course the government can read their surveillance device.
How do you image an iPhone device?
I assume you can desolder the flash chip and directly dump its contents. Not trivial, but not too difficult for someone with the right skills.
That won't give you the encryption keys, which are stored in the Secure Enclave.
Isn’t the Secure Enclave another separate flash chip?
Yes but with the controller built in and hardware hardening.

They are designed precisely to prevent this kind of attack.

I bet most of the exploits used by these boxes have nothing to do with the secure element but just bypass security using exploits in standard system or USB code. Most phones will be captured with the OS running but just the UI locked, with all encrypted volumes already mounted.

Yeah, I had the same question. Because the grandparent comment explanation felt very much like the “…and then draw the rest of the owl” joke.