There has been a lot of discussion in Europe and the US about the ability of law-enforcement and security agencies to open a locked iPhone, with or without Apple’s assistance.
Dan Guido has just posted a careful and detailed analysis on the Trail of Bits Blog. The answer depends on three key factors.
First, whether the iPhone has a Secure Enclave, introduced with the A7 processor and Touch ID. If the iPhone does not, then it is feasible for Apple to install customised firmware/software which would allow it to try a different passcode every 80 ms. With a four-digit passcode and taking, say, 5000 attempts before that guessing succeeds, that would require 400 seconds, although success could of course occur much more quickly, or take up to 800 seconds in all.
If the iPhone does has a Secure Enclave, the next question is whether it is set to wipe the user’s data after ten unsuccessful attempts to enter the passcode. If that is set, then the chances are that no one will be able to guess the right passcode before the data is wiped.
If that is not set, the final question is whether the passcode has four or six digits. Once the first nine attempts have been made to guess the passcode, the Secure Enclave will only accept each further attempt after a delay of one hour. Thus the 5000 attempts which might be required to guess a four-digit passcode would take 5000 hours, or slightly under 30 weeks, with a maximum of rather more than a year.
For a six-digit passcode, 500,000 guesses would take just over 57 years, and all one million would take more than a century.
So if you want to ensure that no one can break into your locked iPhone, you must use an iPhone with a Secure Enclave, that is with Touch ID. You should then either set it to wipe all your data after ten attempts at the passcode, or to use a six-digit passcode.
So long as you don’t forget your passcode, of course.