An update by Ars Technica on Cellebrite’s ability to access the content on otherwise secured iOS devices:
Cellebrite is not revealing the nature of the Advanced Unlocking Services’ approach. However, it is likely software based, according to Dan Guido, CEO of the security firm Trail of Bits. Guido told Ars that he had heard Cellebrite’s attack method may be blocked by an upcoming iOS update, 11.3.
“That leads me to believe [Cellebrite] have a power/timing attack that lets them bypass arbitrary delays and avoid device lockouts,” Guido wrote in a message to Ars. “That method would rely on specific characteristics of the software, which explains how Apple could patch what appears to be a hardware issue.”
Regardless of the approach, Cellebrite’s method almost certainly is dependent on a brute-force attack to discover the PIN. And the easiest way to protect against that is to use a longer, alphanumeric password—something Apple has been attempting to encourage with TouchID and FaceID, since the biometric security methods reduce the number of times an iPhone owner has to enter a password.
This once again confirms the importance of establishing strong, long, passwords for iOS devices. Sure they’re less convenient but they provide measurably better security.