ElcomSoft has not explained how it hacked the hardware-stored key system in detail for commercial reasons, but the first point of attack appears to have been the user system passcode itself as all other keys are only vulnerable to attack once the device is in an unlocked state.

The company said it had been aided by subtle weaknesses in the security architecture used by Apple, starting with the default passcode length of 4 digits. This yields only 10,000 possible number variations, which the company said most users would likely use to secure their devices without question.

The only limitation in breaking this key using a bruteforce attack was the need to run through the possible combinations on the iPhone or iOS device itself, which took between 10 and 40 minutes, far longer than would have been the case using a desktop PC.