I worked as an IT security consultant before and one of my co-workers had the task of brute-forcing the encryption. Conclusion was that with a newer generation (was it the iPad 3 or iPhone 4S? I don't remember exactly), brute-forcing was very infeasible. It took forever. My bet is on the back door.

How is locking/encryption actually implemented on the iPhone? If you use a 4 digit pin that seems incredibly easy to brute force, unless perhaps the actual encryption key is protected in hardware (and the "wipe after 10 failed attempts" policy is also enforced in hardware)

I don't believe the "wipe after 10 failed attempts" is enforced in hardware, but the actual encryption is. Everything got much better with the 4S/iPad 2 and later. So, if you can get the phone to boot from your replacement image, you should be able to run arbitrary attacks against the encrypted image. This would be complex. Much much easier for Apple, and still doesn't really count as a "backdoor" in the hardware key storage itself. If you could bypass the 10 tries lockout again, you can do ~12 tries/second, so 20 minutes to defeat a simple 4-digit passcode.

I suspect someone could decap the chip itself and extract the key, at the cost of the phone (and burning a bunch of whatever chip they're using in advance to prep for the attack). That probably would be worthwhile for a conference presentation. I'm confident any decent intelligence service which doesn't have Apple's cooperation can do this now, since extracting keys from hardware is a pretty key capability for anyone doing black bag stuff. A friend of mine just started a consultancy in this space, so maybe will look at this for a presentation in 2014 if there's time.

Apple can just sign a ramdisk to boot on that phone and dump the whole flash (decrypted by the phone) over usb.

Bruteforcing 10e3 numerics doesn't take long when your forensic ramdisk doesn't have any rate limiting or auto-wiping.

The rate limiting is the security element's speed (separate from the "too many tries" timeout and the "wipe after 10 tries" thing). Unless the security element itself has a backdoor, even Apple can't go faster than 12 tries per second. It is still about 20 minutes.

But a longer pass phrase (admittedly a ux problem) helps. Plus, rumors of biometrics, which may or may not be implemented in a smart way. A biometric which allows a 4 digit pin, or if it fails, a 16 char alphanumeric, would be proper.

To be honest, I don't remember exactly. I just talked to my colleague for a couple minutes and watched him using his brute forcer and I remember his conclusion that the old iPad could be easily brute forced, but the new one couldn't. Either because the iPad would be wiped after 10 attempts or because the hardware would allow re-entering a PIN only every few seconds. I remember that it was incredibly slow. Sorry ;(

iOS 3 was "instant bypass". iOS 4/5 on everything up to the iPad 2/iPhone 4S was still device-bound, at 4-10 tries/second, but the backoff and wipe logic could be bypassed.

There are no public ways to extract from the newest devices on ios 5 or 6, except for a few corner-case bugs (which were limited, and patched).

Plenty once you jailbreak the phone, or compromise a paired device. I believe the best practice among public attacks is to do that. There are probably various exploits in iOS itself which let you root phones remotely. Beyond that, either secret attacks or hardware attacks, or figuring out how to get the phone to boot from one ramdisk while talking to the security element from before (which is trivial if you can sign stuff as Apple, and may actually be possible otherwise.)