This isn't THAT difficult for Apple to deal with. Nor difficult for me, probably.
Give the user a way to further customize the "number of tries" delays.
I use a PIN code (all numeric) on some of my iDevices, and a full-blown strong passcode on the company iPhone. Just reducing the "number of tries" by 1 (before forcing a wait) would require Graykey an order of magnitude MORE TIME to crack the PIN code. I almost never mistype my password (even complicated ones) more than 2 or 3 times in a row.
Allowing the user to reduce the retry count to 2 or 3 times before increasing the wait would likely make Graykey a waste of time for law enforcement to even bother with it. And maybe offer an option to skip the 1-minute and 5-minute delays, and just go to a 15-minute delay after those 2 or 3 failed attempts.
And although I'm not worried about the strong passcode device, the same thing, if implemented by Apple, would raise the time requirement by another order of magnitude (or more). It would ALREADY take several months for Graykey to crack my company iPhone, and by allowing me to even more quickly engage the delay, well, that would just make this Graykey a complete waste of time and money for any law enforcement or ne'er-do-well to even try.
Now, of course, I could alternatively engage the setting to lock and/or erase the device after a certain number of tries. That's harsh, but it would make Graykey completely useless because Graykey is completely brute-force, which means it only works by trying all possible combinations over time. If it can't guess my password in 10 tries (current rules), then it's done.
...Yes, it's a brute force attack on the password, but the software is being installed on a locked device without a passcode, and this software appears to be bypassing some of the security built into the OS that enforces increasing delays between failed password attempts and erases a device after too many failed attempts. Those are both vulnerabilities without which this device couldn't work.
I think this is a FUD (Fear, Uncertainty, Doubt) technique on the part of Grayshift. What better way for them to increase sales than to SAY they can break into even a locked device, just to put everybody on their heels and instill a sense of hopelessness and resignation? I actually don't believe that they have the ability to install any software on a properly locked Apple device. Of course, I can't speak for other OSs and other device makers, but I'd be surprised if it actually works on a properly locked Apple device. But if they can install software on a locked device, then this is an exposure that Apple really does need to close in a future update.
I'm curious about something. How long would it take a machine to try 10,000, 100,000, and 1,000,000 combinations, which would be the max brute force attempts needed respectively for a 4-digit, 5-digit, and 6-digit numeric code?
And...I wonder if a user could make it even harder for Graykey by changing their pin code to a "passcode"....and still use just numeric digits for convenience? It seems to me that this would increase the brute force method needed by simply increasing the entropy of possibilities to include alpha and special characters.
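
The question above about 10,000, 100,000 and 1,000,000 combinations can be put into a small model. This is an added example, not part of the original post: the 80 ms per-guess cost, the number of free tries, and the delay schedules (built from the 1, 5 and 15 minute waits mentioned in the thread) are all assumptions.

```python
# Added example: model of passcode brute-force time under retry delays.
# Every rate and schedule below is an assumption or constructed for illustration.

GUESS_MS = 80  # assumed cost of one attempt when no delay is enforced

def keyspace(length, alphabet_size=10):
    """Number of possible codes of exactly `length` symbols."""
    return alphabet_size ** length

def worst_case_seconds(guesses, free_tries=0, delays=()):
    """Seconds to try `guesses` codes. The first `free_tries` attempts carry no
    wait; each later attempt waits per `delays` (seconds), last entry repeating.
    Empty `delays` models delay enforcement being bypassed."""
    waited = 0
    if delays:
        delayed = max(0, guesses - free_tries)
        ramp = min(delayed, len(delays))
        waited = sum(delays[:ramp]) + (delayed - ramp) * delays[-1]
    return (guesses * GUESS_MS + waited * 1000) / 1000

def erase_limit_success_chance(space, max_tries=10):
    """Chance a blind guesser hits the code before an erase-after-N limit."""
    return min(1.0, max_tries / space)

def days(seconds):
    return round(seconds / 86400, 1)

if __name__ == "__main__":
    policies = {
        "delays bypassed": dict(),
        "constructed ramp (5 free, then 1/5/15 min)":
            dict(free_tries=5, delays=(60, 300, 900)),
        "2 free tries, then 15 min each":
            dict(free_tries=2, delays=(900,)),
    }
    for digits in (4, 5, 6):
        for name, policy in policies.items():
            secs = worst_case_seconds(keyspace(digits), **policy)
            print(f"{digits}-digit PIN, {name}: {secs:,.0f} s = {days(secs)} days")
    # Same length, larger alphabet (a-z, A-Z, 0-9): the space to cover when
    # the guesser cannot assume the code is digits only.
    print("6 chars, 62 symbols:", f"{keyspace(6, 62):,}", "codes")
    print("erase after 10 tries, 4-digit PIN:",
          erase_limit_success_chance(keyspace(4)))
```

In this model the repeating delay dominates the total once it is enforced, so whether enforcement holds at all matters far more than the exact number of free tries.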