There is confusion over which versions of iOS IP Box is able to unlock in this way. Dominic Chell, who runs MDSec, says Apple plugged the security hole after iOS 8.1. But a US government agent has testified that the hack works on later versions of iOS, too.

The testimony surfaced in a New York court case in December 2015, when a ruling referred to a Department of Homeland Security special agent named David Bauer who told a court that he had unlocked three phones with IP Box. The target phone in the case in question, though, was an iPhone 5 running iOS 8.1.2, which Bauer had not personally unlocked before. He said, however, that law enforcement agents in Bergen County, New Jersey, had successfully unlocked iPhones running later versions of iOS.

A conservative estimate of the number of iPhones vulnerable to IP Box—that is, phones running iOS 8 or earlier—would be over 100 million. It’s difficult to be precise because Apple doesn’t say how many active iPhones are out there, and it’s not entirely clear which versions of iOS are hackable with IP Box. But analysts have estimated that the number of active iPhones stands at between 450 and 475 million.

Apple says that 23% of active iOS devices (including things like iPods and Apple TVs) run iOS 8 or earlier. Applying that ratio to our estimate of active iPhones gives a lower limit of 104 million phones running iOS 8 or earlier.

Although IP Box may work with millions of devices, it’s not a simple process. When MDSec tested IP Box, it took about 111 hours to unlock a phone protected by a four-digit PIN, because each PIN entry takes 40 seconds. That’s a lot longer than the 13 minutes it would take to brute-force the PIN if entries were made at the fastest possible speed of 80 milliseconds each, but entering PINs that quickly risks erasing all the phone’s data if the wipe-after-10-attempts feature is on.

What’s more, Apple has given users the option of making passcodes more complex than four digits since iOS 5, which was released in June 2011. Adding two more digits to a passcode means brute-forcing takes 100 times as long.

Bauer’s testimony was highlighted in a ruling issued this week by James Orenstein, a federal judge in New York. Orenstein was considering a government request for Apple’s help in unlocking an iPhone linked to a drug-dealing ring, citing Bauer’s comments as background to the case. The judge ruled in Apple’s favor, which strengthens the company’s position when it comes to the ongoing case in California with the San Bernardino shooter’s phone. That iPhone is running iOS 9, which is almost certainly immune to a brute-force hack, Chell says.
