Stolen iPhone prototypes used for hacking into Apple's vaunted security, even by law enforcement
That unicorn of an iPhone, a "dev-fused" device with its security stripped for easier software development and prototyping, has apparently been the tool behind cracking the hardest Apple encryption nuts for the hacking community and law enforcement alike.
They are stolen from the factory and development campus... The gray market guys don't even know what they sit on half the time. They are just trading trash for cash. It gives you a new attack surface that's not as heavily fortified. They don't put the metaphorical lock on the door until the walls are built on the house, so to speak.
A months-long investigation by Motherboard has found that these units sell for many thousands of dollars on the black market, sought after by security researchers in the best-case scenario, by companies that provide phone cracking for law-enforcement purposes, and by the hacking and jailbreaking community that occupies the grey area of the industry.
The "dev-fused" iPhones allow root access to almost every nook and cranny of Apple's mobile operating system, but apparently they can also give hints at how Apple safeguards its most sacred piece of security hardware: the Secure Enclave Processor (SEP) that, for instance, stores the encrypted data derived from your fingerprint or face readings.
Such SEP access is unprecedented, given that this data is never meant to leave the enclave or the confines of Apple's security team, but fortunately the hackers who demonstrated it only "leveraged specific prototypes," according to one anonymous jailbreaker. Needless to say, those using dev-fused iPhones with the so-called "Switchboard" engineering OS do it not only for the sport but to spare themselves the work and disappointments of hacking from scratch. Some of them go on to work for companies that make cell-phone snooping tools for various entities, including the police.
The investigation into Switchboard iPhones turned up a fairly straightforward way to buy such devices. A security-stripped iPhone X went for $1800, for instance, while an iPhone XR with a full suite of access software and hardware fetched $20,000 elsewhere. The point is that such devices are evidently not that hard to obtain, and the Foxconn sticker on some of them shows that the iPhone may have been lifted straight from the assembly line.
The people on Shenzhen's Foxconn factory floors who supply such handsets may not be aware of what is possible with them, claims a local security researcher, but that makes it all the more worrying. The researcher who teased the SEP hack was even briefly hired by Apple before his employment abruptly ended, adding another layer to the "dev-fused" mystery.
What the circulation of such prototypes shows, though, is that one should never feel fully confident that their iPhone communications are off-limits to parties able and willing to get at them. And considering that Apple is one of the better companies when it comes to safeguarding users' data, that should send a bit of a chill down the spine of any smartphone user.