Hackers using stolen iPhone prototypes to probe security and develop iOS exploits

Posted:
in iPhone edited March 2019
Hackers are taking advantage of "dev-fused" iPhones, meant only for internal usage within Apple, to discover how systems and sensitive components in the smartphone function, with the publicly-unavailable variant now a highly prized tool for security researchers searching for vulnerabilities in the hardware and in iOS.

The Cellebrite Universal Forensic Extraction Device (UFED), an item that may have been created using hacks gleaned from a 'dev-fused' iPhone
The Cellebrite Universal Forensic Extraction Device (UFED), an item that may have been created using hacks gleaned from a 'dev-fused' iPhone


Researchers hunting down potential exploits and issues with the highly-popular iPhone have, over the last few years, discovered a shortcut to finding out how to look closely at the inner workings of the device, while avoiding all of Apple's security processes and systems for preventing the public from accessing elements they cannot see. The method is to effectively acquire an internal version of the iPhone that simply does not have the same level of protections as a consumer-released model.

The version, dubbed "dev-fused" and sometimes called a "prototype," is an iPhone that has not completed the production process or has been reverted to a development state, reports Motherboard. Meant only for use by Apple's engineers, the units have most of their security functions disabled, more so than typical jailbroken versions, giving those in possession of it an opportunity to look at how the software functions unhindered by its security.

The dev-fused units occasionally surface on the gray market, smuggled out of Apple-related facilities illegally, and can end up selling for thousands of dollars to interested parties. Once acquired, the units can be "rooted" and used to find a hack that could be used on consumer iPhones, and has the potential to be used by governments and law enforcement agencies.

It is claimed by multiple report sources that Cellebrite, a security firm that allegedly aided law enforcement officials as part of the investigation into the San Bernardino shooting, has acquired some dev-fused devices as part of its product development. Hackers who may have been among the first to show off information gleaned via a dev-fused device are also said to be working for Azimuth, another security firm known for producing hacking tools for the US, Canadian, and UK governments.

The first main sign that such hardware was becoming available through unofficial channels was via a Black Hat talk in August 2016, where researchers Mathew Solnik, David Wang, and Tarjei Mandt described how the iPhone's Secure Enclave Processor handled data encryption. While the method of discovery was not advised at the time or since, the report's sources believe their discoveries were possible only via the use of a dev-fused unit.

In the case of SEP, as its operating system is encrypted, it cannot be reverse engineered from a normal model, leaving the use of a unit that has yet to be encrypted as the only real way of knowing what is being performed.

A former Apple security team member advised they had queried Wang after the conference about the discovery. The hacker responded "Solnik got a dev-phone and dumped the firmware through standard Apple tools." Another iOS security researcher seemingly corroborated the claim Solnik was in possession of one of the devices.

None of the three people from the talk have commented about the affair.

Apple is said to be aware of the dev-fused unit trading, report sources within the company reveal, with Apple stepping up its efforts to prevent the units from leaving Foxconn and other facilities and into the hands of unauthorized users. Notably, Solnik was hired by Apple to work on its "red team" in 2017 following his talk, but left the company within weeks, for unknown reasons that are apparently "incredibly restricted" even from Apple employees.
forgot username

Comments

  • Reply 1 of 12
    stpatstpat Posts: 13member
    I'm not sure why this article tip toes around the fact that these are stolen units that companies are using to develop these hacks. Apple clearly wouldn't sell these units, nor authorize this type of use, so they must be stolen. 
    forgot usernamewatto_cobra
  • Reply 2 of 12
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    stpat said:
    I'm not sure why this article tip toes around the fact that these are stolen units that companies are using to develop these hacks. Apple clearly wouldn't sell these units, nor authorize this type of use, so they must be stolen. 
    Headline: "Hackers using stolen iPhone prototypes to probe security and develop iOS exploits"

    Given that it's said in the third word of the headline, and the third word in total regarding the issue, I'm not sure where you get "tip-toes."
    edited March 2019 Solimuthuk_vanalingamgatorguyvukasikaLatkocaladanianwlymforgot username1STnTENDERBITSindieshack
  • Reply 3 of 12
    marklarkmarklark Posts: 30member
    Stpat might be referring to the phrase "The dev-fused units occasionally surface on the gray market"... Sort of tippy-toeing.
    vukasikawatto_cobra
  • Reply 4 of 12
    They are not just stealing from Apple. They are stealing from all of us...😡
    vukasikaSgt Storms(trooper)watto_cobra
  • Reply 5 of 12
    SoliSoli Posts: 10,035member
    marklark said:
    Stpat might be referring to the phrase "The dev-fused units occasionally surface on the gray market"... Sort of tippy-toeing.
    I agree with Mike that they made it clear in the headline, but I also agree with you that gray market isn't the correct term. Since it's stolen equipment it's a black market sale—nothing gray about it.
    edited March 2019 applesnorangeswlymSgt Storms(trooper)watto_cobraradarthekat
  • Reply 6 of 12
    Why doesn’t Apple have better security for these prototypes?
    vukasikaLatkocaladanianwatto_cobra
  • Reply 7 of 12
    lkrupplkrupp Posts: 10,557member
    Why doesn’t Apple have better security for these prototypes?
    Because it’s China and a third party manufacturer. It should be relatively easy to plant a mole into the workforce to do this. If there’s money to be made someone will be willing to do it. 
    bigmikeCarnagewatto_cobra
  • Reply 8 of 12
    snow66snow66 Posts: 15member
    So based on this article... STOLEN iPhone prototypes are being used by hackers to create exploits that law enforcement agencies are taking advantage of to get data off encrypted iPhones. If this is true then law enforcement has determined it is OK to pay companies for services they have because the company knowingly acquired and used stolen goods. Not the type of activity I want out of law enforcement. Looking at it from the other side, do we think law enforcement is doing their best to help Apple track down the stolen devices?
    applesnorangeswatto_cobraradarthekat
  • Reply 9 of 12

    snow66 said:
    So based on this article... STOLEN iPhone prototypes are being used by hackers to create exploits that law enforcement agencies are taking advantage of to get data off encrypted iPhones. If this is true then law enforcement has determined it is OK to pay companies for services they have because the company knowingly acquired and used stolen goods. Not the type of activity I want out of law enforcement. Looking at it from the other side, do we think law enforcement is doing their best to help Apple track down the stolen devices?
    You bring up a very interesting point. 

    I guess as long as law enforcement perceives that they need these devices they are willing to "look the other way."

    There's a word for that.  And a legal precedent.


    watto_cobra
  • Reply 10 of 12
    snow66 said:
    So based on this article... STOLEN iPhone prototypes are being used by hackers to create exploits that law enforcement agencies are taking advantage of to get data off encrypted iPhones. If this is true then law enforcement has determined it is OK to pay companies for services they have because the company knowingly acquired and used stolen goods. Not the type of activity I want out of law enforcement. Looking at it from the other side, do we think law enforcement is doing their best to help Apple track down the stolen devices?
    Assuming you're referencing law enforcement in the America's and the EU, what exactly do you think they can do about theft in China?  If you're referencing law enforcement in China, how much do you think they care about a stolen phone... that isn't even reported missing?
    watto_cobra
  • Reply 11 of 12
    indieshackindieshack Posts: 328member
    Interesting article - I must confessed to being surprised that this development hardware is able to leave a facility (presumably we are talking about Cupertino?) since Apple seems like the kind of company which would have procedures in place to prevent it.
    watto_cobra
  • Reply 12 of 12
    SoliSoli Posts: 10,035member
    snow66 said:
    So based on this article... STOLEN iPhone prototypes are being used by hackers to create exploits that law enforcement agencies are taking advantage of to get data off encrypted iPhones. If this is true then law enforcement has determined it is OK to pay companies for services they have because the company knowingly acquired and used stolen goods. Not the type of activity I want out of law enforcement. Looking at it from the other side, do we think law enforcement is doing their best to help Apple track down the stolen devices?
    Assuming you're referencing law enforcement in the America's and the EU, what exactly do you think they can do about theft in China?  If you're referencing law enforcement in China, how much do you think they care about a stolen phone... that isn't even reported missing?
    I’m confused as to why you’re focusing on theft in China when he’s talking about the ethical aspect of buying a product that was designed using stolen equipment to be used on lawbreakers. I cant knowingly ride in a stolen car and then say “but I didn’t steal it, I only benefited from its theft,” without risk of persecution. Whether Cellebrie buys stolen iPhones in China, the US, or in International waters shouldn’t make a difference to an ethical organization.
    watto_cobraradarthekat
Sign In or Register to comment.