iPhone Prototypes Find Their Way to Hackers and Researchers Alike
Have you ever wondered about how hackers or security researchers can figure out where the hidden flaws in iOS lay? For years, that’s been a big question, from concerns about how companies such as Cellebrite and GrayKey found their way into iOS to how researchers were able to examine how the Secure Enclave works. Thanks to a report by Motherboard picked up by Cult of Mac; we now have a better idea of what’s behind it all: internal prototypes somehow stolen from Apple and then re-sold on the gray market.
What are these prototypes? Called “dev-fused” devices, these are iPhones used by Apple employees and developers within the company to test features, hunt for bugs, and otherwise prepare the next iteration of hardware or software for the public. To allow the developers to do all these things, dev-fused units typically have many of iOS’s built-in security features disabled. Most notable, according to the report, is the word that dev-fused devices do not have system-level encryption running on the Secure Enclave, the processor which handles all the phone’s fingerprint and facial recognition processing.
With layers of security disabled, it’s far easier for potential “black hats” to uncover flaws in the device that they could then use to launch attacks on live iPhones. Where are all these dev-fused units coming from, though? That’s a good question, and not one that’s easy to answer. Presumably, there are plenty of these devices floating around inside of Apple, and perhaps someone claims to “lose” one from time to time. What we do know is that these handsets make their way into the hands of resellers both in the US and overseas in China. Typical retail prices are steep at nearly $2,000 — but that’s a price well worth paying if you’re a company like Cellebrite.
The good guys use these units too, though, to probe for vulnerabilities before the bad guys get to them. As valuable a service that is, however, it would seem to be in Apple’s best interest to clamp down on the flow of unsecured prototypes into the gray market. Why they haven’t made a move against these resellers yet isn’t clear, though someone suggested to Motherboard that the company simply had bigger things to focus on than businesses who aren’t leaking brand new hardware. So far, at least, no major publicly disclosed vulnerabilities have been directly attributed to the use of a dev-fused device.