
The Prototype iPhones That Hackers Use to Research Apple’s Most Sensitive Code - Motherboard


SOURCE: https://motherboard.vice.com/en_us/article/gyakgw/the-prototype-dev-fused-iphones-that-hackers-use-to-research-apple-zero-days
Summary

Since the Black Hat talk, dev-fused iPhones have become a tool that security researchers around the world use to find previously unknown iPhone vulnerabilities (known as zero days), Motherboard has learned.

Dev-fused iPhones that were never intended to escape Apple’s production pipeline have made their way to the gray market, where smugglers and middlemen sell them for thousands of dollars to hackers and security researchers. During Motherboard’s months-long investigation, I spoke to two dozen sources—security researchers, current and former Apple employees, rare phone collectors, and members of the iPhone jailbreaking scene—about the underground trade of dev-fused iPhones and their use in the iPhone hacking community. Panaetius did not want to be identified given that he has also used dev-fused devices and is worried Apple may go after him.

A person who formerly worked in Apple’s security team told Motherboard that he approached Wang after the talk at the conference. When he asked Wang how they managed to study the SEP, Wang told him that “Solnik got a dev-phone and dumped the firmware through standard Apple tools.” An independent iOS security researcher, who spoke on condition of anonymity in order not to damage his reputation within the jailbreaking community, said “Solnik was full of dev-fused [iPhones],” at the time of the SEP talk.

You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzo@motherboard.tv

Another iOS security researcher, who also asked not to be identified, said he saw Solnik’s dev-fused devices and the proprietary cables used to work on them in the lead up to the SEP talk at Black Hat. Solnik, Wang, and Mandt did not respond to multiple requests for comment.

“If you are an attacker, either you go blind or with a few thousand dollars you have all you need,” Luca Todesco, one of the most well-known iOS security researchers in the world, told Motherboard, referring to people who buy dev-fused iPhones. “Some people made the second choice.”

Other researchers in the community told Motherboard that dev-fused devices are widely used in the iPhone hacking scene by researchers looking for zero day vulnerabilities. “As long as you don’t break [Apple’s] balls, or show an iPhone 11 prototype, or an unreleased device, they’re most likely cool with that.”

On the back of dev-fused iPhones seen by Motherboard, there’s a QR-code sticker, a separate barcode, and a decal that says “FOXCONN,” referring to the factory that makes iPhones and other Apple products. He also claimed to have sold “a lot of” dev-fused iPhones to security researchers.

“I don't know how to get SEPROM,” Mr. White told me in an online chat, using another technical term for the SEP. “But I know that their research needs my equipment.”

THE DEVICES THAT ESCAPE SHENZHEN

Though it’s possible to buy dev-fused iPhones from various sources, it’s not like there’s a huge supply of them. In a Hacker News thread prompted by a Motherboard investigation on the iPhone bug bounty program, former iPhone jailbreaker and current security researcher Will Strafach wrote that “Apple has dev-fused devices which use separate development certificates and keys.” An entry in the unofficial iPhone wiki also briefly mentions prototype devices.

When reached via Twitter, Krstić said that he could not talk about anything work related, and instead joked I could ask him about his “borderline-encyclopedic knowledge about preparing steak.”

But despite being essentially a secret from the public, security researchers and hackers have known about and used these devices for years.

“They are very popular among security researchers,” said a person who’s familiar with the supply chain of smuggled iPhones in China, who spoke on condition of anonymity to avoid putting his associates in China at risk. “They are stolen from the factory and development campus,” a person who sells these devices on Twitter told Motherboard.

At times, Huang said, even the people who sell dev-fused devices in Shenzhen aren’t aware of how valuable they can be to hackers and security researchers.

As said here by Lorenzo Franceschi-Bicchierai