
Prototype iPhones That Hackers Use to Research Apple’s Most Sensitive Code - runesoerensen
https://motherboard.vice.com/en_us/article/gyakgw/the-prototype-dev-fused-iphones-that-hackers-use-to-research-apple-zero-days
======
jd20
> The phone boots into an operating system known as “Switchboard,” which has a
> no-nonsense black background and is intended for testing different
> functionalities on the phone.

I think the article confuses the meaning of "dev-fused" hardware, with what OS
is actually installed on the phone. When I used to work at Apple, I always
understood "dev-fused" to mean a device on which you could install unsigned
builds of iOS.

Internally, Apple puts out new builds of iOS daily. The engineers building
features on top of iOS need to install these builds, to do their work. A
normal iPhone from a store won't take these unsigned builds, hence the need
for these dev-fused devices. There are regular builds like what a customer
would get, debug builds with lots of logging and debugging checks enabled, and
even bare-bones builds like switchboard, for employees who are not
UI-disclosed or work in factories. As someone building higher-level iOS features,
all my dev-fused devices just ran a normal looking iOS, unlike what the
article describes.

> Two people showed Motherboard how to get root access on the phone we used;
> it was a trivial process that required using the login: “root” and a default
> password: “alpine.”

Oh boy, that sure brings back memories!

~~~
therein
How about PurpleRestore? :)

I binge-read all of luna and the "other" internal wiki back in the day. :)

~~~
liquid9
I love doing this occasionally; it's just really interesting seeing the
internal tools.

Are there any videos/screenshots of PurpleRestore and similar tools? I've
searched and can only find a single picture and descriptions.

~~~
therein
Same here, that's why I sometimes wish I had saved some screenshots for my own
use or even for sharing but I have a feeling Apple would have hunted me down
for it. That's probably why we don't see so many of them in the wild. Even in
the orientation you'll hear stories about how seriously they take their
ability to surprise and delight, with an emphasis on the surprise. :)

The best source I can find was this:
[https://www.theiphonewiki.com/wiki/Apple_Internal_Apps](https://www.theiphonewiki.com/wiki/Apple_Internal_Apps)

With this fascinating discussion of Apple insiders talking about exactly the
same apprehension imprinted in their minds:
[https://www.theiphonewiki.com/wiki/Talk:Apple_Internal_Apps](https://www.theiphonewiki.com/wiki/Talk:Apple_Internal_Apps)

Here are some things I remember:

The "purple" series of tools are basically for managing dev-fused iPhones
[https://www.betaarchive.com/imageupload/2017-02/1487521492.o...](https://www.betaarchive.com/imageupload/2017-02/1487521492.or.21729.PNG)

I also remember there being two internal wikis for development and having
access to both. Maybe one is called luna and the other is just straight out
called purple?

You get root on the device simply by authenticating as root with password
alpine. Sometimes you'll get your hands on iDevices with weird specs like
3.75GB of RAM etc.

There is also AppleConnect which is Apple's internal single-sign on.

What I find most fascinating is honestly how I am unable to find _recent_
screenshots of this software. They are all screenshots of really old versions
with outdated UI.

Apple must have a special way of taking these down or doing offensive-SEO and
burying them in results because while I was able to find search results for
"apple luna internal wiki", I am no longer able to.

------
Despegar
> In 2017, however, Solnik was hired by Apple to work on its security team,
> specifically on the so-called red team, which audits and hacks the company’s
> products. His talk at Black Hat had apparently impressed the folks at
> Cupertino. A few weeks later, however, he abruptly left the company, according
> to multiple sources.

> The full story of Solnik’s short stint at Apple is a closely-guarded secret.
> Motherboard spoke to dozens of people and was unable to confirm the specifics
> around his leaving the company; one source within Apple told me information
> about Solnik is “incredibly restricted,” and another confirmed that even
> within Apple, few know exactly what happened.

Why hire someone that was previously selling "offensive security tools and
exploits to governments" into a sensitive role like that? It's incredibly
naive to think that just because you're employing them now that they are
actually loyal to you. Surely the insider threat is greater than any expertise
that person has. Just pay them a bug bounty for specific information and keep
them at arms length. Finding high integrity security researchers to hire is
more important than raw talent.

~~~
evolvedcleaning
Money talks; if they paid him enough, they could buy his loyalty.

Similar parallels exist in many walks of life. Those guarding assets need
incentives to be loyal.

In the case of a potentially bad actor/blackest hat, you make them an offer they
can’t refuse: take lots of money and stay quiet, or we will unleash our
government pit bulls.

~~~
golergka
Not all people have money as their only and highest motivation. For many, once
they get to a comfortable level, other things become more important.

------
mikepurvis
Mathew Solnik is not impressed, full text:

"The article that has been published regarding me is a complete hit piece. It
provides no hard evidence and is based on pure rumor. It’s sad to see the
publication stoop to such levels. This is not worth any further response and
will get none. End of Story."

[https://twitter.com/msolnik/status/1103395763068043264](https://twitter.com/msolnik/status/1103395763068043264)

~~~
lawnchair_larry
No hard evidence of what exactly? His reply doesn’t make much sense. Other
than maybe he doesn’t think it looks flattering when you’re abruptly let go
from 2 jobs and your consulting venture doesn’t pan out.

~~~
tptacek
This is pretty silly. Solnik could probably get drunk, spin round in a circle
100 times quickly, and fall ass-backwards into better consulting gigs than
almost anyone on HN.

------
saagarjha
There are some issues with the article:

> I used one of these devices and obtained “root” access on it, giving me
> almost total control over the phone; gaining root access allows researchers
> to probe many of the phone’s most important processes and components.

Root access does not give total control on iOS. There are many other things
that stand in the way of "full access".

> “Switchboard devices” are another term for some dev-fused phones, which
> refers to the proprietary operating system they run.

No. Development-fused devices can run iOS; "Switchboard devices" are devices
that have not had iOS flashed on them and are still running Switchboard.

------
gok
> “They are stolen from the factory and development campus,” a person who
> sells these devices on Twitter told Motherboard.

Haha yeah that and employees' homes and cars being burglarized.

~~~
kbenson
Which makes me wonder why even go with one story over the other. They both
contain theft, so if you accept that there was theft, then it's illegal to buy
them, and illegal for them to sell them knowing that. I guess maybe it's so
they look less like a common criminal and more like a white-collar criminal
that only steals from super rich companies?

------
gruez
> He’s defensive when I ask how he got the phones.

> “Well, I didn’t steal any device. I actually paid for them,”

Sounds like the "it fell off a truck" excuse.

~~~
Someone1234
It could be more nuanced than that.

Some Chinese manufacturers have been known to have a "night shift," which is
to say that during the day they produce a manufacturer's products, and during
the night they produce an off-label or unauthorised version. These phones all
had Foxconn labels on them; there was no Apple branding or logos. It is
possible they were unauthorized but not "stolen." As I said, it is a nuance,
and one I imagine Apple's legal team wouldn't be distracted by.

PS - I am in no way defending anything. Just simply explaining that there are other
possible explanations for how unauthorised devices exist.

~~~
wmf
That doesn't really work for Apple products because they require unique
components (like the SoC) that can't be bought anywhere and presumably the
inventory is tracked carefully (e.g. 10,000 A12s go into the factory and
~10,000 iPhones go out).

~~~
bpye
What about iPhones that "failed" QC?

------
abalone
Is there any info on how GrayKey worked? My understanding is that in recent
models the SEP was supposed to prevent that kind of brute forcing of passcodes
at the hardware level — and also enforce a secure boot chain that prevents
loading hostile firmware (which it looks like GrayKey did based on screen
shots). This would seem to involve an exploit of the SEP which is very
serious... or was there some simpler exploit?

Anyone?

~~~
earenndil
I believe that GrayKey was able to try passcodes at a faster-than-should-be-allowed
rate, which does indicate a flaw but not a serious one.

~~~
saagarjha
That sounds plenty serious to me.

~~~
thisacctforreal
There is a hard limit of 80ms per attempt, from the number of PBKDF2
iterations tuned for the secure enclave.

~~~
abalone
It's much more than that. According to Apple's iOS security whitepaper, the
SEP is supposed to enforce escalating time delays in between attempts -- up to
_one hour_ after the 9th attempt. And survive restarts.

It certainly seems like GrayKey bypassed a fundamental SEP protection, which
would constitute a very serious flaw. The SEP protections are supposed to be a
whole 'nother level (which is what this article gets at... it's hard to even
get at the firmware).

If that aspect of the SEP is compromised, what else about it is? This is extra
disturbing because Apple's "fix" was to disconnect unauthorized peripherals --
not, apparently, a fix to the SEP itself. This is why I am stunned there was
not more coverage of this. It's smoke that indicates a really fundamental flaw
in the SEP.

[1] [https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf](https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf) (page 18)
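To make concrete what the comments above are arguing over, here is an added model (not Apple's code and not from the article) of the two protections they describe: the ~80 ms PBKDF2 floor per guess and the escalating, reboot-surviving lockout. The figures on the page are the 80 ms floor and the one-hour delay after the ninth failure; the intermediate steps of the schedule are an assumption taken from the iOS Security Guide's table and should be checked against page 18.

```python
"""Model of the passcode throttling discussed above (added example; not Apple's code).
Two protections are modelled: the ~80 ms PBKDF2 floor per guess and the escalating
lockout that persists across a restart. The intermediate steps of the schedule are
an assumption taken from the iOS Security Guide's table; verify against page 18.
"""
PER_ATTEMPT_SECONDS = 0.080   # PBKDF2 iteration count tuned so one guess costs ~80 ms


def lockout_after(failures: int) -> float:
    """Extra delay (seconds) imposed after the Nth consecutive failure."""
    if failures < 5:          # attempts 1-4: no added delay
        return 0.0
    if failures == 5:         # 5th: 1 minute
        return 60.0
    if failures == 6:         # 6th: 5 minutes
        return 300.0
    if failures <= 8:         # 7th-8th: 15 minutes (assumed from the guide's table)
        return 900.0
    return 3600.0             # 9th and later: 1 hour (the figure quoted on the page)


class PasscodeThrottle:
    """Failure counter and unlock time kept in state that a reboot does not clear."""

    def __init__(self, secret: str, failures: int = 0, locked_until: float = 0.0):
        self.secret, self.failures, self.locked_until = secret, failures, locked_until

    def attempt(self, guess: str, now: float) -> tuple[bool, float]:
        """Return (accepted, seconds to wait). A locked device never checks the guess."""
        if now < self.locked_until:
            return False, self.locked_until - now
        if guess == self.secret:
            self.failures = 0
            return True, 0.0
        self.failures += 1
        self.locked_until = now + PER_ATTEMPT_SECONDS + lockout_after(self.failures)
        return False, self.locked_until - now

    def reboot(self) -> "PasscodeThrottle":
        """Simulate a restart: the counter is persisted, so it survives."""
        return PasscodeThrottle(self.secret, self.failures, self.locked_until)


def exhaustive_search_seconds(digits: int, escalating: bool) -> float:
    """Worst-case time to try every code: 80 ms floor only, or floor plus escalating lockout."""
    total = 0.0
    for n in range(1, 10 ** digits + 1):
        total += PER_ATTEMPT_SECONDS + (lockout_after(n) if escalating else 0.0)
    return total
```

For a four-digit code the 80 ms floor alone caps exhaustive guessing at about 13 minutes, while the escalating schedule pushes it past a year; that gap is why a bypass of the lockout, rather than of the PBKDF2 cost, is the serious finding.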

------
briandear
Those phones aren’t “grey market,” they are black market.

~~~
bch
Less important, but also colour-related and entertaining, the mixed metaphor
“white elephant in the room”.

------
strictnein
I was wondering if they were talking about Jin, and yeah, it's the first line
of the article.

Worth a follow, if not simply to see some interesting prototype hardware and
tools pop up from time to time.

[https://twitter.com/Jin_Store](https://twitter.com/Jin_Store)

------
xhruso00
Wonder how they would re-sell a dev-fused Apple car ;)

~~~
neop1x
they would re-sell the motherboard from it

