Hackers using stolen iPhone prototypes to probe security and develop iOS exploits

The Cellebrite Universal Forensic Extraction Device (UFED), an item that may have been created using hacks gleaned from a 'dev-fused' iPhone

Researchers hunting down potential exploits and issues with the highly-popular iPhone have, over the last few years, discovered a shortcut to finding out how to look closely at the inner workings of the device, while avoiding all of Apple's security processes and systems for preventing the public from accessing elements they cannot see. The method is to effectively acquire an internal version of the iPhone that simply does not have the same level of protections as a consumer-released model.

The version, dubbed "dev-fused" and sometimes called a "prototype," is an iPhone that has not completed the production process or has been reverted to a development state, reports Motherboard. Meant only for use by Apple's engineers, the units have most of their security functions disabled, more so than typical jailbroken versions, giving those in possession of it an opportunity to look at how the software functions unhindered by its security.

The dev-fused units occasionally surface on the gray market, smuggled out of Apple-related facilities illegally, and can end up selling for thousands of dollars to interested parties. Once acquired, the units can be "rooted" and used to find a hack that could be used on consumer iPhones, and has the potential to be used by governments and law enforcement agencies.

It is claimed by multiple report sources that Cellebrite, a security firm that allegedly aided law enforcement officials as part of the investigation into the San Bernardino shooting, has acquired some dev-fused devices as part of its product development. Hackers who may have been among the first to show off information gleaned via a dev-fused device are also said to be working for Azimuth, another security firm known for producing hacking tools for the US, Canadian, and UK governments.

The first main sign that such hardware was becoming available through unofficial channels was via a Black Hat talk in August 2016, where researchers Mathew Solnik, David Wang, and Tarjei Mandt described how the iPhone's Secure Enclave Processor handled data encryption. While the method of discovery was not advised at the time or since, the report's sources believe their discoveries were possible only via the use of a dev-fused unit.

In the case of SEP, as its operating system is encrypted, it cannot be reverse engineered from a normal model, leaving the use of a unit that has yet to be encrypted as the only real way of knowing what is being performed.

A former Apple security team member advised they had queried Wang after the conference about the discovery. The hacker responded "Solnik got a dev-phone and dumped the firmware through standard Apple tools." Another iOS security researcher seemingly corroborated the claim Solnik was in possession of one of the devices.

None of the three people from the talk have commented about the affair.

Apple is said to be aware of the dev-fused unit trading, report sources within the company reveal, with Apple stepping up its efforts to prevent the units from leaving Foxconn and other facilities and into the hands of unauthorized users. Notably, Solnik was hired by Apple to work on its "red team" in 2017 following his talk, but left the company within weeks, for unknown reasons that are apparently "incredibly restricted" even from Apple employees.