> The phone boots into an operating system known as “Switchboard,” which has a no-nonsense black background and is intended for testing different functionalities on the phone.
I think the article confuses the meaning of "dev-fused" hardware with what OS is actually installed on the phone. When I used to work at Apple, I always understood "dev-fused" to mean a device on which you could install unsigned builds of iOS.
Internally, Apple puts out new builds of iOS daily. The engineers building features on top of iOS need to install these builds, to do their work. A normal iPhone from a store won't take these unsigned builds, hence the need for these dev-fused devices. There are regular builds like what a customer would get, debug builds with lots of logging and debugging checks enabled, and even bare-bones builds like switchboard, for employees who are not UI-disclosed or work in factories. As someone building higher-level iOS features, all my dev-fused devices just ran a normal looking iOS, unlike what the article describes.
> Two people showed Motherboard how to get root access on the phone we used; it was a trivial process that required using the login: “root” and a default password: “alpine.”
Specifically, developer-fused hardware allows for stuff like setting boot arguments and having them actually get passed to the kernel. Basically, it lets you get in the way of and modify the "chain of trust" that the bootloader → kernel → userland processes normally ensures.
To be honest, I think the daily builds are signed by B&I as well, so you can install them on production hardware provided you have valid AppleConnect credentials (which I think just authorizes the install). You just won't be able to debug the kernel, etc.
EDIT: I just looked at some of your other comments. I think you mean well and have some impressive knowledge for someone not working on those things, but some of it is also guesswork about very complex details that even internal people can get wrong, so I think publicly claiming conjecture as if it were fact is more misleading than you mean it to be.
I'm mostly basing my comments on my knowledge of what the jailbreak community has made public so mistakes are likely me misremembering or not fully understanding something. Is there something in particular that I got wrong?
Very impressive indeed. And the GP is right about many employees even getting these little details wrong. The answer is definitely a lot more complicated.
As far as I remember, the AppleConnect aspect of it is only if you want to connect to the corp NFS where they have the IPSW. And beyond that I think I was able to use PurpleRestore on production silicon by switching the device connected to the host at the right point in time and leaving my phone in a really odd state that had shocked everyone at the Apple store I brought it to. They were so confused that I had to explain to them where I work for them to calm down.
Same here, that's why I sometimes wish I had saved some screenshots for my own use or even for sharing but I have a feeling Apple would have hunted me down for it. That's probably why we don't see so many of them in the wild. Even in the orientation you'll hear stories about how seriously they take their ability to surprise and delight, with an emphasis on the surprise. :)
I also remember there being two internal wikis for development and having access to both. Maybe one is called luna and the other is just straight out called purple?
You get root on the device simply by authenticating as root with password alpine. Sometimes you'll get your hands on iDevices with weird specs like 3.75GB of RAM etc.
There is also AppleConnect which is Apple's internal single-sign on.
What I find fascinating the most is honestly how I am unable to find recent screenshots of this software. They are all screenshots of really old versions with outdated UI.
Apple must have a special way of taking these down or doing offensive-SEO and burying them in results because while I was able to find search results for "apple luna internal wiki", I am no longer able to.
>In 2017, however, Solnik was hired by Apple to work on its security team, specifically on the so-called red team, which audits and hacks the company’s products. His talk at Black Hat had apparently impressed the folks at Cupertino. A few weeks later, however, he abruptly left the company, according to multiple sources.
>The full story of Solnik’s short stint at Apple is a closely-guarded secret. Motherboard spoke to dozens of people and was unable to confirm the specifics around his leaving the company; one source within Apple told me information about Solnik is “incredibly restricted,” and another confirmed that even within Apple, few know exactly what happened.
Why hire someone that was previously selling "offensive security tools and exploits to governments" into a sensitive role like that? It's incredibly naive to think that just because you're employing them now that they are actually loyal to you. Surely the insider threat is greater than any expertise that person has. Just pay them a bug bounty for specific information and keep them at arms length. Finding high integrity security researchers to hire is more important than raw talent.
Money talks, if they paid him enough they could buy his loyalty
Similar parallels exist in many walks of life. Those guarding assets need incentives to be loyal
In a case of a potentially bad actor/blackest hat, you make them an offer they can’t refuse. Take lots of money and stay quiet, or we will unleash our government pit bulls.
In the case of a black hat selling exploits to governments, that government can always outbid a company. They can offer to pay more plus not kill/imprison his family members.
Wow, this sounds incredibly, personally familiar. This is such an Apple thing to do. In fact hearing about Solnik, I feel better about talking about things because I always thought giving out details narrowed things down a little too much.
Let me guess what happened to Solnik. He got to work one day to find out his meetings for that day were cancelled. Then got an iMessage asking him to come to a different building instead to meet with Global Security Operations. :)
This is never about Apple finding something against you. It is about Apple now deciding you are too risky to employ as you constitute an internal threat because you read too much or you put one and one together and told someone something you're not supposed know because you're not disclosed on it.
Apple probably let him keep his bonus and all the RSUs he was promised, as a demonstration of "good faith".
"The article that has been published regarding me is a complete hit piece. It provides no hard evidence and is based on pure rumor. It’s sad to see the publication stoop to such levels. This is not worth any further response and will get none. End of Story."
I notice he didn't deny the use of dev mode debug devices. I personally don't see what the big deal is apart from implying magical hacker skills - reverse engineering even from a debug device is still impressive work.
No hard evidence of what exactly? His reply doesn’t make much sense. Other than maybe he doesn’t think it looks flattering when you’re abruptly let go from 2 jobs and your consulting venture doesn’t pan out.
This is pretty silly. Solnik could probably get drunk, spin round in a circle 100 times quickly, and fall ass-backwards into better consulting gigs than almost anyone on HN.
> I used one of these devices and obtained “root” access on it, giving me almost total control over the phone; gaining root access allows researchers to probe many of the phone’s most important processes and components.
Root access does not give total control on iOS. There are many other things that stand in the way of "full access".
> “Switchboard devices” are another term for some dev-fused phones, which refers to the proprietary operating system they run.
No. Development-fused devices can run iOS; "Switchboard devices" are devices that have not had iOS flashed on them and are still running Switchboard.
Which makes me wonder why even go with one story over the other. They both contain theft, so if you accept that there was theft, then it's illegal to buy them, and illegal for them to sell them knowing that. I guess maybe it's so they look less like a common criminal and more like a white-collar criminal that only steals from super rich companies?
Some Chinese manufacturers have been known to have a "night shift." Which is to say that during the day they produce a manufacturer's products, and during the night they produce an off-label or unauthorised version. These phones all had Foxconn labels on them, there was no Apple branding or logos. It is possible they were unauthorized but not "stolen." As I said, it is a nuance, and one I imagine Apple's legal team wouldn't be distracted by.
PS - I am in no way defending anything. Just simply explaining there's other possible explanations for how unauthorised devices exist.
That doesn't really work for Apple products because they require unique components (like the SoC) that can't be bought anywhere and presumably the inventory is tracked carefully (e.g. 10,000 A12s go into the factory and ~10,000 iPhones go out).
Is there any info on how GrayKey worked? My understanding is that in recent models the SEP was supposed to prevent that kind of brute forcing of passcodes at the hardware level — and also enforce a secure boot chain that prevents loading hostile firmware (which it looks like GrayKey did based on screen shots). This would seem to involve an exploit of the SEP which is very serious... or was there some simpler exploit?
It's much more than that. According to Apple's iOS security whitepaper, the SEP is supposed to enforce escalating time delays in between attempts -- up to one hour after the 9th attempt. And survive restarts.
It certainly seems like GrayKey bypassed a fundamental SEP protection, which would constitute a very serious flaw. The SEP protections are supposed to be a whole 'nother level (which is what this article gets at.. it's Hard to even get at the firmware).
If that aspect of the SEP is compromised, what else about it is? This is extra disturbing because Apple's "fix" was to disconnect unauthorized peripherals -- not, apparently, a fix to the SEP itself. This is why I am stunned there was not more coverage of this. It's smoke that indicates a really fundamental flaw in the SEP.
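A constructed model, added here and not taken from the article, the thread, or any Apple code, of why the escalation described in the comment above matters. It uses the retry-delay table from Apple's iOS Security Guide (no delay for attempts 1 to 4, then 1 minute, 5 minutes, 15 minutes, 15 minutes, and 1 hour from the 9th failure on) and compares a counter that survives a reboot with one that is only held in volatile memory. The 80 ms per-attempt derivation cost and the 30 s cost of a power-cycle are assumed figures, not numbers from the page.

```python
from dataclasses import dataclass, field

# Lockout (seconds) imposed after the Nth consecutive failure; 9th and later: 1 hour.
# Schedule follows the table in Apple's iOS Security Guide.
DELAY_AFTER_FAILURE = {1: 0, 2: 0, 3: 0, 4: 0, 5: 60, 6: 300, 7: 900, 8: 900}
MAX_DELAY = 3600
ATTEMPT_COST = 0.080   # assumed seconds per passcode derivation (illustrative)
REBOOT_COST = 30.0     # assumed seconds for an attacker to power-cycle the device


def delay_after(failures: int) -> int:
    """Lockout to impose after `failures` consecutive wrong guesses."""
    return DELAY_AFTER_FAILURE.get(failures, MAX_DELAY)


@dataclass
class RetryGuard:
    """Model of the passcode retry counter.

    persistent=True keeps the counter in `nvram`, which survives reboot()
    (standing in for state held by the SEP).  persistent=False models the
    weakness of keeping it only in RAM, so a power-cycle clears it.
    """
    secret: str
    persistent: bool = True
    clock: float = 0.0                     # simulated seconds elapsed
    nvram: dict = field(default_factory=dict)
    ram: dict = field(default_factory=dict)

    @property
    def state(self) -> dict:
        return self.nvram if self.persistent else self.ram

    def locked(self) -> bool:
        return self.clock < self.state.get("unlock_at", 0.0)

    def reboot(self) -> None:
        self.clock += REBOOT_COST
        self.ram = {}                      # volatile state lost; nvram kept

    def attempt(self, guess: str) -> bool:
        st = self.state
        if self.locked():                  # caller has to wait out the lockout
            self.clock = st["unlock_at"]
        self.clock += ATTEMPT_COST
        if guess == self.secret:
            st["failures"] = 0
            return True
        st["failures"] = st.get("failures", 0) + 1
        st["unlock_at"] = self.clock + delay_after(st["failures"])
        return False


def brute_force(guard: RetryGuard, digits: int = 4, reboot_when_locked: bool = False) -> float:
    """Try every numeric passcode in order; return simulated seconds until success."""
    for n in range(10 ** digits):
        if reboot_when_locked and guard.locked():
            guard.reboot()                 # only helps if the counter is volatile
        if guard.attempt(f"{n:0{digits}d}"):
            return guard.clock
    raise RuntimeError("passcode not found")


def worst_case_seconds(digits: int, enforce_delays: bool = True) -> float:
    """Closed-form time to exhaust a numeric space when the correct code is tried last."""
    space = 10 ** digits
    total = space * ATTEMPT_COST
    if enforce_delays:
        total += sum(delay_after(n) for n in range(1, space))
    return total


if __name__ == "__main__":
    days = worst_case_seconds(4) / 86400
    print(f"4-digit space with enforced delays: about {days:.0f} days")
    print(f"4-digit space without delays: {worst_case_seconds(4, False):.0f} s")
    volatile = brute_force(RetryGuard("9999", persistent=False), reboot_when_locked=True)
    print(f"4-digit space, counter cleared by reboot: {volatile / 3600:.1f} hours")
```

With the schedule enforced and the counter persisted, exhausting four digits takes on the order of 400 days; if a reboot clears the counter, the same search drops to hours, which is the difference between the protection the commenter describes and the kind of bypass being speculated about.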
> Two people showed Motherboard how to get root access on the phone we used; it was a trivial process that required using the login: “root” and a default password: “alpine.”
Oh boy, that sure brings back memories!