Researchers and Hackers Use Rare Dev-Fused Prototype iPhones to Unlock Security Secrets

If you've ever wondered how security researchers and hackers manage to bypass Apple's protections and security features to uncover iPhone vulnerabilities and other sensitive info, Motherboard is out today with a new report that has an answer.

Hackers and security researchers use rare "dev-fused" iPhones created for internal use at Apple. These dev-fused iPhones have not finished the production process and have many security features disabled. Motherboard describes them as "pre-jailbroken devices."

A dev-fused ‌iPhone‌ image shared with Motherboard by collector Giulio Zompetti
Dev-fused iPhones are smuggled out of Apple where they can sell for thousands of dollars on the gray market. These iPhones are incredibly valuable due to the fact that they can be used to locate vulnerabilities able to impact release versions of the ‌iPhone‌.

On the back of dev-fused iPhones seen by Motherboard, there's a QR-code sticker, a separate barcode, and a decal that says "FOXCONN," referring to the factory that makes iPhones and other Apple products. Otherwise, the phones look like normal iPhones. That standard ‌iPhone‌ experience ends when the phone is turned on. When booted up, you briefly see a command line terminal. And then when it loads, gone are the sleek icons and colorful backgrounds of iOS.

Motherboard spent months researching dev-fused iPhones, talking to more than two dozen sources ranging from security researchers and Apple employees to rare phone collectors and jailbreakers, and found that researchers, hackers, and high-profile companies like Cellebrite or GrayKey use these dev-fused iPhones to uncover bugs that can later be exploited by law enforcement agencies.

A dev-fused ‌iPhone‌ was, for example, used in 2016 to study the Secure Enclave Processor, and security researchers were able to uncover valuable details on how it works. These dev-fused iPhones are stolen property and illegal to possess, but are apparently "widely used" in the ‌iPhone‌ hacking scene.

"If you are an attacker, either you go blind or with a few thousand dollars you have all you need," Luca Todesco, one of the most well-known iOS security researchers in the world, told Motherboard, referring to people who buy dev-fused iPhones. "Some people made the second choice."

Motherboard was able to find someone on Twitter who sells dev-fused iPhones, with a dev-fused ‌iPhone‌ X priced at around $1,800. The seller said that he's provided dev-fused iPhones to several security researchers and that he believes major security firms that hack iPhones also use them. Other sellers offer dev-fused iPhones at higher prices, and Motherboard found an iPhone XR priced at $20,000.

Dev-fused iPhones are paired with a proprietary Apple cable called Kanzi that can cost upwards of $2,000, that, when plugged into a Mac, provides access to internal Apple software that offers root access to the phone.

Most of these devices seem to be stolen from and smuggled out of factories like Foxconn in China. Apple is apparently "well aware" of the fact that dev-fused devices are available. Apple has "ramped up efforts" to keep these devices from leaving Foxconn and does go after dev-fused ‌iPhone‌ sellers.

Motherboard's full report can be read over on the Motherboard website, and it is a fascinating look at the world of ‌iPhone‌ hacking for anyone who is interested in how ‌iPhone‌ vulnerabilities are uncovered.