
If anyone could buy this device, then tons of scammers would buy them, install malware, and sell them to people as normal phones. They could then control banking apps and whatever else they wanted.



Most such devices (e.g. "development kit" devices for game consoles) look very different than the release product. Usually in such a way that it'd be impractical to use them casually for your personal needs.

In other cases, e.g. Android/Chromebooks, there's a common, immutable early chain-of-trust that stays the same between production and development devices (or in this case, between rooted and unrooted devices); which pops up a message during boot warning that a device is currently a development/rooted device, and therefore should not be trusted for production use-cases. It could just as well also say "DO NOT BUY THIS PHONE ON THE SECONDARY MARKET; IT HAS BEEN TAMPERED WITH, AND CANNOT BE TRUSTED WITHOUT FACTORY RE-VERIFICATION" — and users could then be told repeatedly in the company's messaging to look for messages at boot before buying.
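As an added example (not from the thread), a buyer-side check of the Android boot state the comment describes: it classifies a device from the `ro.boot.verifiedbootstate` and `ro.boot.flash.locked` properties as `adb shell getprop` prints them, flagging a phone whose chain of trust was broken before anyone types credentials into it. The function names and the property dumps below are mine, and the dumps are constructed samples rather than captures from a real device.

```shell
#!/bin/sh
# Classify an Android device's boot trust state from a getprop dump.
# Input lines look like "[ro.boot.verifiedbootstate]: [green]".
# Prints trusted / untrusted / unknown and returns 0 / 1 / 2.
# On a real device:  classify_boot_state "$(adb shell getprop)"

# Extract the value of property $1 from the dump in $2 (empty if absent).
getprop_value() {
    printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p" | head -n 1
}

classify_boot_state() {
    dump="$1"
    vbstate=$(getprop_value ro.boot.verifiedbootstate "$dump")
    locked=$(getprop_value ro.boot.flash.locked "$dump")

    # Neither property reported: the device cannot be verified this way.
    if [ -z "$vbstate" ] && [ -z "$locked" ]; then
        echo unknown
        return 2
    fi
    case "$vbstate" in
        green)  ;;                         # OEM-signed image, locked bootloader
        yellow|orange|red)                 # custom key / unlocked / verification failed
            echo untrusted; return 1 ;;
        "")     ;;                         # not reported; fall back to the lock bit
        *)      echo unknown; return 2 ;;  # value we do not recognise
    esac
    # An unlocked bootloader means anyone could have reflashed the system image.
    if [ "$locked" = "0" ]; then
        echo untrusted
        return 1
    fi
    echo trusted
    return 0
}

# Constructed sample dumps (not captured from real hardware).
SAMPLE_LOCKED='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]'
SAMPLE_UNLOCKED='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]'
```

Running `classify_boot_state "$SAMPLE_UNLOCKED"` prints `untrusted`, which is the same condition the yellow/orange boot screen warns about before the OS starts.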


Most, maybe, but look at all of the Developer Transition Kits Apple has been distributing - they’re Mac Mini bodies with Apple Silicon inside. There’s no reason to think this won’t be an iPhone chassis with modified guts.


This will likely be an iPhone that looks identical to a production one, both inside and out. Perhaps there will be a serial number on it or something.


I agree, but I think there are non-technical people who would happily buy a cheap iPhone on Craigslist or Facebook and enter in all their iCloud or banking info without rebooting or looking at warnings.


Who is honestly going to buy this highly sought-after iPhone, backdoor it and flip it for a discount on Craigslist in an attempt to what, hack a random person? And you can just prevent that by doing something simple like disabling the App Store…


First, my argument only applies to when these are common and not highly sought after (see the top level comment I replied to). Not necessarily a random person, but having an easily obtainable rooted iPhone would absolutely enable targeted attacks against wealthy/famous people.

Think of it like a classic USB drop attack but a bit more expensive: you install your remote management code on a phone, box it up like new, and drop it at the door of someone wealthy's house. I'd bet they would happily assume it's a wrong delivery and start using it if it's an upgrade over their current phone.


Again, if you make the research iPhones unmistakable people will figure it out. And yeah, people ignore strange markings or click through warnings, but if you make it impossible to do the thing they want to do then they literally cannot ignore it.


I agree with the first sentence, but disabling the app store would greatly hamper security research, since you can't debug third party apps.


You'd just download the IPA manually and self-sign it or whatever. Basically just make it unmistakable that this device is not normal and block normal people from being able to use it as normal without realizing it's a development device.


I doubt they would cost the same as regular iPhones.


Does it matter what they cost if scammers could net tens/hundreds of thousands for a single one? (Assuming they pick targets right)


People with tens/hundreds of thousands of dollars are buying iPhones from random third parties?


It's easier than that. You simply modify the special phone to broadcast the unlock PIN being entered in real time. You set the background to the same wallpaper as the target's phone.

You swap it physically for the target's phone on the table, netting you the target device.

Moments later, when they pick up a phone that looks just like their own and enter a PIN several times, you now have both their phone (from when you swapped it) and the PIN to unlock it (from the broadcast), allowing you full use of the device, offline, at your leisure. The target is now confused why their phone isn't unlocking, and may not detect the attack for hours.

Apple really should put these audit devices in a big, boxy, couldn't-possibly-be-mistaken-for-an-iPhone case.


> The target is now confused why their phone isn't unlocking, and may not detect the attack for hours.

You might as well let the user in while you’re at it, so it’s truly undetectable.

> Apple really should put these audit devices in a big, boxy, couldn't-possibly-be-mistaken-for-an-iPhone case.

Someone in Shenzhen is spinning up their CNC machine as you speak to change that to “you could probably show it to a Genius and they wouldn’t be able to tell at a glance”.


You couldn’t, without the data on the stolen target phone. The attack ends with the victim in physical possession of the security research device.

I was thinking that the board might need to be larger, too, to make sure it couldn’t easily be transplanted.


> I was thinking that the board might need to be larger, too, to make sure it couldn’t easily be transplanted.

Wouldn't that be costly from an assembly perspective? Economies of scale and all that.

Idk, this all seems much too spy-novel-esque for me. You could also install a hidden camera in the victim's room, or modify the phone to capture the video-out signal.


Apple is retaining ownership of the devices, as mentioned in the article. They are not for sale. The per-device cost is not hugely relevant.

It sounds like a spy novel because spies spy on people who use regular, everyday hardware. A rooted iPhone is an extremely useful tool to that end.


> It sounds like a spy novel because spies spy on people who use regular, everyday hardware. A rooted iPhone is an extremely useful tool to that end.

Do you know of any instances where this happened with devices that can be rooted? (Computers, most Android phones, iPhones vulnerable to Checkm8)


Barton Gellman wrote about this very thing happening to his iPad (remote jailbreak/root) when he was working with Snowden, in his book Dark Mirror.

The leveraging of Android malware for espionage (corporate and military both) is well-documented in the media.


So get a regular iPhone, disable the lock-screen timer, slap an app on it that mimics the unlock screen. No specialty hardware needed.


You could do that with jailbroken phones today.


A scam that requires an individually targeted bespoke device that nets tens or hundreds of thousands (how does that even work? how would the proceeds be exfiltrated untraceably?) is just a really expensive way to have a very short career as a scammer.




