Factory fresh just means fresh from the factory, not necessarily in the factory. The attack targets phones in their manufactured state with the OS and vendor firmware installed. In other words it's not an attack that depends on end user software (Apps) being installed, or on user behaviour, or even on features of the mobile network.
By supply chain, when they say mail orders and other shipments, they just mean between the vendor and the customer. In this case the use of "supply chain" could be miss-understood, this is a post-factory attack which would be carried out in transit, probably at a US border.
We have seen that done before to shipments of devices such as computers and network gear that have been intercepted and hacked before delivery to a suspect, or a target organisation or country.
I don't think this can be reasonably construed as evidence for Apple conniving with the CIA. In fact I still don't think that would make any sense from a CIA perspective. The factories aren't even in the US. Apple employees aren't background checked or sworn agents, they're a potential security risk. Why involve them if you don't need to?
Alright then they probably aren't infected straight from the factory. However Apple is definitely collaborating with NSA as are other major US tech companies.
By supply chain, when they say mail orders and other shipments, they just mean between the vendor and the customer. In this case the use of "supply chain" could be miss-understood, this is a post-factory attack which would be carried out in transit, probably at a US border.
We have seen that done before to shipments of devices such as computers and network gear that have been intercepted and hacked before delivery to a suspect, or a target organisation or country.
I don't think this can be reasonably construed as evidence for Apple conniving with the CIA. In fact I still don't think that would make any sense from a CIA perspective. The factories aren't even in the US. Apple employees aren't background checked or sworn agents, they're a potential security risk. Why involve them if you don't need to?