It’s probably been a while since anyone thought about Apple’s router and network storage combo called Time Capsule. Released in 2008 and discontinued in 2018, the product has mostly receded into the sands of gadget time. So when independent security researcher Matthew Bryant recently bought a Time Capsule from the United Kingdom on eBay for $38 (plus more than $40 to ship it to the United States), he thought he would just be getting one of the stalwart white monoliths at the end of its terrestrial journey. Instead he stumbled on something he didn’t expect: a trove of data that appeared to be a copy of the main backup server for all European Apple Stores during the 2010s. The information included service tickets, employee bank account data, internal company documentation, and emails.
“It had everything you can possibly imagine,” Bryant tells WIRED. “Files had been deleted off the drive, but when I did the forensics on it, it was definitely not empty.”
Bryant hadn’t stumbled on the Time Capsule completely by accident. At the Defcon security conference in Las Vegas on Saturday, he’s presenting findings from a months-long project in which he scraped secondhand electronics listings from sites like eBay, Facebook Marketplace, and China’s Xianyu, and then ran computer vision analysis on them in an attempt to detect devices that were once part of corporate IT fleets.
Bryant realized that the sellers hawking office devices, prototypes, and manufacturing equipment often weren’t aware of their products’ significance, so he couldn’t comb tags or descriptions to find enterprise gems. Instead, he devised an optical character recognition processing cluster by chaining together a dozen dilapidated second-generation iPhone SEs and harnessing Apple’s Live Text optical character-recognition feature to find possible inventory tags, barcodes, or other corporate tags in listing photos. The system looked for new listings, and if it turned up a possible hit, Bryant would get an alert so he could assess the device photos himself.
In the case of the Time Capsule, the listing photos showed a tag on the bottom of the device that said, “Property of Apple Computer, Expensed Equipment.” After he assessed the Time Capsule’s contents, Bryant notified Apple about his findings, and the company’s London security office eventually asked him to ship the Time Capsule back. Apple did not immediately return a request from WIRED for comment about Bryant’s research.
“The main company in the talk for proofs of concept is Apple, because I view them as the most grown-up hardware company out there. They have all their hardware specially counted, and they really care about the security of their operations quite a bit,” Bryant says. “But with any Fortune 500 company, it’s basically a guarantee that their stuff will end up on sites like eBay and other secondhand markets eventually. I can’t think of any company where I haven’t seen at least some piece of equipment and got an alert on it from my system.”
Another alert from his search system led Bryant to buy a prototype iPhone 14 intended for developer use internally at Apple. Such iPhones are coveted by both bad actors and security researchers because they often run special versions of iOS that are less locked down than the consumer product and include debugging functionality that’s invaluable for gaining insight into the platform. Apple runs a program to give certain researchers access to similar devices, but the company only grants these special iPhones to a limited group, and researchers have told WIRED that they are typically outdated iPhone models. Bryant says he paid $165 for the developer-use iPhone 14.