The corporate secrets being sold alongside 50 million used IT assets

At DEF CON 32, a researcher demonstrated a method for identifying used corporate IT assets from millions of e-commerce listings.
Cover image: Francis Scialabba

What happens to an enterprise device when it’s retired? Ideally, it’s decommissioned—whether that means wiped of all data and recycled, or outright destroyed.

But with so much hardware to go around, an awful lot of gear can slip into the ether. At DEF CON 32 in Las Vegas this August, Snap Security Engineer Matthew Bryant presented a method that allowed him to identify e-commerce listings for wayward IT assets en masse—including some of Apple’s.

Employing tools like Cloudflare Workers and reverse-engineered APIs, Bryant bypassed rate limiting and scraped 50 million listings from sites like eBay and Xianyu (Chinese shopping platform Taobao’s secondhand market). Bryant hoped they contained clues, like barcodes, indicating anything unusual or sensitive about the devices.

“The challenge is that the secrets we want are probably not outright in the item description,” Bryant told the audience. “Maybe the seller doesn’t even know what they’re selling.”

To extract data from images in bulk, Bryant tested several optical character recognition (OCR) tools. Tesseract, an open-source OCR model, had difficulty with the “very chic, gray-on-the-silver design” used by manufacturers like Apple, Bryant said. Vision, Google Cloud’s OCR API, worked well but was too expensive, he added.

“I looked at the pricing, and I was like, ‘Oh, I need four, seven images,’” Bryant added. “Wait, so for a million images, that’s $1,500, and we’re doing millions of images. So yeah, that’s not really tenable.”

Bryant settled on a bespoke solution—an HTTP server running Apple’s iOS OCR app on multiple phones. That app runs on any iPhone with a GPU acceleration chip, first introduced in 2020, which Bryant acquired as cheaply as $40 each.

The mobile processors struggled with his roughly 250 million scraped images, but “none of the iPhones are exploded yet,” Bryant said. His method located a bevy of potential loot; some he obtained from US resellers, while others he obtained from domestic Chinese resellers using drop-shipping methods.

Among his purchases were prototype iPhone 14s, useful for exploit debugging, and numerous unlocked iPhones belonging to organizations like CVS, the Hertz Corporation, and the US Navy. One big find? A Time Capsule device originating from an Apple office clearance sale.

“There was data on the device, things like internal credentials, internal support tickets, sales reports and figures, internal documentation, apps, repair guides, internal emails, bank account information, passport ID scans,” Bryant said. “And I swear this last one is true—dank internal memes from these Apple stores in Europe.”

Bryant also bought a hard drive originating from Foxconn, Apple’s Taiwanese manufacturing partner. Whoever drilled a hole in it missed the hard drive platter, which he said ended up containing “really tasty” materials like internal Apple QA and prototype testing software and factory credentials.

Apple requested the return of the Time Capsule and Foxconn device when notified, according to Bryant, who said he used Apple as an example because it is a mature hardware company known for zealously guarding trade secrets.

“If it affects them, we can be pretty sure any other company is affected as well,” Bryant said. “It’s very challenging to do this right, [especially] across many countries and to deliver this final product.”

The resellers didn’t appear to be deliberately selling corporate secrets, he concluded. Instead, many of the devices appeared to have been diverted into the vast sea of used, commodity hardware.

“If you have your stuff going to e-waste, a lot of people sort of assume it’s gonna be destroyed,” he added. “But then you get people on the e-waste side who are like, ‘Why are they throwing away 50 good iPhones? This could be resold right now.’”
