Apple Security Research Device
The Apple Security Research Device is a specially fused iPhone that allows security researchers to perform research on iOS without having to defeat or disable the platform security features of iPhone. With this device, a researcher can side-load content that runs with platform-equivalent permissions and thus perform research on a platform that more closely models that of production devices.
To help ensure that user devices aren’t affected by the security research device execution policy, the policy changes are implemented in a variant of iBoot and in the Boot Kernel Collection. These fail to boot on user hardware. The research iBoot checks for a new fusing state and enters a panic loop if it’s being run on non-research-fused hardware.
The cryptex subsystem allows a researcher to load a personalised trust cache and a disk image containing corresponding content. A number of in-depth defence measures have been implemented that are designed to ensure that this subsystem doesn’t allow execution on user devices:
launchddoesn’t load the
cryptexdlaunchd property list if it detects a normal customer device.
cryptexdaborts if it detects a normal customer device.
AppleImage4doesn’t vend the nonce used for verifying a research cryptex on a normal customer device.
The signing server refuses to personalise a cryptex disk image for a device not on an explicit allow list.
To respect the privacy of the security researcher, only the measurements (for example, hashes) of the executables or kernel cache and the security research device identifiers are sent to Apple during personalisation. Apple doesn’t receive the content of the cryptex being loaded onto the device.
To avoid having a malicious party attempt to masquerade a research device as a user device to trick a target into using it for everyday usage, the security research device has the following differences:
The security research device starts up only while charging. This can be using a Lightning cable or a Qi-compatible charger. If the device isn’t charging during startup, the device enters Recovery mode. If the user starts charging and restarts the device, it starts up as normal. As soon as XNU starts, the device doesn’t need to be charging to continue operation.
The words Security Research Device are displayed below the Apple logo during iBoot startup.
The XNU kernel boots in verbose mode.
The device is etched on the side with the message “Property of Apple. Confidential and Proprietary. Call +1 877 595 1125”.
The following are additional measures that are implemented in software that appears after boot:
The words Security Research Device are displayed during device setup.
The words Security Research Device are displayed on the Lock Screen and in the Settings app.
The Security Research Device affords researchers the following abilities that a user device doesn’t. Researchers can:
Side-load executable code onto the device with arbitrary entitlements at the same permission level as Apple operating system components
Start services at startup
Persist content across restarts
research.com.apple.license-to-operateentitlement to permit a process to debug any other process on the system, including system processes.
research.namespace is respected only by the
RESEARCHvariant of the AppleMobileFileIntegrity kernel extension; any process with this entitlement is terminated on a customer device during signature validation.
Personalise and restore a custom kernel cache