Apple Security Research Device
The Apple Security Research Device is a specially fused iPhone that allows security researchers to perform research on iOS without having to defeat or disable the platform security features of iPhone. With this device, a researcher can side-load content that runs with platform-equivalent permissions and thus perform research on a platform that more closely models that of production devices.
To ensure that user devices aren’t affected by the security research device execution policy, the policy changes are implemented in a variant of iBoot and the Boot Kernel Collection. Both fail to boot on user hardware. The research iBoot checks for a new fusing state and enters a panic loop if it’s being run on hardware that isn’t research-fused.
The cryptex subsystem allows a researcher to load a personalized trust cache and a disk image containing corresponding content. A number of defense in-depth measures have been implemented to ensure that this subsystem doesn’t allow execution on user devices:
launchd won’t load the cryptexd launchd property list if it’s unable to detect the research fuse.
cryptexd aborts if it doesn’t detect the research fuse.
The entitlement that grants cryptexd the ability to mount a disk image is honored only by the research kernel cache. The relevant code path isn’t compiled into the release kernel cache.
The signing server refuses to personalize a cryptex disk image for a device not on an explicit allow list.
To respect the privacy of the security researcher, only the measurements (for example, hashes) of the executables and the security research device identifiers are sent to Apple during personalization. Apple doesn’t receive the content of the cryptex being loaded onto the device.
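The following is an added, simplified model (not Apple’s code) of the cryptex personalization and loading checks described above: the request carries only executable measurements and a device identifier, the signing server refuses devices that aren’t on its allow list, and each device-side layer refuses independently when the research fuse or research kernel is absent. The device identifier, allow list, and the HMAC standing in for Apple’s signature scheme are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed stand-ins: a symmetric signing key shared by server and device
# (Apple uses a real signature scheme; HMAC is used here only for illustration)
# and an explicit allow list of research device identifiers.
SIGNING_KEY = secrets.token_bytes(32)
ALLOW_LIST = {"SRD-0001"}

def measure_executables(executables: Dict[str, bytes]) -> Dict[str, str]:
    """Produce measurements (SHA-256 digests) of each executable; content stays local."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in executables.items()}

def build_personalization_request(device_id: str, executables: Dict[str, bytes]) -> dict:
    """Client side: the request contains only the device identifier and measurements."""
    return {"device_id": device_id, "measurements": measure_executables(executables)}

def personalize(request: dict) -> Optional[dict]:
    """Signing server: refuse to personalize for any device not on the allow list."""
    if request["device_id"] not in ALLOW_LIST:
        return None
    payload = json.dumps(request, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, "sha256").hexdigest()
    return {"trust_cache": request, "signature": sig}

def device_accepts_cryptex(research_fuse: bool, kernel_is_research: bool,
                           signed: Optional[dict], device_id: str) -> bool:
    """Device side: every layer must pass before a personalized trust cache is loaded."""
    if not research_fuse:
        return False  # launchd won't load cryptexd's plist; cryptexd itself aborts
    if not kernel_is_research:
        return False  # the mount entitlement is honored only by the research kernel cache
    if signed is None:
        return False  # the signing server refused personalization
    trust_cache = signed["trust_cache"]
    if trust_cache["device_id"] != device_id:
        return False  # personalized for a different device
    payload = json.dumps(trust_cache, sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, payload, "sha256").hexdigest()
    return hmac.compare_digest(expected, signed["signature"])
```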
To avoid having a malicious party attempt to masquerade a research device as a user device to trick a target into using it for everyday usage, the security research device has the following differences:
The security research device starts up only while charging. Charging can be done using a Lightning cable or a Qi-compatible charger. If the device isn’t charging during startup, the device enters Recovery mode. If the user starts charging and restarts the device, it starts up as normal. As soon as XNU starts, the device doesn’t need to be charging to continue operation.
The words Security Research Device are displayed below the Apple logo during iBoot startup.
The XNU kernel boots in verbose mode.
The device is etched on the side with the message “Property of Apple. Confidential and Proprietary. Call +1 877 595 1125.”
The following are additional measures that are implemented in software that appears after boot:
The words Security Research Device are displayed during device setup.
The words Security Research Device are displayed on the lock screen and in the Settings app.
The Security Research Device affords researchers the following abilities that a user device doesn’t:
Side-load executable code onto the device with arbitrary entitlements at the same permission level as Apple operating system components.
Start services at startup.
Persist content across restarts.