It’s probably been a while since anyone thought about Apple’s router and network storage combo called Time Capsule. Released in 2008 and discontinued in 2018, the product has mostly receded into the sands of gadget time. So when independent security researcher Matthew Bryant recently bought a Time Capsule from the United Kingdom on eBay for $38 (plus more than $40 to ship it to the United States), he thought he would just be getting one of the stalwart white monoliths at the end of its earthly journey. Instead he stumbled on something he didn’t expect: a trove of data that appeared to be a copy of the main backup server for all European Apple Stores during the 2010s. The information included service tickets, employee bank account data, internal company documentation, and emails.
“It had everything you can possibly imagine,” Bryant tells WIRED. “Files had been deleted off the drive, but when I did the forensics on it, it was definitely not empty.”
Bryant hadn’t stumbled on the Time Capsule completely by accident. At the Defcon security conference in Las Vegas on Saturday, he’s presenting findings from a months-long project in which he scraped secondhand electronics listings from sites like eBay, Facebook Marketplace, and China’s Xianyu, and then ran computer vision analysis on them in an attempt to detect devices that were once part of corporate IT fleets.
Bryant realized that the sellers hawking office devices, prototypes, and manufacturing equipment often weren’t aware of their products’ significance, so he couldn’t comb tags or descriptions to find enterprise gems. Instead, he devised an optical character recognition processing cluster by chaining together a dozen dilapidated second-generation iPhone SEs and harnessing Apple’s Live Text optical character-recognition feature to find possible inventory tags, barcodes, or other corporate labels in listing photos. The system monitored for new listings, and if it turned up a possible hit, Bryant would get an alert so he could assess the device photos himself.
In the case of the Time Capsule, the listing photos showed a label on the bottom of the device that said “Property of Apple Computer, Expensed Equipment.” After he evaluated the Time Capsule’s contents, Bryant notified Apple about his findings, and the company’s London security office eventually asked him to ship the Time Capsule back. Apple did not immediately return a request from WIRED for comment about Bryant’s research.
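The matching stage of such a pipeline, seen from the defender's side, as an added example (not Bryant's code, which the article does not show): an asset-management team checks OCR text from listing photos against its own label wording and queues hits for human review. The `AT-` plus six digits tag format, the function names, and the sample listings are constructed assumptions; only the label wording comes from the article.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Wording from the organisation's own asset labels. These two phrases are the
# label text quoted in the article; the tag pattern is a hypothetical format.
LABEL_PHRASES = ["property of apple computer", "expensed equipment"]
ASSET_TAG = re.compile(r"\bat[- ]?\d{6}\b")
# Common OCR confusions, folded to one form before phrases are compared.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "|": "l"})


def normalize(text):
    """Lowercase, fold Unicode forms, drop punctuation, join OCR line breaks."""
    text = unicodedata.normalize("NFKC", text).lower()
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9\- |]", " ", text)).strip()


def fuzzy_contains(words, phrase, threshold=0.85):
    """True if some same-length word window is close enough to `phrase`."""
    target = phrase.translate(CONFUSABLE)
    n = len(phrase.split())
    best = 0.0
    for i in range(max(1, len(words) - n + 1)):
        window = " ".join(words[i:i + n]).translate(CONFUSABLE)
        best = max(best, SequenceMatcher(None, window, target).ratio())
    return best >= threshold


def review_listing(ocr_text):
    """Return the reasons a listing photo should go to a human reviewer."""
    clean = normalize(ocr_text)
    words = clean.split()
    reasons = [f"label:{p}" for p in LABEL_PHRASES if fuzzy_contains(words, p)]
    # Tags are matched on unfolded text so their digits stay digits.
    reasons += [f"tag:{m.group(0)}" for m in ASSET_TAG.finditer(clean)]
    return reasons


# Constructed OCR output for three listing photos.
LISTINGS = {
    "A": "Property 0f App1e Computer,\nExpensed  Equipment",
    "B": "Model A1470 wireless router, works fine, no cables",
    "C": "asset AT-004217 do not remove",
}


def triage(listings):
    """Map listing id -> reasons, keeping only listings with at least one hit."""
    return {k: r for k, v in listings.items() if (r := review_listing(v))}
```

The fuzzy threshold trades missed labels against reviewer workload, which is why hits go to a person rather than triggering action automatically.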
“The main company in the talk for proofs of concept is Apple, because I view them as the most mature hardware company out there. They have all their hardware specially counted, and they really care about the security of their operations quite a bit,” Bryant says. “But with any Fortune 500 company, it’s basically a guarantee that their stuff will end up on sites like eBay and other secondhand markets eventually. I can’t think of any company where I haven’t seen at least some piece of equipment and got an alert on it from my system.”
Another alert from his search system led Bryant to purchase a prototype iPhone 14 intended for developer use internally at Apple. Such iPhones are coveted by both bad actors and security researchers because they often run special versions of iOS that are less locked down than the consumer product and include debugging functionality that’s invaluable for gaining insight into the platform. Apple runs a program to give certain researchers access to similar devices, but the company only grants these special iPhones to a limited group, and researchers have told WIRED that they are typically outdated iPhone models. Bryant says he paid $165 for the developer-use iPhone 14.
Finally, Bryant says that manufacturing and assembly-line devices can be particularly revealing and can also be found on secondhand markets—especially platforms in China, since so many electronics are assembled in the country. Bryant was curious to see if he could find any equipment that had formerly been used in a Foxconn factory where iPhones are notoriously assembled. By analyzing Chinese listings with his computer vision system, Bryant says he was able to piece together how Foxconn’s asset management system works and how the company labels its devices—particularly those used on the factory floor. Eventually he found a Mac Mini that had a bunch of the Foxconn tags on it and had seemingly been used on a Foxconn quality-assurance testing line. But the computer was simply listed for parts, because the photos clearly showed that it had a large drill hole running through the device.
After examining schematics of various generations of Mac Minis, though, Bryant concluded that it was possible the drill had missed the magnetic tray where data would be stored on the hard drive. He took a chance and ordered the computer from China and assessed it himself. Bryant isn’t a hardware expert, but once he received the device, it also seemed to him that the physical destruction had likely not achieved its goal. So he sent the Mac Mini to a forensics lab in Los Angeles, which was ultimately able to recover all the data from the drive.
“It had the internal software that Apple uses on their factory line to do testing, including special interfaces for communicating with prototypes and QA units,” Bryant says. “And the computer also contained credentials for Foxconn and logs.”
Bryant again reported his findings to Apple and returned the Mac Mini to them.
The project contains a warning for companies, both about the inevitability of having some device attrition and the importance of taking asset management and deprovisioning seriously. For hackers and eagle-eyed deal seekers alike, though, rogue corporate devices may be a new item for the shopping list.