Anika Begay
It’s probably been a while since anyone gave a second thought to Apple’s router and network storage combo called the Time Capsule. Launched in 2008 and discontinued in 2018, the product has mostly disappeared into the sands of gadget time. So when independent security researcher Matthew Bryant recently purchased a Time Capsule from the UK on eBay for $38 (plus more than $40 for shipping to the US), he thought he was just getting one of the sturdy white monoliths at the end of its earthly journey. Instead, he stumbled upon something he hadn’t expected: a trove of data that appeared to be a copy of the main backup server for all European Apple Stores during the 2010s. The information included support tickets, employee bank account details, internal company records, and emails.
“It had everything you could possibly imagine,” Bryant tells WIRED. “Files had been deleted from the drive, but when I did the forensic analysis, it was definitely not empty.”
Bryant didn’t stumble upon the Time Capsule entirely by accident. At the Defcon security conference in Las Vegas on Saturday, he will present the results of a months-long project in which he scraped second-hand electronics listings from sites like eBay, Facebook Marketplace, and Xianyu in China, then ran computer vision analysis on them in an attempt to detect devices that were once part of corporate IT fleets.
Bryant realized that salespeople selling office equipment, prototypes, and manufacturing equipment often weren’t aware of the importance of their products, so he couldn’t sift through tags or descriptions to find business gems. Instead, he devised an optical character recognition processing cluster by linking together a dozen old second-generation iPhone SEs and using Apple’s Live Text optical character recognition feature to find possible inventory tags, barcodes, or other business labels in listing photos. The system would monitor new listings, and if it found a possible match, Bryant would receive an alert so he could evaluate the device photos himself.
In the case of the Time Capsule, listing photos showed a label on the bottom of the device that read, “Property of Apple Computer, Expected Equipment.” After assessing the Time Capsule’s contents, Bryant informed Apple of his findings, and the company’s London security office eventually asked him to send the Time Capsule back. Apple did not immediately respond to a request from WIRED for comment on Bryant’s research.
“The main company that’s being discussed for proof of concept is Apple, because I see them as the most mature hardware company out there. They have all their hardware counted in a special way and they’re very concerned about the security of their operations,” Bryant says. “But with any Fortune 500 company, it’s basically a guarantee that their stuff is going to end up on sites like eBay and other used marketplaces eventually. I can’t think of any company where I haven’t seen at least one piece of equipment and had my system alert me.”
Another alert from his research system led Bryant to purchase a prototype iPhone 14 intended for internal developer use at Apple. Such iPhones are coveted by both attackers and security researchers because they often run special versions of iOS that are less locked down than the consumer product and include debugging features that are invaluable for gaining insights into the platform. Apple runs a program to give researchers access to similar devices, but the company only grants these special iPhones to a limited group, and researchers told WIRED they are typically older iPhone models. Bryant says he paid $165 for the iPhone 14 for developer use.
