It’s been a long time since anyone thought about Apple’s all-in-one router and network storage, Time Capsule. Launched in 2008 and discontinued in 2018, it’s all but disappeared into the sands of gadget age. So when independent security researcher Matthew Bryant recently bought a Time Capsule from the UK on eBay for $38 (plus $40 for shipping to the US), he assumed he was just getting his hands on the sturdy white monolith after its passing. Instead, he stumbled upon something different: a trove of data that appeared to be copies of the main backup servers for all of Apple’s European stores from the 2010s. The information included service tickets, employee bank account data, internal company documents, emails, and more.
“It had everything you could possibly imagine on it,” Bryant told WIRED. “The files had been removed from the drive, but when I did the forensic investigation, it was clearly not empty.”
Bryant’s stumble on the time capsule wasn’t pure coincidence: On Saturday at the Defcon security conference in Las Vegas, he’ll present the results of a months-long project in which he collected listings for used electronics from sites like eBay, Facebook Marketplace and China’s Xianyu, then ran computer vision analysis on them to try to detect devices that were once part of a company’s IT fleet.
Bryant found that sellers touting office equipment, prototypes, and manufacturing facilities were often unaware of the importance of their products, and couldn’t comb through tags and descriptions to find the gems for their companies. Instead, he devised an optical character recognition processing cluster that connected together 12 second-generation iPhone SEs and used Apple’s Live Text optical character recognition feature to look for inventory tags, barcodes, and other company labels in listing photos. The system monitored new listings, and if there was a potential hit, Bryant was alerted and could evaluate the equipment photos himself.
In the case of the Time Capsule, the listing photo showed a label on the bottom of the device that read, “Equipment owned by Apple Computer, purchased at expense.” After examining the Time Capsule’s contents, Bryant reported his findings to Apple, and the company’s London security office ultimately asked that the Time Capsule be returned. Apple did not immediately respond to WIRED’s request for comment on Bryant’s investigation.
“The proof-of-concept conversation centers around Apple because I think they’re the most mature hardware company. They have special control over all their hardware and they care very much about the security of their operations,” Bryant says. “But if you’re a Fortune 500 company, your products are almost guaranteed to end up on sites like eBay or other second-hand markets. I can’t think of a company that hasn’t at least seen some equipment and had their systems alert them.”
Another alert from the search system led Bryant to purchase a prototype iPhone 14 for internal Apple developers. These iPhones are popular with both malicious users and security researchers because they often run a special version of iOS that is less locked down than consumer versions and includes debugging features that are invaluable for understanding the platform. Apple has a program in place that gives certain researchers access to similar devices, but the company only grants these special iPhones to a select group of people, and the researchers told WIRED that they are often older iPhone models. Bryant said he paid $165 for the developer iPhone 14.
