
Does it matter what they cost if scammers could net tens/hundreds of thousands for a single one? (Assuming they pick targets right)


People with tens/hundreds of thousands of dollars are buying iPhones from random third parties?


It's easier than that. You simply modify the special phone to broadcast the unlock PIN being entered in realtime. You set the background to the same wallpaper as the target's phone.

You swap it physically for the target's phone on the table, netting you the target device.

Moments later, when they pick up a phone that looks just like their own and enter a PIN several times, you now have both their phone (from when you swapped it) and the PIN to unlock it (from the broadcast), allowing you full use of the device, offline, at your leisure. The target is now confused why their phone isn't unlocking, and may not detect the attack for hours.

Apple really should put these audit devices in a big, boxy, couldn't possibly-be-mistaken-for-an-iPhone case.


> The target is now confused why their phone isn't unlocking, and may not detect the attack for hours.

You might as well let the user in while you’re at it, so it’s truly undetectable.

> Apple really should put these audit devices in a big, boxy, couldn't possibly-be-mistaken-for-an-iPhone case.

Someone in Shenzhen is spinning up their CNC machine as you speak to change that to “you could probably show it to a Genius and they wouldn’t be able to tell at a glance”.


You couldn’t, without the data on the stolen target phone. The attack ends with the victim in physical possession of the security research device.

I was thinking that the board might need to be larger, too, to make sure it couldn’t easily be transplanted.


> I was thinking that the board might need to be larger, too, to make sure it couldn’t easily be transplanted.

Wouldn't that be costly from an assembly perspective? Economies of scale and all that.

Idk, this all seems much too spy-novel-esque for me. You could also install a hidden camera in the victim's room, or modify the phone to capture the video-out signal.


Apple is retaining ownership of the devices, as mentioned in the article. They are not for sale. The per-device cost is not hugely relevant.

It sounds like a spy novel because spies spy on people who use regular, everyday hardware. A rooted iPhone is an extremely useful tool to that end.


> It sounds like a spy novel because spies spy on people who use regular, everyday hardware. A rooted iPhone is an extremely useful tool to that end.

Do you know of any instances where this happened with devices that can be rooted? (Computers, most Android phones, iPhones vulnerable to Checkm8)


Barton Gellman wrote about this very thing happening to his iPad (remote jailbreak/root) when he was working with Snowden, in his book Dark Mirror.

The leveraging of Android malware for espionage (corporate and military both) is well-documented in the media.


So get a regular iPhone, disable the lock-screen timer, slap an app on it that mimics the unlock screen. No specialty hardware needed.


You could do that with jailbroken phones today.


A scam that requires an individually targeted bespoke device that nets tens or hundreds of thousands (how does that even work? how would the proceeds be exfiltrated untraceably?) is just a really expensive way to have a very short career as a scammer.



