It’s probably been a while since anyone thought about Apple’s router-and-network storage combo called the Time Capsule. Released in 2008 and discontinued in 2018, the product has largely receded into the sands of gadget time. So when independent security researcher Matthew Bryant recently purchased a UK Time Capsule on eBay for $38 (plus more than $40 to ship it to the United States), he thought he’d just be getting one of the trusty white monoliths at the end of its earthly journey. Instead, he stumbled upon something he didn’t expect: a trove of data that appeared to be a copy of the main backup server for all European Apple Stores during the 2010s. The information included service tickets, employee bank account data, internal company documentation, and emails.
“It had everything you could possibly imagine,” Bryant tells WIRED. “Files had been deleted from the drive, but when I did the forensic analysis, it was definitely not empty.”
Bryant didn’t stumble upon the Time Capsule by chance. At the Defcon security conference in Las Vegas on Saturday, he will present the results of a months-long project in which he scraped listings for used electronics from sites like eBay, Facebook Marketplace and China’s Xianyu, then ran computer vision analysis on them in an attempt to detect devices that were once part of corporate computing teams.
Bryant realized that sellers offering office devices, prototypes, and manufacturing equipment were often unaware of the significance of their products, so he couldn’t sift through labels or descriptions to find corporate gems. Instead, he devised an optical character recognition processing cluster by stringing together a dozen dilapidated second-generation iPhone SEs and leveraging Apple’s Live Text optical character recognition feature to find potential inventory labels, barcodes, or other corporate tags in listing photos. The system monitored new listings, and if it found a potential hit, Bryant received an alert so he could evaluate the device photos himself.
In the case of the Time Capsule, photos of the listing showed a label on the bottom of the device that read, “Property of Apple Computer, discontinued equipment.” After assessing the Time Capsule’s contents, Bryant notified Apple of his findings and was eventually asked by the company’s security office in London to return the Time Capsule. Apple did not immediately respond to a request from WIRED for comment on Bryant’s investigation.
“The main company that is looking at doing proofs of concept is Apple, because I think they are the most mature hardware company out there. They have a special account of all their hardware and they are very concerned about the security of their operations,” Bryant says. “But for any Fortune 500 company, it’s basically a guarantee that their products will end up on places like eBay and other secondhand marketplaces. I can’t think of a company where I haven’t seen at least some equipment and received an alert from my system about it.”
Another alert from his search system led Bryant to purchase a prototype iPhone 14 intended for use by Apple developers. These iPhones are coveted by malicious actors and security researchers alike because they typically run special versions of iOS that are less well-protected than the consumer product and include a debugging feature that proves invaluable for gaining insight into the platform. Apple runs a program to give access to similar devices to certain researchers, but the company only grants these special iPhones to a limited group, and researchers have told WIRED that they are typically outdated iPhone models. Bryant says he paid $165 for the iPhone 14 for developer use.