Determining if a device has been deeply compromised

Question

Level 1

4 points

Determining if a device has been deeply compromised

I support people who routinely travel to China on business and are high profile. We give them burner devices to carry when they go.

Is there a way to determine if those devices have been compromised in any way? We wipe them and reconfigure them after each trip, but I'd like to be able to determine if there's any remnant of a compromise. Like is there a standard bit count or memory usage that a newly setup iOS 17 iPhone 15 MUST have? Or is that different each time? Can I use configurator to help determine this?

iPad

Posted on Mar 5, 2024 12:50 PM

Reply

Answer 1

Mar 5, 2024 1:10 PM in response to 65ponyboy

There is no easy way to tell. There are ways to detect Pegasus-type spyware, but it evolves regularly. At one time iMazing claimed to be able to detect it; I haven’t checked recently.

To be safe afterwards you need to perform a DFU restore→How To Put An iPhone In DFU Mode, The Apple Way

Reply

Answer 2

Mar 5, 2024 5:42 PM in response to 65ponyboy

Correct. The 3 ways of updating:

Settings/General/Reset all settings and content just erases user data, but leaves iOS, which may have been hacked.
Restore using iTunes or Finder (on Mac Catalina or later). This uses the current installation of iOS to load a new installer, than then overwrites the current installation with the new one, but, if the current installation is hacked, this does not guarantee a clean installation.
DFU mode doesn’t use the current iOS; instead, it uses a primitive read-only core firmware to install a completely new iOS. This is probably how the first installation of iOS on a new phone is done.

Reply

Answer 3

65ponyboy Author

Level 1

4 points

Mar 5, 2024 2:01 PM in response to Lawrence Finch

So DFU Mode re-writes every line of code? That should ensure that there's no carry over malware at least!

Reply

Determining if a device has been deeply compromised

Similar questions