It’s well known that Apple is one of the most secretive companies on the planet, constantly trying to keep its product plans under the tightest of wraps until its executives take the stage to wow onlookers with the newest iPhones, iPads, and Macs. Despite Apple’s best efforts, however, a steady stream of information leaks out whenever the company has a new product in the pipeline, and it’s a regular cat-and-mouse game between Apple’s security teams and employees in its supply and manufacturing chains who are often willing to take some pretty big risks to reveal Apple’s most closely-guarded secrets.
A new report from The Information reveals just how far Chinese factory and warehouse workers are willing to go, along with Apple’s continuing — and often futile — efforts to increase its security and secrecy in order to combat these leaks.
The report tells a number of stories revealing that factory workers have hidden iPhone parts in their belt buckles and bras, hoping that security guards won’t pat them down in those areas, and have even dug tunnels to bypass security checkpoints and get components to the outside world.
An Audacious Theft
The Information tells the tale of how one warehouse employee managed to steal thousands of iPhone 5C casings from a factory in China back in 2013, several weeks before the product was announced. The employee, who had a security guard in on the plot as well, was able to use falsified documents to drive a truck filled with the colourful shells right out of the gates, according to sources.
Before the iPhone 5C, Apple had only produced the iPhone in basic white and black colours; this previously-unreported incident was how much of the tech blogosphere got an early look at Apple’s foray into colourful iPhone casings, and sources have said that this is “one of the most devastating leaks” that every came out of Apple’s supply chain, completely spoiling the big reveal that the company had originally planned for.
Apple’s New Product Security Team
That particular theft was a wake-up call for Apple, which realized it had to much more seriously crack down on security among its supply chain. In response, the company deployed a new crack team of employees in China, known as the New Product Security team, or NPS, which were given the responsibility of monitoring security at all of its most sensitive suppliers.
Made up of former U.S. military and intelligence experts with specialized security backgrounds who were fluent in Chinese and familiar with the Chinese market, the NPS team became the company’s front line of defence against leaks. The core team of security experts was backed up by a larger group of security auditors, which Apple expanded from a small group of 10 employees who had been doing infrequent spot-checks a couple of times a year, to a whole army of auditors that began visiting factories on a weekly basis.
The core NPS team at one point had more than 30 members, and although it’s been downsized a bit as a result of its success in stopping most leaks, it’s still the largest of its kind compared to Apple’s competitors. NPS investigators and auditors assess more than 100 factories that handle the company’s unreleased products, assigning weekly scores that determine whether they qualify to continue working for Apple. Any given supplier can be cut off on a moment’s notice if its security score drops below a certain threshold, so managers within Apple’s supply chain are highly incentivized to proactively deal with security issues without delay.
Most of the work of Apple’s NPS team is focused on stopping physical leaks (theft) or electronic leaks (photos) of iPhone parts such as glass, metal, and plastic casings, which are often used to reveal the dimensions and features of an upcoming iPhone. While individuals behind these leaks do so for different reasons — some just want notoriety on social media while others are intent on making a buck by selling them to accessory makers who want a head start on producing cases or local business who want to build counterfeits — Apple takes a zero-tolerance approach to any and all leaks.
Still, the amount of money that can be made from leaking a mere iPhone enclosure makes it worth the risk for many employees, who could earn a year’s salary for being able to provide a physical case to competitors or accessory makers. Factory workers have hidden sensitive parts in crawl spaces, mop water, tissue boxes, shoes, and discarded metal shavings in hopes of being able to retrieve them when under less scrutiny by security guards, and have tried to smuggle them out under clothing in areas where guards won’t check.
Security caught one woman who hid dozens of glass screens under her bra after they noticed her walking strangely, and Apple’s NPS investigators once discovered factory workers digging a tunnel in a hidden corner of a room. “People were chipping away little by little at the wall ‘Shawshank Redemption’ style,” as one source put it.
It’s not just factories either. Apple has also found leaks among companies that are supposed to be destroying prototypes and defective parts, and Apple’s supplier security policies now require that an NPS-certified Apple employee be present when scrap is destroyed so that they can sign off on it. Packaging and printing contractors have also been the source of leaks, such as when a worker was able to sneak an iPhone into a printing factory to get shots of an iPhone X instruction manual prior to that device’s release.
Since many of the physical parts stolen from Apple’s factories end up on the Chinese black market, members of Apple’s NPS team also regularly go undercover to attempt to ferret out, buy back, and trace stolen parts.
In one case, Apple discovered that a Chinese business was offering repair classes for technicians on how to fix the iPhone X screen — long before the product had been announced. Apple’s NPS team secretly enrolled a contractor in the class, and was able to trace the source of the leaks.
In 2014, Apple’s investigators discovered and purchased 180 iPhone 6 enclosures on the black market, returning them to the security chief at the plant where they were being produced, who was able to identify the two employees responsible, one of whom was an engineer who had setup the inventory tracking system to make the stolen parts appear as if they were indefinitely in the process of being manufactured.
Dealing with the Leakers
Sadly, Apple’s culture of secrecy makes it difficult for the company to successfully prosecute the leakers, since the company needs to provide detailed descriptions of stolen parts to Chinese law enforcement, and of course it’s rarely willing to put its unreleased product designs on the public record. Under Chinese law, thieves only face penalties based on the street value of the parts they’ve stolen, not their value as intellectual property.
Most of the time, Apple doesn’t involve local law enforcement at all, since it’s hesitant to draw undue attention to unreleased products. However, in all cases, the offenders naturally lose their often-lucrative jobs (by Chinese standards), and may have difficulty finding other employment.
Security Challenges Remain
Despite its efforts in closing up many of the more glaring security holes, Apple still faces challenges in balancing its record on human rights with strict security protocols. Apple’s biggest supplier, Foxconn, once suggested that employees could be made to wear skintight suits in order to eliminate the possibility of parts being smuggled in clothing, however Apple rejected the idea as too invasive.
Despite this, however, female employees at Foxconn are required to wear metal-free bras to get past metal detectors (Foxconn even sells special bras in shops outside its factory gates), and while pregnant workers have complained about the use of metal detectors at facilities where new products are made, Apple hasn’t backed down on its security policies, which say no exceptions are made for pregnancy, forcing workers who are concerned about this to request a transfer to a less sensitive area.
Apple has also faced challenges with some suppliers — especially those from large competitors such as Samsung — where NPS team members and auditors have been denied access for fear of Apple stealing their trade secrets. Samsung, for instance, made the display for the iPhone X, but was initially unwilling to let an Apple security manager inspect the facility where the screens were being made. A compromise was eventually reached that granted the security auditor with access to walk through the facility — as long as they didn’t actually stop.
Enforcing Security Policies
While Apple’s NPS team has managed to crack down on most of the egregious physical leaks — preventing components and photos from leaving factories and warehouses is relatively simple — electronic leaks are becoming more and more of a threat. It was leaked schematics that first revealed the triple-lens camera system that will be coming to this year’s iPhones, for example.
Whiel the NPS team still manages physical security, the handling of electronic leaks and corporate espionage of this nature is handled by a separate team that’s managed directly out of Apple’s headquarters, and is bolstered by a whole range of policies that regulate how components are stored, and discarded, and how information is processed.
For example, containers used to store parts must be opaque and sealed with serial-numbered tamper-evident stickers. Trash bags have to be clear and screened for metal before leaving the security zone in a plant, all components must have unique and traceable security numbers, and inventory must be counted daily and scrapped parts reconciled weekly. It’s a level of accounting and security that rivals the U.S. Mint.
Similarly, Apple also mandates requirements for computer networks used by suppliers that compares to the kind of networks used to process classified Top Secret information by the government, demanding that manufacturing systems be physically separate from other networks, and that schematics and drawings of unreleased products be on another firewalled network inside the first network. Apple’s CAD files that contain drawings of components are also watermarked and include unique “colorbar” patterns that discourage screenshots. The use of third-party storage services and public e-mail services is also naturally prohibited.
Suppliers are also forbidden from referring to Apple by name — or even by project code — anywhere in their buildings, and under the terms of their agreements with Apple, they bear the cost for security investigations and pay penalties if any leaks are traced back to them. As a result, suppliers are well-motivated to increase their own site security, no matter how much it costs, routinely spending millions of dollars to implement systems such as facial recognition for secure areas, and employing hundreds of security guards.
Still, with so many competitors, accessory makers, black marketeers, and even simply Apple fans with an insatiable appetite for the latest news on Apple’s upcoming products, it’s fair to say that Apple is going to continue to face an uphill battle in completely stopping the tide of leaks.