How sloppy security exposed Apple’s super-secret product plans

This login screen for a Quanta Computer database led to sensitive documents containing details on upcoming Apple products. Photo: Jim Merithew/Cult of Mac

Incredibly sloppy security at one of Apple’s key suppliers exposed some of Cupertino’s most closely guarded secrets to anybody who could conduct a simple Google search.

For months, one of Quanta Computer's internal databases could be accessed using usernames and a default password published in a PowerPoint presentation easily found on the Web.

Quanta, based in Taiwan, is the world’s largest notebook manufacturer. In addition to Apple, Quanta assembles laptops and ultrabooks for dozens of companies, including Dell, Hewlett-Packard, Sharp and Sony. The company is also supposedly assembling the upcoming Apple Watch and the long-rumored iPad Pro, though no official announcements have been made.

The security lapse comes at a time of rapidly accelerating hacking incidents and cyberattacks, from credit card breaches and celebrity nude selfie leaks to the damaging theft of Sony’s most sensitive corporate data. The fact that the confidential plans of a company as secretive as Apple can be laid bare through a series of security missteps illustrates just how difficult it is to safeguard information in the digital era.

The path to Quanta’s database started last September when, on the eve of the big Apple Watch launch event, an anonymous Reddit user posted drawings and details of the super-secret device.

The images showed a chunky square housing in two different sizes. Up to this point, no definitive leaks had occurred, and the Apple community was skeptical. It didn’t look like an Apple device. But the leak turned out to be true, and predicted many details revealed by Apple the following day.

One of Quanta Computer’s internal databases, which holds detailed information about Apple’s product pipeline, could be accessed with some savvy Google searching. Screenshot: Cult of Mac

The information was gleaned from photographs of one of Quanta’s internal PowerPoint presentations. The document is not the only one floating around online, either: Several other confidential Quanta documents have been published online, and at least one gives details and login information for an internal Quanta database containing detailed schematics that appear to show other upcoming Apple products. The details can be found with a simple Google search.

A quick search for the phrase “Quanta confidential” and “.ppt” — the PowerPoint file extension — pulls up a presentation entitled “Quanta PDM system for Restricted Substances Investigation,” among several others Cult of Mac hasn’t yet dug through. The document is mirrored in several places, or was.

The document dates from January 15, 2013. It describes a Quanta database for managing the environmental aspects of products and components. The PowerPoint presentation appears to have been made to show Quanta’s customers how to log in and use the system.

Incredibly, it includes a link to the database and details of the usernames and default password for at least two customers, including Foxconn, Apple’s main manufacturing partner in China:

please input your account number default in username:Supplier Code+ three digital numbers
web page default password for ‘agile’ ,please change it after log in
Supplier Code+ three digital code
(for example) FOX111

A source, who Cult of Mac promised not to identify, demonstrated to us how anyone could log into the system using one of the usernames and the default password named in the document.

It appears that Quanta set up the same simple default password for all of its customers, and that some customers never changed it after logging in for the first time. Nothing in the document suggests the system forced a change at first login; it merely asks the user to "please change it." Combined with the predictable username format the same slide spells out (a supplier code followed by three digits), that meant anyone who had read the presentation could guess valid accounts and walk straight in.
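The failure described above, as an added example that is not Quanta's code and is not taken from the leaked deck: a small Python model of an account store with the weak provisioning the article describes (one shared default for every customer, nothing forcing a change) beside a hardened version (a random per-account initial secret and a forced change at first login), plus the offline audit a supplier could run against its own password hashes to find accounts still accepting the documented default. The store layout, the PBKDF2 parameters, the 12-character minimum for a new password and the sample account names are assumptions for illustration; only the default value "agile" and the supplier-code-plus-three-digits username convention come from the deck as quoted above.

```python
"""Model of a shared-default-password provisioning flaw and its fix.

Added example; not Quanta's code. The store layout, PBKDF2 parameters,
length policy and sample usernames are assumptions for illustration.
"""
import hashlib
import hmac
import os
import re
import secrets
from typing import Dict, List, Optional, Tuple

# The leaked deck named a single default password for every customer account.
SHARED_DEFAULT = "agile"
# Username convention from the deck: supplier code plus three digits, e.g. FOX111.
USERNAME_RE = re.compile(r"^[A-Z]{3}\d{3}$")
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to your hardware
MIN_NEW_PASSWORD_LEN = 12  # assumed policy


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def provision_weak(store: Dict[str, dict], username: str) -> None:
    """What the deck describes: every new account starts on the same default,
    and the login path never forces a change."""
    salt, digest = hash_password(SHARED_DEFAULT)
    store[username] = {"salt": salt, "hash": digest, "must_change": False}


def provision_hardened(store: Dict[str, dict], username: str) -> str:
    """Random per-account initial secret (to be delivered out of band) plus a
    must_change flag that login() enforces. Returns the initial secret."""
    if not USERNAME_RE.match(username):
        raise ValueError("username must be supplier code + three digits")
    initial = secrets.token_urlsafe(12)
    salt, digest = hash_password(initial)
    store[username] = {"salt": salt, "hash": digest, "must_change": True}
    return initial


def login(store: Dict[str, dict], username: str, password: str,
          new_password: Optional[str] = None) -> str:
    """Returns 'denied', 'must_change' or 'ok'."""
    rec = store.get(username)
    if rec is None or not check_password(password, rec["salt"], rec["hash"]):
        return "denied"
    if rec["must_change"]:
        # First login: refuse to proceed until the initial secret is replaced by
        # something that is neither the initial secret nor the old shared default.
        if (not new_password or new_password in (password, SHARED_DEFAULT)
                or len(new_password) < MIN_NEW_PASSWORD_LEN):
            return "must_change"
        rec["salt"], rec["hash"] = hash_password(new_password)
        rec["must_change"] = False
    return "ok"


def audit_shared_default(store: Dict[str, dict]) -> List[str]:
    """The check the supplier could have run: which accounts still accept the
    documented default? Works offline against stored hashes, no live logins."""
    return sorted(u for u, r in store.items()
                  if check_password(SHARED_DEFAULT, r["salt"], r["hash"]))


def guessable_usernames(supplier_code: str) -> List[str]:
    """Why the naming convention matters: one known supplier code yields the
    entire candidate space (1,000 names) to try against the shared default."""
    return [f"{supplier_code}{n:03d}" for n in range(1000)]


if __name__ == "__main__":
    users: Dict[str, dict] = {}
    for u in ("FOX111", "FOX112", "DEL101"):  # constructed sample accounts
        provision_weak(users, u)
    print("still on default:", audit_shared_default(users))
    secret = provision_hardened(users, "SON201")
    print(login(users, "SON201", secret))                         # must_change
    print(login(users, "SON201", secret, "correct-horse-battery"))  # ok
    print("still on default:", audit_shared_default(users))
    print(len(guessable_usernames("FOX")), "candidate usernames for FOX")
```

The audit runs against stored hashes rather than attempting logins, so it can be scheduled without touching the production login path; any account it lists is one the leaked presentation alone is enough to open. The hardened path makes the shared default useless even to a customer who ignores the "please change it" advice, because the initial secret is unique per account and the first session cannot proceed until it is replaced.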

Cult of Mac informed Apple and Quanta of the security problem. Apple declined to comment, and Quanta has not responded to our queries, but the accounts named in the PowerPoint document no longer accept the default password, which suggests Quanta has disabled them, changed the default, or both.

Paul Ferguson, vice president of Threat Intelligence at IID, an internet security firm, said in general the use of the same default password is “a very stupid thing to do.”

“All organizations — large and small — should brush up on good security practices, and start using them actively,” he said.