Have Your iPhone 6 Repaired, Only To Get It Bricked By Apple (theguardian.com)
New submitter Nemosoft Unv. writes: In case you had a problem with the fingerprint sensor or some other small defect on your iPhone 6 and had it repaired by a non-official (read: cheaper) shop, you may be in for a nasty surprise: error 53. What happens is that during an OS update or re-install the software checks the internal hardware and if it detects a non-Apple component, it will display an error 53 and brick your phone. Any photos or other data held on the handset is lost – and irretrievable. Thousands of people have flocked to forums to express their dismay at this. What's more insidious is that the error may only appear weeks or months after the repair. Incredibly, Apple says this cannot be fixed by any hard- or software update, while it is clearly their software that causes the problem in the first place. And then you thought FTDI was being nasty ...
Solution! (Score:5, Insightful)
Sell your bricked piece of shit and buy an Android phone, which does not have this problem.
Solved.
Re:Solution! (Score:5, Insightful)
“I was in the Balkans covering the refugee crisis in September when I dropped my phone. Because I desperately needed it for work I got it fixed at a local shop, as there are no Apple stores in Macedonia. They repaired the screen and home button, and it worked perfectly.”
Re: (Score:2, Insightful)
Dude in the Balkans could have his phone repaired at an Apple shop when he got home, right?
Not trying to be a dick or anything, but honestly - using a gray-market security-related part *should* get that result. If my device is stolen, I'd want that to happen - if only to prevent some schmuck from plugging in something with hacked firmware to bypass the fingerprint sensor.
Re:Solution! (Score:5, Informative)
I had someone email me about this nine months ago, and I suggested he go to an Apple Authorized service facility.
He replied and said the nearest one is a six hour, $1200 flight away.
No home button for him I guess.
Re: (Score:3, Informative)
False analogy: Lotus didn't exploit security vulns to run. The dodgy fingerprint sensor did.
Re: (Score:3)
Even if it's a genuine Apple fingerprint sensor, the phone still bricks itself. The sensor has a code, and if it changes your phone becomes a paperweight unless Apple waves its magic wand over it.
In other words, fail to pay Apple for the repair and your expensive phone commits suicide.
Re: (Score:3)
Undoubtedly this was not done for security reasons, but to ensure their control over the phones and to make sure the "geniuses" keep their job.
Re: Solution! (Score:3, Insightful)
When I worked at Apple, I was astonished at what they charged for parts, a motherboard that I could have gotten an equivalent (but, not compatible) board brand new from ASUS for around $60-90 Apple was charging $695 for a refurbished board! Apple was charging a $600 premium for the part because they knew you couldn't get it anywhere else. Fuck you Steve Jobs!
Re: (Score:3, Insightful)
Have you ever worked outside the desktop computer industry? Like, at all? Computer parts tend to be incredibly cheap because the Chinese are competing with the Koreans to make an extremely standard part for as little money as physically possible.
Everywhere else this is not the case. Either you have to pay for your own manufacturing plant to get the correct part, or you have to cannibalize it from something that used that exact part. The manufacturer will always charge you the "I just spent $500 million sett
Re:Solution! (Score:5, Funny)
Go back and complain to the company that botched the repair and stop complaining about the company that made your OS more secure.
Yeah. A phone that won't boot is pretty fucking secure.
Re: (Score:3, Insightful)
A phone that won't boot when a different fingerprint device is installed is working properly.
Re: (Score:3)
Re:Solution! (Score:5, Insightful)
This should have failed gracefully. The phone should have de-functioned the fingerprint scanner to just a home button, and asked for a PIN/password, which all iPhones pre-5S have been able to do without issue. Forcing the device to an inoperative state because one component was replaced is not ethical, nor needed.
Re: (Score:2)
All Androids? Really? Care to cite evidence? Or are you just making shit up?
Re:Solution! (Score:4, Interesting)
Maybe a good thing (Score:3, Insightful)
Probably to prevent hardware attacks on phone encryption
Re:Maybe a good thing (Score:4, Insightful)
I did some reading, and it appears to be the fingerprint sensor. The sensor itself has an encrypted channel to the mainboard. If the cable is damaged or the sensor is replaced/not working, it doesn't sync up properly.
So it makes sense to refuse to work with a different sensor. Else, someone could unlock your phone by simply bypassing the sensor.
OTOH, this appears to still happen if the phone itself is reset to a factory image. It doesn't seem to be that much of a security risk if instead of refusing to work, the phone, after being reset, would renegotiate encryption with the sensor. There's no data to be stolen in that scenario. And there's other mechanisms to prevent a stolen phone from having resale value.
Re:Maybe a good thing (Score:5, Insightful)
So just disable the fingerprint part of the button, no need to brick a device.
Re:Maybe a good thing (Score:5, Insightful)
> OTOH, this appears to still happen if the phone itself is reset to a factory image. It doesn't seem to be that much of a security risk if instead of refusing to work, the phone, after being reset, would renegotiate encryption with the sensor. There's no data to be stolen in that scenario. And there's other mechanisms to prevent a stolen phone from having resale value.
It's still a security risk. You could imagine intercepting new iPhones, replacing the fingerprint sensor with a compromised one containing a backdoor, then reimaging the phones, putting them back in the box, and selling them to your target. After your target loads their sensitive data on to them, you could then retrieve it using the compromised sensor.
I agree this is somewhat contrived and Apple is likely just looking to block third party repairs, but it still is a valid security risk.
Re: (Score:3)
It's shitty that Apple hoards the parts and requires you to go through them for repairs, but even if they didn't, I can see why third part
Re:Maybe a good thing (Score:5, Insightful)
> I did some reading, and it appears to be the fingerprint sensor. The sensor itself has an encrypted channel to the mainboard. If the cable is damaged or the sensor is replaced/not working, it doesn't sync up properly.
> So it makes sense to refuse to work with a different sensor. Else, someone could unlock your phone by simply bypassing the sensor.
No. Refusing all access to your device because one small component is damaged does not make sense. Not using that component to do the unlock - and making you use the non-fingerprint method - is what would make sense.
Re: (Score:3, Insightful)
Good security sometimes makes no sense to the casual observer. Security is hard to do right and easy to screw up. I'd want to find out why the feature is there in detail and from a security person who knows what he or she is talking about before jumping to conclusions.
Re:Maybe a good thing (Score:4, Insightful)
Re: (Score:3, Interesting)
The sensor does not do the decryption or authentication. The attack vector would be a sensor that has been replaced with a mechanism that replays a snapshot of the phone owner's fingerprint and sends that down the wire to the mainboard. Apple is attempting to curtail that type of attack by authenticating the physical sensor to the mainboard.
So disable the sensor if it's found to be invalid. You don't destroy a $500 phone. What if the sensor goes bad? New phone? Seriously people.
Re:Maybe a good thing (Score:5, Insightful)
Makes no sense. The flash memory is encrypted and the key is stored in a secure area of the CPU. The CPU is hardened so that you can't extract the key with an electron microscope or by de-capping it. It might be possible to get that key, but only with specialist equipment and unpublished vulnerabilities.
Replacing the fingerprint sensor won't get you anywhere. To unlock the phone after boot you need the passcode. Okay, say you keep it powered up while replacing the sensor. So what, you still need to send the phone the fingerprint data that matches the owner's finger, so it got you nothing.
If I were being generous I'd suggest that Apple just screwed up and made the list of "panic, erase key!" events a bit too long. More likely they just want to discourage people from getting third party repairs, because they know you have money and they want it.
Re: (Score:3)
Making thousands of legitimate customers suffer because of the mere possibility of an attack that obscure isn't "security," or even "security theatre." It's just plain malice.
Re:Maybe a good thing (Score:4, Interesting)
1. Steal phone.
2. Lift owner's print from the phone.
3. Replace sensor with device that sends data of your choice.
4. Feed fingerprint image to unlock device.
The owner's fingerprints are generally all over a phone.
Getting away with it? (Score:5, Insightful)
If Apple gets away with this we may see more vendors doing the same thing to the stuff we own.
Re:Getting away with it? (Score:5, Insightful)
You don't own it, and you know you don't own it. You merely paid money for the right to use the hardware under the terms of their license.
Your ownership of these things ended some years ago as far as they're concerned.
This is no different from Microsoft deciding it's their computer, and they'll do whatever the fuck they want with it.
Consumers have more or less had the concept of ownership yanked out from underneath them, and had it replaced with a licensing agreement which the company can change at will.
Re: (Score:2)
Re: (Score:2)
Re:Getting away with it? (Score:5, Insightful)
Can't find the right moderation. Where's "+1 Shaking My Head Sadly At The State Of The Tech World"?
Re: (Score:2)
Does MS brick any products if you repair them?
I have never heard of this.
Re: (Score:2)
Not really, but change enough hardware in your PC and you'll end up with "Your license is not Genuine". A call to MS solved this issue in all cases where that happened to me, but still.
Re:Yes. Yes MS does brick hardware if you are not (Score:4, Informative)
That's not bricking. Bricking would be MS rendering components in the computer or the entire computer unusable.
Re: (Score:3)
I must disagree.
There are two distinct scenarios: upgrades and repairs.
If you end up replacing every component in your PC over time, it's legitimate to say that it's a new computer. In practice, it's tied to the motherboard.
On the other hand, if you just replace the motherboard with an identical model (or similar, they don't care about those details), you can speak to a support person and they'll activate the new board for you in a minute.
Re: (Score:3)
Re: (Score:3)
You're still free, however, to either put some of the old components back so that that's no longer the case, or boot Linux on the thing instead.
Or buy another Windows license, or call Microsoft and tell them what happened......
There are plenty of options in the Windows case that aren't available in the iOS case.
Re: (Score:3)
Re: (Score:2)
Re: (Score:3, Informative)
It's not a question of ownership. It's a question of warranty. He still owns his (now-bricked) phone.
In this case, the dude dropped his phone, gets it repaired at some no-name shop with dodgy parts, then complains when the security loophole the dodgy parts used got closed. If anything, the fault lies with the shop that did the repair.
Hell, Apple told him they'd do out-of-warranty replacement for it (not sure what that costs, but likely still less than full price), and that's because the problems began when
Re: (Score:3)
Sure, but bricking the phone instead of just disabling the sensor is quite evil.
Re: (Score:2)
If this ever becomes widespread, there would be a law introduced to curb it. We already got a law protecting aftermarket parts and non-vendor service station for cars: http://eur-lex.europa.eu/legal... [europa.eu]
Re:Getting away with it? (Score:4, Informative)
We have a law like that in the US too (and for all products -- which should include iPhones -- not just cars): the Magnuson-Moss Warranty Act [wikipedia.org].
Re:Getting away with it? (Score:5, Informative)
Warrantors cannot require that only branded parts be used with the product in order to retain the warranty.[7] This is commonly referred to as the "tie-in sales" provisions,[8] and is frequently mentioned in the context of third-party computer parts, such as memory and hard drives.
Re: (Score:2)
Yeah, well, you'll excuse me if I don't think in a few years they'll be able to use copyright law, the DMCA/TPP, and EULAs to close that loophole.
Just like how the printer companies want you locked in as a revenue stream, you can bet your ass lawyers are standing by trying to figure out how.
And you can also bet politicians who are bought and paid for will deliver it to them. Because all signs point towards idiot politicians signing over everything to corporate interests to line their own fucking pockets.
La
Re: (Score:2)
Laws to protect consumers? No fucking way.
We occasionally still get them in Europe. But I expect TTIP will put paid to that.
Apple always gets away with it. (Score:5, Interesting)
Apple always gets away with it and the other vendors don't follow, because they don't have customers who will eat up anything.
Let me give you an example just from my experience. My 3rd iPhone 4S in a row has failed in the same exact way: wifi/gps disabled. Just do a quick google about the "grayed out wifi" problem, you will find thousands of posts and also a lot of iPhone 4/4S phones on ebay with that fault. Only the first of the 3 failed within warranty in my case and all three were always in an office and used once a week for testing/debugging (that's why I kept replacing it, I test on various devices). People have actually pinpointed the problem: the overheat detection of the wifi/gps module fails and the software disables it. In fact, this disabling was a "feature" introduced with iOS 6 IIRC, so people who had stayed with iOS 5 did not get the issue. For any other company there would have been a recall, since it would have been an easy class action otherwise, and even a software patch would fix it. But Apple is happy with customers getting a new phone and their average customer doesn't mind much.
Ooh, another example, my boss, who you would call a dedicated Apple fan, had bought a mac mini 5-6 years ago. After 6 months it started killing his keyboards. He went through a few expensive/fancy keyboards before figuring out it was the mac mini and so he took it to the Apple store (Manhattan) where they diagnosed a faulty MB and told him it would take a week to have it replaced. He left it there, got a call about a delay and finally went to get it almost two weeks later. Instead of returning a fixed mac mini they told him they had voided the warranty because they found "dust" inside!!! And the only solution they offered was a 10%-off a new mac mini!!! And he took it!!! Bought the same thing, at a 10% discount!!! He didn't even flinch, I mean, I only found out because I asked, he did not find it interesting enough to mention. My jaw dropped when I heard it, I told him there is no such thing as warranty voided because of "dust", that if the device maker thinks they should not have dust they put a little filter in the computer intake (I do that in my custom builds), that a 6-month old mac mini in a no-pet no-smoke office would not have any dust anyway (and even if it did, why would it fail when decade old dusty components work fine). For all my arguments his response was "the apple genius told me my warranty is voided there is nothing I can do". He actually believed they were right. Even after I showed him the warranty which of course does not mention dust he thought they were right somehow...
Re: (Score:3)
Just look at the number of people defending Apple here, inventing fanciful excuses for them. Apple loves bricking third party hardware, I mean just look at the decade long war on cheaper cables. Every OS update bricks a few more, forcing you to buy the really expensive Apple ones. Apple laptops like to reject third party chargers...
The message is clear. Buy our really expensive accessories and servicing, or expect your hardware to be bricked.
Re:This is what real choice looks like (Score:4, Interesting)
At present, the OS will disable apple pay when it finds that the finger print scanner fails to negotiate key exchange correctly; this potentially ends up with a tech support call to apple, or a social media posting saying, "why does my apple pay keep screwing up?".
Now consider what happens when there are a large number of field-repaired phones with knock-off fingerprint scanners. They appear to work fine, but some features are broken in subtle ways. The customer is confused; they may not relate it to the repair they had done; it creates an impression of an unreliable product and an expensive customer support nightmare. Clearly, apple want to stop this before it becomes endemic.
With the OS doing a full power-on self test on the security infrastructure, such a fault would be detected at the first reboot after the damage occurred, or after a repair using an incorrect part was performed. The security failure can now be easily attributed to the damage/repair, even by users of social media and journalists. This ensures that repairers don't perform half-assed repair jobs which can lead to incomplete or faulty operation (on what is marketed as a premium product).
Damned if you do, damned if you don't (Score:4, Insightful)
It sounds like Apple fixed a security bug in an SU, closing a hole which allowed attackers to replace the touch ID sensor to gain access to user data. Had Apple not made this move, we'd instead be seeing an article about how Apple products are insecure and the NSA could get access to your secure data just by replacing some hardware components. Then everyone would be up in arms, demanding this exact software change, and complaining about how Apple is reactionary and not proactive in fixing security issues.
Of course, "Apple fixes vulnerabilities in iOS 9" is not really a catchy flamebait title for an article.
Re: (Score:3)
Why should the touch ID sensor need to, or be actually doing, store any data or provide authentication?
What you're saying is that you can replace the fingerprint sensor and thus fool the device into thinking you provided ANY fingerprint, without any knowledge of that fingerprint? Sounds inherently INSECURE to me. I could steal Barack Obama's iPad, change the sensor, and order a coffee on his credit card without having to enter a single credential or knowing what his fingerprint looks like.
Compare and contr
Re:Damned if you do, damned if you don't (Score:5, Insightful)
You could replace the fingerprint sensor with something that could provide arbitrary fingerprints, possibly based on a collection you have made of them. Then use your collection to buy stuff. Requires no memory in the sensor at all. This is much faster than creating molds of fingerprints and applying them to the sensor. I can see Apple not wanting to tolerate replacing things tied in to your CC #.
Replacing a battery seems less defensible to me, if that aspect is true. It's hard to argue this is tied in to any trust chain.
Re: (Score:2)
With a finger print scan you could limit the number of scans before you lock out that mode of authentication. You then have to verify with an actual password. There should be no way to brute force the fingerprint scanner. You can maybe get 6-10 through before it should lock out, that's all assuming your database even has something close to what's stored in the phone.
Re: (Score:3)
Or just do whatever they are doing now, but don't accept fingerprint input from compromised readers - instead of bricking the whole phone.
Re:Damned if you do, damned if you don't (Score:5, Informative)
It's not the fingerprint sensor itself that decides. The fingerprint sensor sends an image of the fingerprint to the Secure Enclave, which is a chip on the device that handles all of the encryption. The secure enclave itself does the analysis and makes the decision. This line of communication between the fingerprint sensor and the secure enclave is encrypted with a key exchange between the sensor and the secure enclave. This pairs your specific secure enclave with the Touch ID sensor. There are anti-replay techniques involved here as well.
The point of pairing the sensor to the secure enclave is so that someone can't open up the phone, install a sniffer on the bus between the secure enclave and the sensor to then collect the fingerprint data for later collection and replay it to the secure enclave to get it to unlock. It also prevents someone from just replacing the touch ID sensor to provide a known good fingerprint to the secure enclave via a hardware hack. You have to, in theory, have an authorized finger pressed up against a trusted sensor.
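The pairing and anti-replay idea from the comment above, combined with the "disable Touch ID, fall back to the passcode" behaviour argued for elsewhere in the thread, as an added sketch that is not part of the original thread and is not Apple's actual protocol. It assumes a pre-shared pairing key and models only authentication and freshness with an HMAC (no channel encryption); the class names, sample prints and passcode are constructed.

```python
import hashlib
import hmac
import os


def _tag(key, nonce, image):
    # MAC over the enclave's nonce plus the image binds a frame to one challenge.
    return hmac.new(key, nonce + image, hashlib.sha256).digest()


class Sensor:
    """Toy sensor holding the key provisioned when it was paired (assumption)."""

    def __init__(self, pairing_key):
        self._key = pairing_key

    def capture(self, nonce, image):
        return image, _tag(self._key, nonce, image)


class Enclave:
    """Toy enclave: checks the pairing first, then matches; passcode is the fallback."""

    def __init__(self, pairing_key, enrolled_image, passcode):
        self._key = pairing_key
        self._enrolled = enrolled_image
        self._passcode_hash = hashlib.sha256(passcode.encode()).digest()
        self._nonce = None
        self.biometric_enabled = True

    def challenge(self):
        self._nonce = os.urandom(16)  # fresh for every unlock attempt
        return self._nonce

    def unlock_with_finger(self, image, tag):
        nonce, self._nonce = self._nonce, None  # each nonce is valid once
        if not self.biometric_enabled or nonce is None:
            return False
        if not hmac.compare_digest(_tag(self._key, nonce, image), tag):
            # Unpaired sensor or replayed frame: stop trusting the sensor,
            # but keep the device usable through the passcode.
            self.biometric_enabled = False
            return False
        return hmac.compare_digest(image, self._enrolled)  # stand-in matcher

    def unlock_with_passcode(self, passcode):
        candidate = hashlib.sha256(passcode.encode()).digest()
        return hmac.compare_digest(candidate, self._passcode_hash)


def run_scenarios():
    key = os.urandom(32)
    owner = b"constructed-owner-print"  # constructed sample data
    other = b"constructed-other-print"
    paired = Sensor(key)
    out = {}

    # Paired sensor: owner unlocks, a stranger does not, sensor stays trusted.
    e = Enclave(key, owner, "493817")
    out["paired_owner"] = e.unlock_with_finger(*paired.capture(e.challenge(), owner))
    out["paired_stranger"] = e.unlock_with_finger(*paired.capture(e.challenge(), other))
    out["enabled_after_mismatch"] = e.biometric_enabled

    # Frame recorded on the bus and replayed against a later challenge.
    e = Enclave(key, owner, "493817")
    recorded = paired.capture(e.challenge(), owner)
    e.unlock_with_finger(*recorded)
    e.challenge()
    out["replay"] = e.unlock_with_finger(*recorded)
    out["enabled_after_replay"] = e.biometric_enabled

    # Replacement sensor that was never paired, sending the owner's print.
    e = Enclave(key, owner, "493817")
    swapped = Sensor(os.urandom(32))
    out["swapped"] = e.unlock_with_finger(*swapped.capture(e.challenge(), owner))
    out["enabled_after_swap"] = e.biometric_enabled
    out["paired_after_swap"] = e.unlock_with_finger(*paired.capture(e.challenge(), owner))
    out["passcode_after_swap"] = e.unlock_with_passcode("493817")
    out["wrong_passcode"] = e.unlock_with_passcode("000000")
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

In this model a failed pairing check costs the user the fingerprint path only; restoring it would need a re-pairing step, which is out of scope here.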
Re:Damned if you do, damned if you don't (Score:5, Informative)
> Why should the touch ID sensor need to, or be actually doing, store any data or provide authentication?
Because the encryption key for the device is stored in an NVRAM knapsack in the touch sensor. The CPU uses a public key to establish an encrypted connection via the bus which connects it to the touch sensor, and then sends a block down to decrypt the contents of the knapsack, and then uses that to decrypt the user data key that's stored in the NVRAM attached to the CPU, and then uses that to decrypt the user data.
By forcing a pairing of the touch sensor with the CPU, it means you can not do a two stage attack by topping just one chip, you'd have to top both chips, and if you did that, your half-of-a-key-pair that you obtained wouldn't work with another device.
The way Apple handles this in the repair cases is it just replaces your device guts with completely new device guts (so that your cheesy engraving is not taken away -- and neither are your scratches in non-critical areas), and pops a new sensor chip (with an uninitialized PROM) into the device, and sends those guts to someone else as a refurbish.
But that does mean that third party repair for either of the two components is theoretically possible, but practically speaking, Apple will not sell you the chip you need to replace to do the same repair that an authorized service center would do. On the other hand... it means that Apple won't get the blame if you put in some third party battery or charging circuitry, and burn down your damn house because you wanted to save $5 or whatever.
Re:Damned if you do, damned if you don't (Score:5, Insightful)
Or instead of Error 53 they could just disable Touch ID and require you to enter your PIN code.
Which would make sense since you need the PIN to enable Touch ID in the first place, as it's automatically turned off when the phone first starts and if the phone isn't unlocked for over 48 hours.
No, this is solely to brick the phone if you dare not pay for overpriced Apple repairs.
Re: (Score:2, Interesting)
So, to avoid a hardware attack on the TouchID system, Apple should require using the passcode system that is vulnerable to shoulder-surfing attacks.
Excellent plan, AC!
Re:Damned if you do, damned if you don't (Score:4, Informative)
Apple already treats the PIN as more secure than Touch ID. If you find an iPhone with the fingerprint reader, try opening it with your finger. After a while the phone will lock into "Touch ID disabled" state and require the PIN. At this point the only way to reenable Touch ID is with the PIN.
Re: (Score:2, Insightful)
The idea that an attacker would somehow get hold of your phone, take it to pieces, change the sensor and replace it where you left it without you noticing is fanciful to say the least. It would be much easier to get hold of your real fingerprint, of which you leave a copy in thousands of different places every day, and use that to access your device.
Re: (Score:2)
Re: (Score:3)
Well, if I broke my keyboard I wouldn't be able to login to my computer either... But I've got more than a half dozen spare keyboards on hand so that's not an issue. Not being able to use another keyboard because the original had a security key set by MomCorp would be awful.
Someone could place a sniffer in the device. Seriously? Now tell me if it's so secure why is it that Apple itself can replace the part when no one else can?
Context On the Issue (Score:5, Informative)
This error occurs if the repair involves the TouchID sensor. Since this stores data required for the fingerprint authentication, the device will refuse to function for security reasons if it thinks it's been tampered with, which seems to be a reasonable precaution for a device component that can authenticate you across the device and also external services including financial transactions.
A better option would be to instead disable TouchID if tampering is suspected, but this isn't a case of Apple just arbitrarily making iPhones not work if you get a third-party repair like the story suggests.
Re:Context On the Issue (Score:5, Informative)
Apple's response, by way of MacRumors: [macrumors.com]
An Apple spokeswoman commented on the issue, referring to protective security features intended to prevent "malicious" third-party components from potentially compromising a user's iPhone as the main reason for the "error 53" message.
“We protect fingerprint data using a secure enclave, which is uniquely paired to the touch ID sensor. When iPhone is serviced by an authorised Apple service provider or Apple retail store for changes that affect the touch ID sensor, the pairing is re-validated. This check ensures the device and the iOS features related to touch ID remain secure. Without this unique pairing, a malicious touch ID sensor could be substituted, thereby gaining access to the secure enclave. When iOS detects that the pairing fails, touch ID, including Apple Pay, is disabled so the device remains secure.”
She adds: “When an iPhone is serviced by an unauthorized repair provider, faulty screens or other invalid components that affect the touch ID sensor could cause the check to fail if the pairing cannot be validated. With a subsequent update or restore, additional security checks result in an ‘error 53’ being displayed. If a customer encounters an unrecoverable error 53, we recommend contacting Apple support.”
Re: (Score:2, Insightful)
Fiendish villainy! How should we punish these monsters!!!? Won't someone think of the children!!!??
Also, I have this 14-step procedure that they should have thought of in advance to avoid this problem....of enabling 3rd party "repairs". Because why wouldn't a company want to spend a huge amount of time to enable their competitors? Because they're monsters. That's the only explanation.
And they're even more villainous for "lying" to everyone. They said only good things about their products. Why didn't
Re:Context On the Issue (Score:4, Insightful)
> When iOS detects that the pairing fails, touch ID, including Apple Pay, is disabled so the device remains secure.
Which is achieved by making the phone completely inoperable? Sounds like overkill, especially if the touch ID itself is configured by first entering the PIN. Sounds like it would be perfectly reasonable for it to fall back to PIN, unless of course the goal is to generate a new sale by bricking the phone.
Re: (Score:2)
If there is a way for Apple to re-validate it, you can be sure that the NSA/GCHQ knows about it, so it's not really a security feature.
Just look at this bullshit:
> When iOS detects that the pairing fails, touch ID, including Apple Pay, is disabled so the device remains secure.
What they meant to say was "When iOS detects that the pairing fails, it bricks your phone and destroys all your data." If it really just disabled a few features until you took it to the Apple shop and had them re-validate it, it wouldn't be so bad.
Re: (Score:2)
Replying to undo accidental downmod
Re: (Score:3)
> Since this stores data required for the fingerprint authentication, the device will refuse to function for security reasons if it thinks it's been tampered with
Bullshit. Why would it only 'break' after an iOS update instead of the next time you used it?
Re:Context On the Issue (Score:5, Interesting)
Because there was a flaw in the security before the update that allowed you to swap out the Touch ID sensor. The update patched a flaw and then the phone noticed a problem with the trust of the hardware.
Re: (Score:2)
Re: (Score:2)
OS processes the information but if you're spoofing the sensor, you can make it see whatever you want it to see and thus come to the desired conclusion.
Still doesn't explain why they didn't just deactivate the device instead of bricking the phone, or why they wait until an iOS upgrade to do it.
Re: (Score:2)
The sensor doesn't process the fingerprint information, but when the encryption of the underlying filesystem is set up, it creates a trust relationship between the secure enclave (dedicated crypto chip) and the Touch ID sensor. This is a security measure to make sure that you are accessing your data on trusted hardware. The whole thing is actually done entirely in hardware in the dedicated crypto chip.
Re: (Score:3)
Re: (Score:3)
The detection is part of iOS 9. It detects the change once you install iOS 9. This could happen days or "weeks or months" or years after the repair, but that's a kind of silly and misleading way to describe it.
You think it's YOUR phone? (Score:3, Interesting)
Prevents MTM hardware attacks (Score:2)
This prevents MTM hardware attacks on your phone. The interesting question is "how is apple authenticating its hardware?" I mean, it's just a screen and a button with a cable, right?
Re: (Score:2)
Re: (Score:2)
There's actually a chip on the home button to go along with the finger print sensor. That chip has an ID number and it is what is "paired" with the ID on the mainboard.
I have a 5s with a battery that was failing so I was looking into replacing it. Looked a little too complicated to do myself, but saw a whole bunch of articles about the home button from people who had problems with it when they accidentally ripped the cable.
Re: (Score:2)
The fingerprint sensor has a dedicated encrypted bus with the secure enclave (dedicated crypto chip). The secure enclave then pairs itself with the fingerprint sensor (key exchange).
A few considerations: (Score:2)
Obvious solution is obvious. (Score:3, Interesting)
Re: (Score:2)
If you've been doing automatic backups, you don't lose any more than a day's worth of data. No different than losing your phone, or having it get destroyed somehow.
Magnuson Moss Warranty Act? (Score:5, Insightful)
The provisions for the FTC and the resultant class action provisions could get expensive.
Laugh (Score:2)
Never fails to amuse when people "lose all their photos".
Simple Solution - Stop Trusting Them (Score:3)
Personally, I don't trust the updates that come out for my Samsung phone. My last phone had the GPS functionality reduced by an official upgrade. There were other things after that upgrade that were removed causing me to lose some data. I now will not install the upgrade that has been in the notification bar for the last year. I am planning on putting Cyanogenmod on there because I do trust them to do upgrades that are good for the customer. But the official ones from Sprint and Samsung, no-way. If the Apple fans stopped trusting their beloved company perhaps they would be in a better position. Of course it isn't as easy to mod the Apple and still have access to the apps, so they are more stuck because of their initial decision.
On a side note, I trust Microsoft even less and never install their updates on my system. I have less fear from viruses and malware than I do from the update coming from Redmond. And with the amount of spying being built into their recent versions of their OS they have become a gaming system only for me. If I want to have a work computer to do things on, it will be Linux. If I want to play games on my big screen tv, I can use Windows. I guess I'm not too worried about them spying on which game I am playing. As the linux gaming environment improves perhaps that will change, but it still seems that the video cards work better on Windows.
Apple used a TPM chip to protect their product (Score:2)
Many years ago, Apple used the TPM (Trusted Platform Module) chip to protect their product from the consumer. Microsoft uses it only now to protect their UEFI chips. My PC motherboard still doesn't require one, and that is a selling point for me.
And no, you don't fix a product whose TPM chip turned against them.
Um.... duh? (Score:5, Insightful)
Apple has made it abundantly clear that they are selling a *secure* device. Always on encryption, etc etc.
How would you expect such a device to behave when it is compromised with unauthorized components? A phone with 3rd party components could do pretty much *anything*, including sending everything on the device to an unknown third party, without your knowledge or consent.
Heck, this sort of "problem" just makes me appreciate Apple's commitment to security even more.
My only complaint is that the phone doesn't brick soon enough. It should brick itself immediately upon the next boot up.
Violation of the Magnuson-Moss Warranty Act (Score:5, Informative)
The federal minimum standards for full warranties are waived if the warrantor can show that the problem associated with a warranted consumer product was caused by damage while in the possession of the consumer, or by unreasonable use, including a failure to provide reasonable and necessary maintenance.
There is clearly an implied warranty that updates won't be malicious, even after the warranty period. The phone wasn't damaged by the consumer - Apple chose to brick it willingly. Even if the phone was out of warranty, they don't have the right to purposefully damage it, any more than a car company can claim lack of responsibility because an oil change was done at a competitor, unless they can show that the product's failure was because of the competitor's actions.
Definitely not a violation. (Score:3)
This was a case of an unauthorized service which creates a security hole.
well, screw that (Score:3)
First I've heard of this. I have a very small side business replacing batteries, headphone jacks, buttons, screens in mobile devices -- I have the factory tools and know where to get the parts. I don't really make any money off it. I got into it mostly from being offended by the electronic waste these devices represent. A handheld shouldn't become useless just because a $3 part has failed, and the cost to fix through regular channels should not approach 50 - 100% of the replacement cost.
But if Apple is going to brick the device after I've fixed it, I can't in good faith make the attempt. Instead, I'll have to recommend that the customer buy something else -- something actually repairable.
Not defending Apple, but... (Score:3)
There is the possibility that Apple discovered some TLAs have been fucking with their TouchID and using it to steal fingerprints/bypass TouchID.
Otherwise, Apple typically prefers to have good user interaction rather than bad interaction, and they have to know that if they brick enough people's devices, it's going to be extremely bad press, and reduce the chances of people immediately upgrading when new versions come out - which is a number they really like to keep as high as possible!
To balance that bad press, against people hacking TouchIDs, and them falling on the "let's keep it secure" side, I can see that happening.
Re: (Score:3)
It doesn't matter.
Consumer law trumps any EULA, signed consensually or not.
Apple tried to only give you one year's warranty in the EU, the EU told them that's not how it works. Now everybody gets a "free" 2-year warranty. Amazing, that, given that it's compulsory under EU law on such goods.
Just because you signed something, just because Apple says something, just because they can point at a line on a piece of paper, does NOT mean that's the end of the matter. By far.
Re: (Score:2)
Read the EULA. Read the instructions. Apple will replace your phone if under warranty. It is stated very clearly that your iPhone IS NOT SERVICEABLE, either by you or by anyone who is not Apple. Don't like it? Buy something else.
Buy something else is the right choice, but there is a difference between voiding a warranty and bricking a device. If the EULA says the device will be bricked if you repair it yourself, then you have a point.
Re: (Score:3)
RTFA ass-hole. No one serviced the fucking iPhone, it stopped working after the update. Person dropped phone, screen had hairline crack but phone still worked, phone got update, error 53. Phone still under warranty, no one touched it, but Apple will not repair or replace. Some customer service there.
“I was in the Balkans covering the refugee crisis in September when I dropped my phone. Because I desperately needed it for work I got it fixed at a local shop, as there are no Apple stores in Macedonia. They repaired the screen and home button, and it worked perfectly.”
Zoom in.
RTFA ass-hole. No one serviced the fucking iPhone
I got it fixed at a local shop
Closer.
No one serviced the fucking iPhone
fixed at a local shop
Pan left on the suspect and zoom again.
ass-hole
There we go!
Re: (Score:2)
Oh, get off your high horse ... every damned bit of consumer electronics is moving in this same damned direction.
Microsoft is trying desperately to replicate the same thing, likely so is Samsung, and in some ways Google is too, and probably everybody else is too.
Here's a simple decision tree: if it's sold by a corporation, nobody gives a fuck about your rights, they care about their revenue stream.
And if Apple didn't implement some form of tamper protection for their devices people would freak over that ..
Re: (Score:2)
Yes, and that's a reason to fight against it even harder!
Re: (Score:2)
Re: (Score:2)
If they can't do a proper repair such that it doesn't brick your phone, then they are at fault, no?
Should one be able to break through the trust hardware and cause a security vulnerability instead?
The only functional difference between a 'proper repair' and a 'third party repair' is typically just $$$$$$$.