Slashdot Mirror


The iPhone 7 Has Arbitrary Software Locks That Prevent Repair (vice.com)

Jason Koebler, reporting for Motherboard: Apple has taken new and extreme measures to make the iPhone unrepairable. The company is now using software locks to prevent independent repair of specific parts of the phone. Specifically, the home buttons of the iPhone 7 and iPhone 7 Plus are not user replaceable, raising questions about both the future repairability of Apple products and the future of the thriving independent repair industry. The iPhone 7 home button will only work with the original home button that it was shipped with; if it breaks and needs to be replaced, a new one will only work if it is "recalibrated" in an Apple Store.

13 of 199 comments

  1. But people will keep buying them... by Anonymous Coward · · Score: 4, Insightful

    ...so this'll continue unabated. Just like how gamers bitch and moan about unfinished games being released, and then still go out and buy the latest Call of Duty on release day.

    1. Re:But people will keep buying them... by Tharkkun · · Score: 1, Insightful

      Did it occur to you that maybe if a repair shop can intercede with the authentication mechanism, so can govt. spooks (think Chinese Govt vs. Political Activists) as well as hackers after your Apple Pay info, or other sensitive data stored in your keychain? The independent repair industry for a $1000 product that has a practical life beyond the warranty period of just a year or two, for just a few specific parts is far, far, FAR less important than data security and protection from absolutely everyone. So while most people will not think twice about it and say "Fuck Apple.". No. Fuck you. Go buy an Android any ass-hat can repair then. I prefer my iPhone to be as secure as they can practically make it, while keeping it relatively functional.

      It's not secure from the Feds. They broke into that iPhone in Texas by compromising it and bypassing the encryption altogether. They also haven't released the details of how they did it. So you're using security by obscurity instead of Android where everything is transparent. Might as well install Windows on your phone instead.

  2. All the more reason by Anonymous Coward · · Score: 2, Insightful

    to never buy Apple products.

    Nuff said.

  3. Not a terrible thing by mrbluejello · · Score: 5, Insightful

    This does not seem unreasonable. I say this because the home button is also a fingerprint reader, which is a security device. If a shop installs some kind of 3rd party button there, the security of the device could be compromised.

    Apple's garden is walled. It keeps the users in, but also keeps the bad things out.

    1. Re:Not a terrible thing by EndlessNameless · · Score: 5, Insightful

      The issue is that the fingerprint sensor is trusted to neither store fingerprint data nor replay finger presses.

      If you accept data from untrusted sensors, an attacker could replace the sensor with a device that will store valid finger scans and retransmit them when triggered by the attacker.

      So you need both trusted firmware and a secure pairing process to ensure the device is not compromised in this manner.

      While I suspect this move is mostly motivated by a desire to obstruct third-party repairs, there is also a legitimate security concern with this particular component.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
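
The pairing-plus-anti-replay idea raised in this thread, as an added Python sketch (not from any poster, and not Apple's actual protocol): it assumes a secret shared between sensor and verifier at pairing time, a fresh nonce per scan, and a passcode-only fallback when the part cannot prove it is paired. The `Sensor`, `Host` and `demo` names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _tag(key, nonce, image):
    # The nonce is fixed-length (16 bytes), so nonce + image is unambiguous.
    return hmac.new(key, nonce + image, hashlib.sha256).digest()

class Sensor:
    """Sensor side; `key` stands for a secret provisioned at pairing time."""
    def __init__(self, key):
        self._key = key

    def scan(self, nonce, image):
        return image, _tag(self._key, nonce, image)

class Host:
    """Verifier side: trusts scans only from the paired sensor, once per nonce."""
    def __init__(self, paired_key):
        self._key = paired_key
        self._nonce = None
        self.biometric_enabled = True

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def accept(self, image, tag):
        nonce, self._nonce = self._nonce, None  # each challenge is single-use
        if nonce is None:
            return False
        return hmac.compare_digest(_tag(self._key, nonce, image), tag)

    def check_sensor(self, sensor):
        # Unpaired part: stop trusting it and leave passcode as the only unlock.
        ok = self.accept(*sensor.scan(self.challenge(), b"pairing-check"))
        self.biometric_enabled = ok
        return ok

def demo():
    key = secrets.token_bytes(32)
    host, sensor = Host(key), Sensor(key)
    image = b"constructed-scan-bytes"  # constructed sample, not real sensor data
    recorded = sensor.scan(host.challenge(), image)
    out = {"live": host.accept(*recorded)}
    host.challenge()
    out["replay"] = host.accept(*recorded)  # old response against a new nonce
    swapped = Sensor(secrets.token_bytes(32))  # replacement part, different key
    out["swapped_ok"] = host.check_sensor(swapped)
    out["biometric_enabled"] = host.biometric_enabled
    return out
```

The recorded response fails on the second attempt because its tag is bound to a nonce the verifier has already consumed, and the replacement part fails because it never held the pairing secret.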
    2. Re:Not a terrible thing by msauve · · Score: 3, Insightful

      Then the proper behavior is to simply ignore the new fingerprint reader, and force the user to always use a passcode.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  4. Secure by design by krisbrowne42 · · Score: 5, Insightful

    You mean the fingerprint scanner that interacts directly with the secure enclave chip outside the OS? The one that could be misused by various actors if replaced with act-alike hardware? I'm not sensing the problem here - Feature not a Bug.

    1. Re:Secure by design by nbvb · · Score: 4, Insightful

      You are 100% correct. Don't feed the trolls - this is clickbait headlines and a BS story. If you believe in security, this is a good thing.

  5. Need federal right-to-repair laws... by TWX · · Score: 3, Insightful

    ...and laws that establish fair-use guidelines for software that's required for hardware to function. Unfortunately this is something that would have to be grassroots and widespread, no one party would ever make any headway on this unless there were an outcry from constituents, and even then it would be hard to overcome corporate counter-push.

    We've seen this kind of problem with conventional cars and light trucks, with heavy trucks, with farm implements, with major consumer appliances, and the proliferation of this mindset is only getting worse as more and more functions can be software-tied.

    The laws need to say that software bundled into the device is considered part of the device, and may not be used to encumber the right to service or repair the device, and that for such software that is also intended to communicate with other software, the vendor must continue to support and maintain that code for bugfixes and security vulnerabilities for the realistic lifespan of the device and must provide a reasonable means for the owner to install such an update.

    Yes, this would increase the cost of the device originally, as the concepts for update must be turned into an actual process, but on the other hand if that means that the device can function for longer then its net effect on the consumer should be small as they can continue to service and repair devices for longer than if vendor-created blocks stop them from doing so.

    --
    Do not look into laser with remaining eye.
  6. Re: It's for your own safety, trust us you dumb fu by tepples · · Score: 3, Insightful

    The button itself doesn't need to "do[] the pass/fail decoding on the fingerprint" for a successful attack. It need only replay the signals sent by a previous pass.

  7. Not an ARBITRARY lock at all by jarrowwx · · Score: 5, Insightful

    Imagine a world where in order to unlock your phone all I have to do is open it up and swap out your home button with one that will let any finger unlock the phone. The original poster is trying to paint Apple as some kind of bad guy trying to take away the viability of the repair market. The truth is, they are trying to keep their phones secure by preventing an obvious attack vector. Thank you, Apple.

  8. Re: It's for your own safety, trust us you dumb fu by mrchaotica · · Score: 1, Insightful

    EPA regulations require emission controls on tractors to be tamper-resistant

    And that's asinine by itself, because the EPA is infringing on tractor owners' property rights in order to prevent the "possibility" of those owners violating air pollution laws. Essentially, the EPA apparently considers any modification of the tractor to be an attempt or conspiracy to violate the Clean Air Act, despite the fact that, since there are plenty of other reasons someone might want to modify their tractor, neither the act nor the intent has necessarily occurred.

    Moreover, because writing software is an act of expression, preventing the tractor owner from doing so is prior restraint of the owner's freedom of speech.

    In other words, that EPA regulation should be considered unconstitutional because it violates both the First Amendment and the Fifth Amendment.

    If the EPA wants to enforce the Clean Air Act, then they should go after people who actually violate the act, not destroy everyone's fundamental rights!

    --
    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  9. Re: Hey Apple... by ewanm89 · · Score: 5, Insightful

    They are saying you could replace it with one that records the data from the sensor and then replays it later at the attacker's whim. Making and using a jelly finger is a much better, easier, cheaper and more covert attack vector and so you are correct that the excuse is bull for the real reason of stopping people replacing commonly failing parts in their electronic devices without paying the corporate overlords their cut.