Slashdot Mirror

← Back to Stories (view on slashdot.org)

The iPhone 7 Has Arbitrary Software Locks That Prevent Repair (vice.com)

Posted by msmash on from the things-going-south dept.

Jason Koebler, reporting for Motherboard: Apple has taken new and extreme measures to make the iPhone unrepairable. The company is now using software locks to prevent independent repair of specific parts of the phone. Specifically, the home buttons of the iPhone 7 and iPhone 7 Plus are not user replaceable, raising questions about both the future repairability of Apple products and the future of the thriving independent repair industry. The iPhone 7 home button will only work with the original home button that it was shipped with; if it breaks and needs to be replaced, a new one will only work if it is "recalibrated" in an Apple Store.

30 of 199 comments (clear)

  1. But people will keep buying them... by Anonymous Coward · · Score: 4, Insightful

    ...so this'll continue unabated. Just like how gamers bitch and moan about unfinished games being released, and then still go out and buy the latest call of duty on release day.

    1. Re:But people will keep buying them... by jeremyp · · Score: 2

      That was an iPhone 5. There's no evidence (yet) that the FBI could do the same thing with a 7.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  2. All the more reason by Anonymous Coward · · Score: 2, Insightful

    to never buy apple products.

    Nuff said.

  3. It's for your own safety, trust us you dumb fucks. by Anonymous Coward · · Score: 5, Informative

    Former phone repair tech here, it's been this way since TouchID became a thing, with the iPhone5S I think?

    I hate to claim "it's not a bug, it's a feature" but this is done to make sure you cannot replace the home button with one that will send a "correct" signal for an incorrect fingerprint.

    Home buttons have been tied to the motherboard they shipped with as long as the iPhone has had fingerprint readers, this is not new.

  4. Not a terrible thing by mrbluejello · · Score: 5, Insightful

    This does not seem unreasonable. I say this because the home button is also a fingerprint reader, which is a security device. If a shop installs some kind of 3rd party button there, the security of the device could be compromised.

    Apple's garden is walled. It keeps the users in, but also keeps the bad things out.https://apple.slashdot.org/story/17/04/07/1734249/the-iphone-7-has-arbitrary-software-locks-that-prevent-repair#

    1. Re:Not a terrible thing by dgatwood · · Score: 5, Interesting

      This does not seem unreasonable. I say this because the home button is also a fingerprint reader, which is a security device. If a shop installs some kind of 3rd party button there, the security of the device could be compromised.

      Actually, it does seem unreasonable. The proper behavior would be to detect the unknown reader and purge all fingerprints from the secure enclave, forcing the user to set up fingerprint recognition again after unlocking with the passcode. That would mean that the user would be alerted to the fact that the hardware was altered (thus preventing surreptitious swapping as a targeted attack) while still allowing the device to be repaired by swapping hardware at the user's request.

      The current situation is exactly the sort of behavior that got car manufacturers a very nice set of laws that mandate repair part availability, etc. Keep going down this path, and Apple will earn the consumer electronics industry a similar set of regulations, and none too soon.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Not a terrible thing by Phoenix · · Score: 2

      The problem with this way of thinking is that once the device is one generation out, Apple will not fix the device. They'll only sell you a replacement.

      Case in point. Shattered my iPad Air screen a while back. Took it to Apple and they said that they don't repair screens for anything but what they're selling on the floor. MEANING...that if I had an iPad Air 2...they would have replaced the screen.

      They did offer to sell me a replacement iPad Air for twice as much as the local Zagg kiosk would charge to replace the screen and $75 more than one would have cost me on Ebay.

      I do see your point about security...but what do you do when the iPhone 8 comes out and they won't touch the 7 with a 12-metre cattle prod?

      --
      -- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
    3. Re:Not a terrible thing by EndlessNameless · · Score: 5, Insightful

      The issue is that the fingerprint sensor is trusted to neither store fingerprint data nor replay finger presses.

      If you accept data from untrusted sensors, an attacker could replace the sensor with a device that will store valid finger scans and retransmit them when triggered by the attacker.

      So you need both trusted firmware and a secure pairing process to ensure the device is not compromised in this manner.

      While I suspect this move is mostly motivated by a desire to obstruct third-party repairs, there is also a legitimate security concern with this particular component.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    4. Re:Not a terrible thing by msauve · · Score: 3, Insightful

      Then the proper behavior is to simply ignore the new fingerprint reader, and force the user to always use a passcode.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    5. Re:Not a terrible thing by MachineShedFred · · Score: 2

      The iPhone 7 doesn't have the mechanical button any more. It's just the fingerprint reader. So if the fingerprint reader is locked out, so is the not-a-button that servers as a home button.

      I'll refrain from putting some snarky idiot question on the end of this post, as I hope the irony has already caught up.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    6. Re:Not a terrible thing by yodleboy · · Score: 2

      yes, because every consumer should be aware of all the ways, large and small, that Apple is willing to screw them over. It's never Apples fault for being a bunch of greedy asshats, it's everyone else's fault for holding it wrong, squeezing too hard, owning too long, not going through Apple for every possible repair and just generally not letting Apple make all the decisions for your own good.

      The groveling passivity of Apple apologists is disgusting.

    7. Re:Not a terrible thing by msauve · · Score: 2

      So, you think the home function only works for a registered finger. You're dumber than you sound.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  5. Secure by design by krisbrowne42 · · Score: 5, Insightful

    You mean the fingerprint scanner that interacts directly with the secure enclave chip outside the OS? The one that could be misused by various actors if replaced with act-alike hardware? I'm not sensing the problem here - Feature not a Bug.

    1. Re:Secure by design by nbvb · · Score: 4, Insightful

      You are 100% correct. Don't feel the trolls - this is clickbait headlines and a BS story. If you believe in security, this is a good thing.

    2. Re:Secure by design by omnichad · · Score: 2

      Fingerprints are not the primary security on the device. "Recalibration" (pairing) should require no more than entering the PIN and/or logging into the associated iCloud account.

  6. Need federal right-to-repair laws... by TWX · · Score: 3, Insightful

    ...and laws that establish fair-use guidelines for software that's required for hardware to function. Unfortunately this is something that would have to be grassroots and widespread, no one party would ever make any headway on this unless there were an outcry from constituents, and even then it would be hard to overcome corporate counter-push.

    We've seen this kind of problem with conventional cars and light trucks, with heavy trucks, with farm implements, with major consumer appliances, and the prolifieration of this mindset is only getting worse as more and more functions can be software-tied.

    The laws need to say that software bundled into the device is considered part of the device, and may not be used to encumber the right to service or repair the device, and that for such software that is also intended to communicate with other software, the vendor must continue to support and maintain that code for bugfixes and security vulnerabilities for the realistic lifespan of the device and must provide a reasonable means for the owner to install such an update.

    Yes, this would increase the cost of the device originally, as the concepts for update must be turned into an actual process, but on the other hand if that means that the device can function for longer then it's net effect on the consumer should be small as they can continue to service and repair devices for longer than if vendor-created blocks stop them from doing so.

    --
    Do not look into laser with remaining eye.
  7. Security, yes? by American+AC+in+Paris · · Score: 5, Interesting

    As I understand it, this is a security measure, not an "arbitrary" lock. The home button is part of the Secure Enclave. If you let third parties make modifications to the Secure Enclave, it ceases to be secure.

    --

    Obliteracy: Words with explosions

  8. Re: It's for your own safety, trust us you dumb fu by tepples · · Score: 3, Insightful

    The button itself doesn't need to "do[] the pass/fail decoding on the fingerprint" for a successful attack. It need only replay the signals sent by a previous pass.

  9. Not an ARBITRARY lock at all by jarrowwx · · Score: 5, Insightful

    Imagine a world where in order to unlock your phone all I have to do is open it up and swap out your home button with one that will let any finger unlock the phone. The original poster is trying to paint Apple as some kind of bad guy trying to take away the viability of the repair market. The truth is, they are trying to keep their phones secure by preventing an obvious attack vector. Thank you, Apple.

  10. Re:It's for your own safety, trust us you dumb fuc by Lead+Butthead · · Score: 2

    Actually this is illegal. There are laws in place that let you repair your own equipment. If I owned an iphone I would just take them to court and watch them lose.

    They can have the case tied up in court for years. You'll go bankrupt just paying your landshark.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  11. Re: Hey Apple... by Lab+Rat+Jason · · Score: 5, Informative

    This is a re-post article... and the reason for it has already been made clear: If you can replace the fingerprint scanner, you can trick the phone into giving you access. This is why apple locks the hardware together. Not that I'm an Apple fanboi or anything, and I do think that people should have a choice, but perhaps that choice should be that apple will "unlock" all your hardware if you so request, and then you can put any hardware in there you like, knowing that you assume all risk. I imagine they'll never do that because it's just more work for them, and they have a reputation to protect even in the resale market. But if I'm apple and I face a decision on whether to lock hardware (so I can advertise as having a very secure device) or not (so I can advertise having a hackable device), I at least want my advertising strategy to align with my build strategy.

    But there you go, knowing is half the battle.

    --
    Which has more power: the hammer, or the anvil?
  12. Read the article before commenting (!) by JasonKoebler · · Score: 2, Informative

    Hey, author of the article here ... this is distinct from the 5S / 6 / 6S software lock and is not "old," it's a different thing that is explained in the article! Imagine that.

  13. Re: Hey Apple... by ewanm89 · · Score: 5, Insightful

    They are saying you could replace it with one that records the data from the sensor and then replays it later at the attackers whim. Making and using a jelly finger is a much better, easier, cheaper and more covert attack vector and so you are correct that the excuse is bull for the real reason of stopping people replacing commonly failing parts in their electronic devices without paying the corporate overlords their cut.

  14. Re: Hey Apple... by gmack · · Score: 2

    There is no need to disable the whole button, only the unlock functionality. You can still have the return to home button work without compromising security.

  15. Re: It's for your own safety, trust us you dumb fu by Maury+Markowitz · · Score: 2

    >Essentially, the EPA apparently considers any modification of the tractor

    You can modify all sorts of crap on a JD tractor. Tires get changed all the time. You can change the entire cab if you want.

    You just can't screw with the engine controls. Contrary to your line of argument, doing that has a very high probability of changing its emissions (like 100%).

    > In other words, that EPA regulation should be considered unconstitutional

    Then get a lawyer and sue them, and see if the court agrees with your asinine argument. And then we can put it on the list along with other nerd arguments like:

    There's NO WAY Bell can stop our Blue Boxes!
    There's TOTALLY ILLEGAL for the government to spy on all our comms!
    There's NO WAY they can patent computer code!
    No one will ever get sued when using BitTorrent!
    etc.

  16. Re:It's for your own safety, trust us you dumb fuc by MachineShedFred · · Score: 2

    On iPhone 7, the home button isn't a real button anymore - it's just more touch sensitive space.

    The old models probably still had software that triggered on the manual button click which is completely separate from the fingerprint reading / encoding software, and that software probably still exists for older models in the most modern versions of the OS. However, that button doesn't exist any more, so only the fingerprint software with the lockout ever gets used on iPhone 7. It's entirely possible that Apple didn't mean for it to be this way, or it was discovered at some point and they didn't care enough to do anything about it.

    That said, it's still shitty.

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  17. Re: It's for your own safety, trust us you dumb fu by mrchaotica · · Score: 4, Interesting

    You just can't screw with the engine controls. Contrary to your line of argument, doing that has a very high probability of changing its emissions (like 100%).

    No.

    First of all, merely "changing" the emissions does not necessarily mean making the vehicle violate the emission standards. For example, if the owner made modifications elsewhere -- such as by switching to a cleaner fuel, like biodiesel -- it's entirely possible for there to be different settings that optimize the engine operation while still maintaining equal or better emissions. For that reason alone the EPA rule is overreaching.

    Second, the ECU performs an increasingly large number of functions beyond just things that affect emissions. That means the bullshit emissions argument is used as an excuse to DRM all the other computerized functions in the tractor, up to and including things like GPS tracking or self-driving modes. Even worse than that, John Deere has argued that the DRM infection means the farmer only "licenses" the entire fucking tractor , including the hardware parts!

    Therefore, this claim of yours:

    You can modify all sorts of crap on a JD tractor. Tires get changed all the time. You can change the entire cab if you want.

    ...is not true, at least from John Deere's perspective. If this sort of tyranny is allowed to stand, there would be nothing stopping John Deere from requiring farmers to obtain its permission even to change the fucking tires (using only John Deere "licensed" parts), in exactly the same way e.g. Lexmark tries to pretend it's illegal to use third-party ink.

    And then we can put it on the list along with other nerd arguments like: There's NO WAY Bell can stop our Blue Boxes! There's TOTALLY ILLEGAL for the government to spy on all our comms! There's NO WAY they can patent computer code! No one will ever get sued when using BitTorrent! etc.

    Fuck off with your strawman arguments!

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  18. Yep. by XSportSeeker · · Score: 2

    I'll give people the benefit of doubt, but it sounds like a whole ton of commenters here are going on with guesswork.

    First of all, no, it's not easy in any way shape or form to create a rogue touch ID reader that would "send signals" allowing the iPhone 7 to be unlocked.
    It'd already be plenty hard for someone to open up a phone and replace it surreptiously, let alone coming up with new hardware that would be compatible.

    Do you guys even know how the TouchID reader works? Well, neither do I of course... it's proprietary. But here's an overview:
    http://edition.cnn.com/2013/12...
    http://edition.cnn.com/2013/09...
    https://support.apple.com/en-u...

    Basically, it works like a very specific and proprietary camera/microscope. It detects fine detailed fingerprint information, converts it into code and sends it to the SoC to be processed via software.
    Nothing is processed on the button itself, and even if it was, you wouldn't be able to easily figure out what it did - or it'd be unsecure by definition.

    But again, the hardware is very proprietary. You'd probably need insider knowledge of production to even come close to making something that would work like it, and it'd be expensive as hell to reproduce one. The companies that makes these things have secretive processes that not only would be incredibly hard to figure out, it'd be outright impossible to reproduce without proper technologies.

    Do people even realize how much easier it'd be to just chop up someone's finger and bypass the whole thing anyways?

    Even if you couldn't go to such extremes, it'd be easier for hackers and malicious actors to try to reproduce an entire detailed human finger complete with ridges, pores and whatnot (at it's current stage) than creating some rogue device that could bypass the security enclave somehow.
    And you cannot retrieve information from previous fingerprints used for authentication because they are encrypted in the phone storage, not in the reader.

    The only likely scenario where Touch ID could be used to steal fingerprints, depending a lot on how it works, would be to use an original unit modified to store readouts, and then creating new hardware that would send those into the system. But that's quite unlikely... if not outright impossible. Again, it depends on how exactly the reader works. Note though how no one every did anything like this, because it just doesn't make sense. iPhones will always have easier vulnerabilities to explore to retrieve data.

    It's always good to note though that fingerprint sensors should NEVER be used as the sole authentication method if you have sensitive information inside the phone. Because, like I said, it's a matter of finding a way to make a very detailed reproduction of your finger. With 3D print technology and camera technology always improving, it'll be doable at some point in time.
    It was already done for the iPhone 6, though not something that just anyone could do:
    http://www.cultofmac.com/29688...

    Apple is already facing a class action lawsuit regarding the so called Error 53, related to iPhone 6 bricking the phone if the Touch ID was replaced, so it really doesn't look good for them to repeat the whole deal for the iPhone 7.
    https://www.macrumors.com/2016...
    Australia's consumer protection agency also just filled a lawsuit:
    http://www.ubergizmo.com/2017/...

    And you know, the company has backtracked because the very same excuses some commenters are making here were not enoug

  19. Re: Hey Apple... by BorgDrone · · Score: 4, Informative

    Which is exactly what they did

  20. So, by BitztreamNotARealNam · · Score: 2

    How's life in the hypocrite lane?