Error 53, iPhone 6 is Bricked

I prefer a dumb cellphone, and I'll keep my iPod Touch 4th gen, new to me 4 years ago (it was very cheap and sold to me by a next-door neighbor who was fed up with Apple), until it dies; then I'm done with Apple. The device only contains music and videos for my figure skating endeavors. It was maximally annoying to deal with Apple's sync feature. Fortunately VLC is a wonderful app. ;) :)


Excellent. It sounds like you know what you like.

With a couple of minor exceptions, all those things can be done with any inexpensive Android phone from 2 or 3 generations back.


True. I never implied that you can't do most of these things with other, cheaper smartphones. I like the Apple experience. I come from years of Windows and have gradually converted. Apple really has a knack for small details, to the point where I find the extra cost is worth it for me.

I'll give an example. I've been trying to simplify my TV setup at home for over a decade. We have multiple TVs and haven't had cable in over a decade. I went from using a Windows Media Center computer with media center extenders to each TV for OTA, to using Amazon FireTV/Rokus. I finally ditched the media center PC with a Tablo setup, which works reasonably well for OTA content. I was never impressed with Amazon's FireTV, but the Roku we have works reasonably well and it has all the apps I need (Netflix, Amazon Prime, PBS, Tablo).

So now Apple has released an AppleTV with apps. I'm thinking this could be a great product, but it doesn't have the apps I need. But I'm curious and decided to pick one up to play around with it. After I hooked it up, I was impressed. What impressed me the most? The remote control. Go figure. Right now with our Roku, I have to use three remote controls, one for the TV, one for sound and one for the Roku. With the AppleTV all I need is the AppleTV remote. It's very slick. It controls the power to the TV and changes it to the correct input. It controls the volume on our Sonos. And of course, it controls the AppleTV.

Sure, there are cheaper options out there that work (for the most part), but Apple knows how to put together a good product so I'll pay a bit extra.

Sure, but I don't understand why the phone should be 'bricked' after this? That seems like a poor option.

I don't own any fingerprint recognition devices, I assume this is for convenience only, and that there is an alternate way in - like through a password entry (otherwise, if your hand were in a cast, your phone would be locked forever?)? So why wouldn't the phone simply fail to accept any fingerprint input from an un-authorized device, and force you to use the password? Doesn't that provide adequate protection, w/o destroying the user's phone? And as others said, it should have given this warning earlier - getting it bricked as part of a SW upgrade is very bad form. I'd be PO'd (regardless of the manufacturer).


When you buy an Apple product, that's part of the deal. If you don't like it, don't buy their products. I surely wouldn't buy an Apple product thinking I'm going to make 3rd party modifications to it. That would be like beating your head against the wall. I also wouldn't be surprised if they tell you this somewhere in their TOS. So in a way, they did tell you beforehand.

And yes, as a fellow engineer, I recognize there are always different designs you can use. Apple chose this one because they like their closed ecosystem. It keeps their costs down and a majority of their users are happy. If it didn't, then they'd choose something else. Sounds like a good choice on their part.
 
Had a Nokia phone that was tough and light and great - but that was about it. After over 8 years of abuse it slowly gave up the ghost and I bought a pretty darn smart Windows Lumia phone brand new, no contract, for $50. Meanwhile, the gal had had a succession of iPhones, which she made do all manner of nifty tricks and kept for 3-4 years. Didn't have a problem with that - she used the heck out of those iPhones - they were serious tools. Recently her 4s was being taxed by the tasks she put it to and she was pretty much keeping it on a charger all the time because the battery was gerflunkled. Got her an unlocked refurb 5S with 64GB from Groupon for about $320. It is working hard for her, though she chooses not to use the fingerprint scanner. I found a used 16GB 5 for $150, and am about to buy an unlocked 16GB 5S from a neighbor for $100.

Apple has a pretty darn smooth environment, unlike the Windows phone there are LOTS of mainstream apps, and if you don't mind not being on the bleeding edge or having something someone else has used you don't have to pay much. (frankly, I prefer the pocketable size and weight of the 5 vs the 6)
 
...
When you buy an Apple product, that's part of the deal. If you don't like it, don't buy their products. I surely wouldn't buy an Apple product thinking I'm going to make 3rd party modifications to it. That would be like beating your head against the wall. I also wouldn't be surprised if they tell you this somewhere in their TOS. So in a way, they did tell you beforehand. ...

I'm not making this an Apple versus any other brand issue. They all have pros and cons, people should buy whatever they want.


And yes, as a fellow engineer, I recognize there are always different designs you can use. Apple chose this one because they like their closed ecosystem. It keeps their costs down and a majority of their users are happy. If it didn't, then they'd choose something else. Sounds like a good choice on their part.

There are always different design approaches, sure - what I'm saying is that this appears to be a very poor one (regardless of the manufacturer - I don't care!).

I read the article now, and I see some people were far away from an authorized repair place, needed their phone so got it fixed by a 3rd party. As I said earlier - if Apple needs to validate a security key in the device or something, that makes sense. But then simply lock out the fingerprint recognition function if it fails validation, the user then just uses the passcode method to log in. <<< That's the big issue, as I see it.

And the worst part of this is there was no warning. People got this repair done, probably have no idea about security keys and such - it could be that just the button broke, not the fingerprint function, but it's all built in I assume. So replace a button, big deal. It works fine for maybe a year, no warnings, and then, to have that phone bricked when you update the SW? That's nasty.

The article states that even some people who had the button break, and reportedly never had it fixed, just decided to live w/o the fingerprint function, and their phones got bricked as well.

If I don't like it, don't buy their products? If I avoid every manufacturer that does something I don't like, I'll soon be locked out of everything. But I'm not going to write off every bad decision as "Hey, that's how they do it". People should complain, and complain loudly when things go wrong, and maybe the company will make it right.

Personally, I think these people deserve a credit for a replacement phone if it is truly bricked.

-ERD50
 
At least Apple acknowledges the error:

Apple acknowledges 'Error 53' glitch, says it's part of Touch ID security

With an unofficial repair, the representative warned, that pairing can go unvalidated and lead to Error 53 once iOS is updated, or even restored. People running into the glitch should contact Apple support, the spokeswoman suggested.

The problem renders an iPhone unusable however, and affected owners will likely have no choice but to buy a new phone, since an unofficial repair violates Apple's warranty terms.

Can somethings be too secure for their own good? :facepalm:
 
At least Apple acknowledges the error:

Apple acknowledges 'Error 53' glitch, says it's part of Touch ID security



Can somethings be too secure for their own good? :facepalm:


Sure, I recall an advertisement for a write-only memory chip. :LOL: From the days of 64K memory devices.

I guess the iPhone 6 with iOS 9 is a close runner-up.

Edit add:

Here is a fun scenario to contemplate.

You have an iPhone 6 with iOS 9 installed. The phone is dropped but only the home button area is damaged, such that the fingerprint reader is inoperative. Yet it manages to power up; presumably at boot time iOS 9 checks all internal signatures and finds the fingerprint reader unreadable or undetectable or corrupt.

iOS 9, to ensure the security of your valuable data, now bricks your phone.

How do you feel?

Ok I am now off to hang out at my mancave and ignore the world and technology.
 
From the moment it's turned on it's checking its integrity at each step of the way. If it finds something fishy - LIKE SOME NON-SECURE HARDWARE - it refuses to operate.

On my old blackberry if you entered the password wrong five times it would auto wipe. It could also be wiped remotely.

I think this is more a failure of the communication/update process than necessarily a bad design. If I lose my phone and someone starts tinkering with it to get in, I definitely want it bricked as soon as a possible attempt is detected.

The other lesson here is NEVER EVER run an update on your electronics when you are traveling.





 
I get the security concern, but why couldn't Apple remove the memory (equivalent of the hard drive) and restore the rest? The "brick" can't be donated or sold for refurbishment. I suspect most will be trashed instead of properly recycled to recover the rare earth elements. Mining those elements is rough on the environment. What a waste. It just seems punitive to me.

I could be wrong about the ability to replace a memory unit but I'm sure not going to open mine up to see and void the warranty!
 
There are always different design approaches, sure - what I'm saying is that this appears to be a very poor one (regardless of the manufacturer - I don't care!).

I read the article now, and I see some people were far away from an authorized repair place, needed their phone so got it fixed by a 3rd party. As I said earlier - if Apple needs to validate a security key in the device or something, that makes sense. But then simply lock out the fingerprint recognition function if it fails validation, the user then just uses the passcode method to log in. <<< That's the big issue, as I see it.

And the worst part of this is there was no warning. People got this repair done, probably have no idea about security keys and such - it could be that just the button broke, not the fingerprint function, but it's all built in I assume. So replace a button, big deal. It works fine for maybe a year, no warnings, and then, to have that phone bricked when you update the SW? That's nasty.

The article states that even some people who had the button break, and reportedly never had it fixed, just decided to live w/o the fingerprint function, and their phones got bricked as well.

If I don't like it, don't buy their products? If I avoid every manufacturer that does something I don't like, I'll soon be locked out of everything. But I'm not going to write off every bad decision as "Hey, that's how they do it". People should complain, and complain loudly when things go wrong, and maybe the company will make it right.

Personally, I think these people deserve a credit for a replacement phone if it is truly bricked.

-ERD50

It might be a poor design, but it's probably a good business decision. Sure, they could solve this problem and do more. But is it worth it to them? How many customers are really affected? I'm guessing it's significantly less than 1%.

Looking at Wikipedia, they've shipped over 100 million iPhone 6's as of 3/1/15. So at the low end, let's say there are 100 million of these devices out there. According to the article, they say there are around 150k hits for this error on the internet. Let's say it's 500k devices. That means this affects 0.5% of their customers. That's a small number. No product is 100% and Apple would be silly to create a better solution for less than 1% of their customers, especially when they have something already in place.

Out-of-warranty repairs for an iPhone 6/6s are $299. That's over half off. So if you break your device, yeah, life sucks, but Apple is willing to replace it with a new device for a reasonable price. Problem solved.

I get the security concern, but why couldn't Apple remove the memory (equivalent of the hard drive) and restore the rest? The "brick" can't be donated or sold for refurbishment. I suspect most will be trashed instead of properly recycled to recover the rare earth elements. Mining those elements is rough on the environment. What a waste. It just seems punitive to me.

I could be wrong about the ability to replace a memory unit but I'm sure not going to open mine up to see and void the warranty!

That's hard to do. The memory is soldered onto the board. Look at the image on ifixit at step 19: https://www.ifixit.com/Teardown/iPhone+6s+Teardown/48170

The one in the big red box is the memory. That's not coming out. But we all backup our devices, right? So restoring should be a piece of cake once you get your replacement iPhone.

If you replace your device with Apple using their out of warranty service, I would be shocked if they don't recycle what they can out of your old phone. Some of these probably show up as refurbished devices for sale on their website.
 
I get the security concern, but why couldn't Apple remove the memory (equivalent of the hard drive) and restore the rest? The "brick" can't be donated or sold for refurbishment. I suspect most will be trashed instead of properly recycled to recover the rare earth elements. Mining those elements is rough on the environment. What a waste. It just seems punitive to me.

Apple introduced the "kill switch" ("bricking the phone") because there was a growing problem with iPhone theft.


Thieves are willing to tinker with stolen iPhones and if they could simply replace the flash memory to get it working again they would.
 
In New Zealand now. Finding a lot of terminals which support contactless so I've been able to use Apple Pay. A couple of cashiers were surprised I could pay with iPhone.

When I use credit card, I have to select credit and then sign for it. Then I get a long receipt showing last four digits of the card as well as my name. So I keep those receipts to dispose of later. But with Apple Pay, the receipts don't have my name or any part of my actual credit card number so I discard those right away.

The transactions are faster than standard chip card transactions. Plus I can check the transactions using apps for Citi, Chase, BofA, Schwab using Touch ID to log into those apps.

As for the third party repair ability issue, that is the trade off for the sleek and thin Apple devices. You can't even swap batteries any more. Only once took an Apple product for repair and went to the Apple Store. Would have had to have searched for a third party repair place and it probably wouldn't have been cheaper.

My father earlier this year had an old iPhone where the battery was expanding. He was out of warranty so I did find some nearby repair places and made an appointment. But he took it to the Apple Store and they gave him a new device because the state of the old iPhone was considered a hazard.

They tend to have high customer satisfaction ratings because of anecdotes like these.

As for costs, yes, when you first buy a device you pay a premium, but that is the case with all new phones. Those other brands tend to get discounted faster, like no money down sooner.

Other things like phone service costs are the same. I could save money by using a prepay service like Straight Talk but I went with T mobile postpaid for the international roaming. Free data in most countries, free texts and 29 cents a minute to call back to the US or to call foreign numbers. Or free if using Wifi calling.
 
...I suspect most will be trashed instead of properly recycled to recover the rare earth elements. Mining those elements is rough on the environment. What a waste.

Apple does have an easy to use recycle program. Of course you can't force people to use it.

They also offer an upgrade program which they recently extended to phones with broken buttons and screens, not just iPhones in "good condition".

They do make an effort.
 
It might be a poor design, but it's probably a good business decision. Sure, they could solve this problem and do more. But is it worth it to them? How many customers are really affected? I'm guessing it's significantly less than 1%.

Looking at wikipedia, they've shipped over 100 million iPhone 6's as of 3/1/15. So at the low end, let's say there are 100 million of these devices out there. According to the article, they say there are around 150k hits for this error on the internet. Let's say it's 500k devices. That means this affects 0.5% of their customers. That's a small number. ....

I think you are missing my point. I'm looking at this issue in isolation. I'm saying it appears to be a very bad design decision, period.

I'm saying (again), a better solution would be to disable fingerprint recognition if it detects an unauthorized module, and force the user to use the alternative passcode access. I see no reason to brick the device over this, and inconvenience the user and cost them $$$. And some claim the original Apple module just failed, they never had it replaced, they just didn't use that function, and then this SW upgrade bricked their device. I could see how a failed Apple module could fail in such a way that it could not perform the security authentication handshake - so stop communicating with it, don't brick the phone. I would be mad about that - you wouldn't?


It's not a matter of what % of the customers are affected. A bad design is a bad design, even if no one ever experiences it. I'm not trying to say this will make hordes of people stay away from Apple, or Apple sucks or anything of the sort. I'm just saying this was bad design, and Apple should credit these people somehow. Now, if the people got a warning about this, I might feel differently (Think Different?), but to just brick a phone on a SW upgrade is a bad, bad thing.

To the earlier poster regarding just soldering new memory chip or something - that is very likely not possible. I've sat in on some design reviews regarding some similar security locks on devices, and it will make your head spin. Several levels of devices talking to each other, validating their keys, and the keys are one time programmable, and everything needs to match or no-go. The other components will sense a mismatch with a new part that was not programmed at the same time the original programming took place. If it were that simple to circumvent, it wouldn't be secure.

In some cases, requiring de-soldering is 'secure enough' - mass breaches are not really feasible for that much effort. But since the phone can be used to pay for things, they are likely at a higher security level than just replacing a part and performing a "Master Reset".

-ERD50
 
I think you are missing my point. I'm looking at this issue in isolation. I'm saying it appears to be a very bad design decision, period.

I'm saying (again), a better solution would be to disable fingerprint recognition if it detects an unauthorized module, and force the user to use the alternative passcode access. I see no reason to brick the device over this, and inconvenience the user and cost them $$$. And some claim the original Apple module just failed, they never had it replaced, they just didn't use that function, and then this SW upgrade bricked their device. I could see how a failed Apple module could fail in such a way that it could not perform the security authentication handshake - so stop communicating with it, don't brick the phone. I would be mad about that - you wouldn't?

I don't agree that your solution is a better design. I wouldn't want my device to work in any way whatsoever if it was tampered with. That is a security issue. How do you know that the new unauthorized TouchID that was installed isn't able to get more information than just your fingerprint? Next thing you know we'll allow the NSA to repair our iPhones. Yeah, no problem with that.

Personally, I hope that they have enough logic in the device to prevent any unauthorized tampering. What if somebody grabbed your phone, modified it, and gave it back to you with you completely unaware? Wouldn't you want it to be bricked at that point? I sure would.

In thinking about the actual issue, I wouldn't be surprised if this was flagged as a bug in versions of iOS prior to iOS 9, probably after they were released. Then they probably realized, hey, somebody can change out this part and iOS will keep working, and that's a security bug. So they fixed it in iOS 9 to pop up an error and resolved the bug as fixed. In retrospect, I doubt they would have wanted this to work in iOS versions prior to iOS 9, but they had no easy way to patch those versions. Plus, most development teams (especially in the consumer space) don't care as much about older versions of their software.

Unfortunately, some people got burned by this. As a bug fix though, it is lacking. Instead of popping up an Error 53, they really should say, "We've detected that your device has been tampered with and you should take your device to an authorized Apple repair shop for repairs." Maybe even educate the user base on why you don't want your device modified by unauthorized 3rd parties, which they've done somewhat:

This is even clear from the statement Apple provided to the Guardian:

We protect fingerprint data using a secure enclave, which is uniquely paired to the touch ID sensor. When iPhone is serviced by an authorised Apple service provider or Apple retail store for changes that affect the touch ID sensor, the pairing is re-validated. This check ensures the device and the iOS features related to touch ID remain secure. Without this unique pairing, a malicious touch ID sensor could be substituted, thereby gaining access to the secure enclave. When iOS detects that the pairing fails, touch ID, including Apple Pay, is disabled so the device remains secure.

From an article at Replacing your iPhone's home button could brick it, and that's a good thing - GeekWire.
 
I don't agree that your solution is a better design. I wouldn't want my device to work in any way whatsoever if it was tampered with. That is a security issue.

You're fine with it, but not everyone wants or needs that level of security.
 
The "Error 53" indicates that an inconsistency has been detected in a special storage and communications system internally called the "Secure Enclave". The Secure Enclave includes its own coprocessor (A7 and later processors) with its own secure boot process and its own verified and signed software.

The Secure Enclave coprocessor uses the System Software Authorization to ensure the integrity of its software and prevent a class of attacks involving software downgrades or rollbacks to re-install exploitable bugs. It also uses an encrypted exchange between the Touch ID sensor and the Secure Enclave to prevent another class of attacks that can be used to 'unlock' or decrypt extremely sensitive information stored in the Secure Enclave.

If the Error 53 failure could be ignored, an attack is possible which would grant access to items normally locked away by the Data Protection keys in the Secure Enclave. Think about it. That includes your phone content if encrypted, iCloud access, iTunes Store access, those cards you've associated with ApplePay, and interesting bits of your cellphone account tied to your hardware.

The unexpected result of many people seeing Error 53, rather than it appearing only to a handful of really bad people, is the result of service techs replacing parts in the Touch ID system without going through the expected unlock/repair/re-credential process that a trained tech should be following, or fairly unusual internal damage.

If Apple were to allow a hack that ignored Error 53 and unlocked Secure Enclave content for the hacker, I suspect we would be hearing a somewhat different complaint.

Given a choice of failing securely or failing insecurely, best practice is to fail securely.

https://www.apple.com/business/docs/iOS_Security_Guide.pdf
The Secure Enclave is a coprocessor fabricated in the Apple A7 or later A-series processor. It utilizes its own secure boot and personalized software update separate from the application processor. It provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised.

The Secure Enclave uses encrypted memory and includes a hardware random number generator. Its microkernel is based on the L4 family, with modifications by Apple. Communication between the Secure Enclave and the application processor is isolated to an interrupt-driven mailbox and shared memory data buffers. Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, entangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space.

Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key entangled with the UID and an anti-replay counter. The Secure Enclave is responsible for processing fingerprint data from the Touch ID sensor, determining if there is a match against registered fingerprints, and then enabling access or purchases on behalf of the user. Communication between the processor and the Touch ID sensor takes place over a serial peripheral interface bus. The processor forwards the data to the Secure Enclave but cannot read it. It’s encrypted and authenticated with a session key that is negotiated using the device’s shared key that is provisioned for the Touch ID sensor and the Secure Enclave. The session key exchange uses AES key wrapping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption.
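To make the two checks described in that Security Guide excerpt concrete, here is an added toy model (my own example code, not Apple's and not from anyone in this thread). It models (1) the pairing check between a Touch ID sensor and the Secure Enclave, where only a sensor holding the factory-provisioned shared key can answer the enclave's challenge and an unpaired replacement part causes Touch ID to be disabled rather than left trusted, and (2) the anti-replay counter on data the enclave persists, which is what lets an update refuse a rolled-back, older state. Everything here is an assumption made for illustration: the key value, class and method names, the message framing, and the use of HMAC-SHA256 challenge/response in place of the AES key wrapping and AES-CCM transport the real design uses, so that the example runs on the Python standard library alone.

```python
"""Toy model of Touch ID / Secure Enclave pairing and anti-rollback checks.

Added illustration, not Apple's code. Key values, names and message formats
are constructed assumptions; HMAC-SHA256 stands in for the AES key wrapping
and AES-CCM transport described in the iOS Security Guide.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed factory-provisioned key shared by exactly one sensor and one enclave.
FACTORY_SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (prefixing avoids field ambiguity)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


@dataclass
class TouchIdSensor:
    """Sensor side: only a sensor holding the paired key can answer a challenge."""
    shared_key: bytes

    def respond(self, challenge: bytes) -> Tuple[bytes, bytes]:
        nonce = secrets.token_bytes(16)            # sensor's random contribution
        return nonce, _mac(self.shared_key, b"pair", challenge, nonce)


@dataclass
class SecureEnclave:
    shared_key: bytes
    touch_id_enabled: bool = False
    session_key: Optional[bytes] = None
    anti_replay_counter: int = 0      # monotonic; persisted state must never go backwards

    def validate_pairing(self, sensor: TouchIdSensor) -> bool:
        """Challenge the sensor; on mismatch fail secure by disabling Touch ID."""
        challenge = secrets.token_bytes(16)        # enclave's random contribution
        nonce, response = sensor.respond(challenge)
        expected = _mac(self.shared_key, b"pair", challenge, nonce)
        if not hmac.compare_digest(expected, response):
            self.touch_id_enabled = False
            self.session_key = None
            return False
        # Both sides contributed randomness, so the session key is fresh each boot.
        self.session_key = _mac(self.shared_key, b"session", challenge, nonce)
        self.touch_id_enabled = True
        return True

    def seal_state(self, payload: bytes) -> Tuple[int, bytes, bytes]:
        """Persist data bound to the current counter value by a MAC."""
        self.anti_replay_counter += 1
        c = self.anti_replay_counter
        return c, payload, _mac(self.shared_key, b"seal", c.to_bytes(8, "big"), payload)

    def unseal_state(self, blob: Tuple[int, bytes, bytes]) -> Optional[bytes]:
        """Reject tampered blobs and any blob older than the current counter."""
        c, payload, tag = blob
        expected = _mac(self.shared_key, b"seal", c.to_bytes(8, "big"), payload)
        if not hmac.compare_digest(tag, expected):
            return None                            # modified on disk
        if c < self.anti_replay_counter:
            return None                            # rollback to an older state
        return payload


def demo() -> dict:
    """Run the scenarios the thread argues about and report each outcome."""
    enclave = SecureEnclave(FACTORY_SHARED_KEY)
    paired = TouchIdSensor(FACTORY_SHARED_KEY)     # original, factory-paired part
    replacement = TouchIdSensor(bytes(16))         # third-party part without the key
    results = {}
    results["paired_ok"] = enclave.validate_pairing(paired)
    results["replacement_ok"] = enclave.validate_pairing(replacement)
    results["touch_id_after_replacement"] = enclave.touch_id_enabled
    old = enclave.seal_state(b"keybag-v1")         # constructed persisted state
    new = enclave.seal_state(b"keybag-v2")
    results["rollback_rejected"] = enclave.unseal_state(old) is None
    results["tampered_rejected"] = enclave.unseal_state((new[0], b"keybag-evil", new[2])) is None
    results["current_ok"] = enclave.unseal_state(new) == b"keybag-v2"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note what the model does and does not do: a failed pairing leaves the sensor unable to obtain a session key and disables Touch ID in the model, which is the "disable the feature" outcome Apple's Guardian statement describes; whether the whole device should then refuse to boot is the policy question this thread is arguing, and nothing in the model decides it.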
 
Installing aftermarket/counterfeit parts always has some risk. Apple OEM only for me, the quality is excellent and no compatibility issues.


 
...
If Apple were to allow a hack that ignored Error 53 and unlocked Secure Enclave content for the hacker, I suspect we would be hearing a somewhat different complaint.

Given a choice of failing securely or failing insecurely, best practice is to fail securely.

https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Thanks. But why not simply ignore input from the fingerprint recognition (FPR) module if it does not pass the security challenge, and force the user to use the passcode method instead?

As I understand it, FPR is for convenience, so that the user does not need to enter the passcode. So if the convenience entry is corrupt, just block that entry.

Finger print is just one way in. Passcode is another. So it sure does not seem like a security issue to me if a problem is detected in one part of the system, to allow entry through the passcode, as that was always a legitimate way to enter. It would be different if BOTH were required to enter.

Some of the people reported that they don't use the FPR, and never had it worked on (it may have failed and they just decided it wasn't worth getting fixed, and use the 'old fashioned' passcode method). Should they really have their product bricked? I don't think so. At a minimum, they should have received a stern warning describing the issue, been asked for their passcode, and been advised (with several "Are you sure" warnings) that continuing with the update could result in an irretrievably locked phone.

-ERD50
 
If the Secure Enclave content is unlocked with an unverified device (the thing claiming to be a fingerprint reader) attached to its bus, there is a possibility that the unverified device may be an attack mechanism that will then have access to the user's encryption keys and all formerly secure content in the phone.

For those who like Bad Analogies, it would be like walking up to an ATM, ignoring the man in the ski mask next to it, and keying in your PIN number. Maybe nothing happens. Maybe the guy in the ski mask is just really cold, and waiting for a friend. While standing next to the ATM...

I suppose it's a reasonable alternative for folks who really trust strangers. That's not a reasonable alternative for a device manufacturer to choose for a device that will contain sensitive information for many users.

The manufacturer could probably offer a special version of the phone that would 'fail unsafe', ignoring security subsystem errors and granting access by default. Call it the "NSA Friendly" model. They might want to charge extra for this to cover the product liability premiums. You could suggest that to Apple.
 
If the Secure Enclave content is unlocked with an unverified device (the thing claiming to be a fingerprint reader) attached to its bus, there is a possibility that the unverified device may be an attack mechanism that will then have access to the user's encryption keys and all formerly secure content in the phone.

For those who like Bad Analogies, it would be like walking up to an ATM, ignoring the man in the ski mask next to it, and keying in your PIN number. Maybe nothing happens. Maybe the guy in the ski mask is just really cold, and waiting for a friend. While standing next to the ATM...

I suppose it's a reasonable alternative for folks who really trust strangers. That's not a reasonable alternative for a device manufacturer to choose for a device that will contain sensitive information for many users.

The manufacturer could probably offer a special version of the phone that would 'fail unsafe', ignoring security subsystem errors and granting access by default. Call it the "NSA Friendly" model. They might want to charge extra for this to cover the product liability premiums. You could suggest that to Apple.


Except that it is only if you upgrade to the new iOS that this happens, and why would someone stealing a phone then upgrade to a new iOS when they surely would know the problem? If a phone is not going to work if outside repairs are done on it, purchasing customers have a right to know that as much as the criminals.
 
...

The manufacturer could probably offer a special version of the phone that would 'fail unsafe', ignoring security subsystem errors and granting access by default. Call it the "NSA Friendly" model. ...

I'm certainly not suggesting that security be ignored, and that access should be granted by default - nothing of the kind. I'm suggesting that they simply end all communication with the FPR module, and fall back to the security method that is also accepted - a passcode entry. Were iPhones not secure before we had FPR?

You seem to be suggesting that a 3rd party FPR module could 'snoop' on the phone contents? How could it do that if the phone dropped comm with it when it failed the security validation?

Except that it is only if you upgrade to the new iOS that this happens, and why would someone stealing a phone then upgrade to a new iOS when they surely would know the problem? If a phone is not going to work if outside repairs are done on it, purchasing customers have a right to know that as much as the criminals.

Yes, it's the 'after-the-fact' implementation, and no warning to existing customers that I see as the real issue. I realize security changes are made along with other updates, and this was done in an effort to tighten security, but bricking someone's phone is extreme enough that you'd think there would be an equally extreme warning alert.

-ERD50
 
Except that it is only if you upgrade to the new iOS that this happens, and why would someone stealing a phone then upgrade to a new iOS when they surely would know the problem? If a phone is not going to work if outside repairs are done on it, purchasing customers have a right to know that as much as the criminals.

One of several points where the integrity of the Secure Enclave is checked is during software updates. This is done to block a class of attacks involving rollbacks, the installation of older software versions to exploit identified bugs, among other attacks.
 
I think I already mentioned that the Engineering team did not anticipate that folks would be replacing secure subsystem parts without bothering to perform the steps needed to re-validate the Secure Enclave subsystem. That's a failure in training of service technicians that is leading to bricked phones.

It may be possible in future releases to add a Software Restore option that can unbrick a phone with these specific failures, some sort of 'Yes, this is really my phone, and I still trust the integrity of all components in it' check that would verify ownership of the device and update the internal encryption key pairs. This has to be done carefully as it also opens a new front for potential security exploits.

You seem to be suggesting that a 3rd party FPR module could 'snoop' on the phone contents? How could it do that if the phone dropped comm with it when it failed the security validation?

There isn't a physical disconnect such as a fusible link between the fingerprint reader and Secure Enclave coprocessor that could be blown to disconnect the device. (Remember that it is also the Home button.) The device remains connected to the secure bus. This can be used to perform a number of different security attacks. One known attack on a similar Android system involves the use of a dummy 'fingerprint scanner' cut into the phone, sending an oversize buffer of 'fingerprint data' to the processor. The buffer overrun results in the injection of code allowing access to secured information in the device. (This particular attack should not work on the iPhone, but is described to give you some idea of the sort of things the security architecture has to deal with.)
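To make the two positions in this exchange concrete, here is an added model (not Apple's code, and not a description of how the Secure Enclave actually pairs with the reader) of a paired-component check run at update time. The pairing record, the challenge-response, and the two policies (fail closed and lock the device, or drop the reader and fall back to passcode with a warning) are all assumptions constructed for illustration.

```python
"""Constructed model: validating a paired fingerprint reader during an update."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PairingRecord:
    reader_id: bytes    # identity the secure side learned when the reader was paired
    shared_key: bytes   # secret provisioned into both sides by an authorized service flow


def provision(reader_id: bytes) -> PairingRecord:
    """The re-validation step a technician would run after replacing the part."""
    return PairingRecord(reader_id, secrets.token_bytes(32))


def reader_response(reader_key: bytes, challenge: bytes) -> bytes:
    """What a genuine paired reader answers: an HMAC over the nonce it was sent."""
    return hmac.new(reader_key, challenge, hashlib.sha256).digest()


def verify_reader(record: PairingRecord, reader_id: bytes, respond) -> bool:
    """True only if the connected reader claims the paired identity AND holds the key."""
    if not hmac.compare_digest(reader_id, record.reader_id):
        return False
    challenge = os.urandom(32)
    expected = hmac.new(record.shared_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(respond(challenge), expected)


FAIL_CLOSED = "fail_closed"  # behaviour the thread describes: device becomes unusable
DEGRADE = "degrade"          # ERD50's proposal: disable the reader, keep passcode login


def update_policy(record: PairingRecord, reader_id: bytes, respond, mode: str) -> dict:
    """Decide what the device does after the update-time check; returns the resulting state."""
    if verify_reader(record, reader_id, respond):
        return {"state": "normal", "touch_id": True, "warned": False}
    if mode == FAIL_CLOSED:
        return {"state": "locked", "touch_id": False, "warned": False}
    # Degraded mode: the unverified part stays physically on the bus (the risk raised
    # above), so this model only removes it as an authentication factor.
    return {"state": "normal", "touch_id": False, "warned": True}
```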
 
...

It may be possible in future releases to add a Software Restore option that can unbrick a phone with these specific failures, some sort of 'Yes, this is really my phone, and I still trust the integrity of all components in it' check that would verify ownership of the device and update the internal encryption key pairs. This has to be done carefully as it also opens a new front for potential security exploits. ...

OK, even if you were required to bring the phone into an Apple retail outlet, or send it to Apple, and provide proof of ownership to unlock it - that would at least be better than 'bricking' it unannounced (apparently permanently?) on the customer. And if it is really necessary/desired to have this level of security, I still say it is a bad design to not warn the customer that an unauthorized device has been detected by the SW updater, and proceeding will lock you out of your phone permanently. Explain that the risks are a potential, theoretical, security weakness that goes unchecked in earlier SW versions, but will be locked out in this upgrade.

I say 'theoretical' - have any 'smart', snooping, button replacements actually been found in the wild? Seems like a pretty sophisticated thing to pull off, and since it actually takes physical access to a phone and a customer asking to have a part replaced - wow, that's a pretty small target to put that much work into. It's hard for me to think that bad guys would work that hard for this. It's not like malware you can get by allowing a download that can access millions of phones remotely.
The buffer overrun results in the injection of code allowing access to secured information in the device. (This particular attack should not work on the iPhone, but is described to give you some idea of the sort of things the security architecture has to deal with.)

But keeping this in perspective - clearly Apple SW performed no validation on these replacement Home buttons prior to this release (or at least took no action on it). They go from nothing to bricking the phone, all in one step, and all w/o warning the customer of such a heavy-handed action. I still say that is a bad design decision.

I probably need to reiterate - this isn't about beating up on Apple. They make some amazing products, have pushed the envelope and have made competitors play catch-up in many areas, and obviously have many loyal, and thrilled customers. And they seem to take security very seriously. I'm just talking about this decision in isolation - I think it was a mistake, a big one. Others were trying to rationalize it in this thread by the other things Apple has done - I'm saying that is irrelevant to this point, I'm just talking about this one decision. That's not meant to bad-mouth them overall, and I'm not comparing them to anyone else.

-ERD50
 
So the Seattle lawyers in the first article will represent class action defendants "for free". Uh-huh.

My guess is that they'll take it on contingency and negotiate a settlement that pays them a few million $$ in fees and gives each plaintiff a $25 credit toward a new iPhone.
 