The iPhone 7 Has Arbitrary Software Locks That Prevent Repair (vice.com) 127

Posted by msmash from the things-going-south dept.
Jason Koebler, reporting for Motherboard: Apple has taken new and extreme measures to make the iPhone unrepairable. The company is now using software locks to prevent independent repair of specific parts of the phone. Specifically, the home buttons of the iPhone 7 and iPhone 7 Plus are not user replaceable, raising questions about both the future repairability of Apple products and the future of the thriving independent repair industry. The iPhone 7 home button will only work with the original home button that it was shipped with; if it breaks and needs to be replaced, a new one will only work if it is "recalibrated" in an Apple Store.

  But people will keep buying them...

    Anonymous Coward

    ...so this'll continue unabated. Just like how gamers bitch and moan about unfinished games being released, and then still go out and buy the latest call of duty on release day.

    Re:

      Anonymous Coward

      But people will keep buying them...

      Dude, how else am I to present an image to the world that I am so wealthy that I can overpay Apple to make a repair that any Chinese 8 year old on a street corner could do?

    • Did it occur to you that maybe if a repair shop can intercede with the authentication mechanism, so can govt. spooks (think Chinese Govt vs. Political Activists) as well as hackers after your apple pay info, or other sensitive data stored in your keychain? The independent repair industry for a $1000 product that has a practical life beyond the warranty period of just a year or two, for just a few specific parts is far, far, FAR less important than data security and protection from absolutely everyone. So w

      • Did it occur to you that maybe if a repair shop can intercede with the authentication mechanism, so can govt. spooks (think Chinese Govt vs. Political Activists) as well as hackers after your apple pay info, or other sensitive data stored in your keychain? The independent repair industry for a $1000 product that has a practical life beyond the warranty period of just a year or two, for just a few specific parts is far, far, FAR less important than data security and protection from absolutely everyone. So while most people will not think twice about it and say "Fuck Apple.". No. Fuck you. Go buy an Android any ass-hat can repair then. I prefer my iPhone to be as secure as they can practically make it, while keeping it relatively functional.

        It's not secure from the Feds. They broke into that iPhone in Texas by compromising it and bypassing the encryption altogether. They also haven't released the details of how they did it. So you're using security by obscurity instead of Android where everything is transparent. Might as well install Windows on your phone instead.

  All the more reason

    Anonymous Coward

    to never buy apple products.

    Nuff said.

  It's for your own safety, trust us you dumb fucks.

    by Anonymous Coward on Friday April 07, 2017 @02:05PM (#54192921)

    Former phone repair tech here, it's been this way since TouchID became a thing, with the iPhone5S I think?

    I hate to claim "it's not a bug, it's a feature" but this is done to make sure you cannot replace the home button with one that will send a "correct" signal for an incorrect fingerprint.

    Home buttons have been tied to the motherboard they shipped with as long as the iPhone has had fingerprint readers, this is not new.

    Re:

      by aitala ( 111068 )

      Wow, this is really old news folks. And as the OP says, it's for your own safety. /. has gone downhill if this is getting through...

      EMA

    • If I have the hardware in my hand, the game is already over. Don't make excuses for them,
    • Read the article, this is different. "The home button has two functions: Touch ID, which unlocks the phone, and the actual "return to home" function you get when you push it. In the iPhone 5S, 6, and 6S, a new home button would break the phone's TouchID functionality, but the button's return-to-home functionality still worked. The phone could still be locked and unlocked as normal by entering a pin number, suggesting that the two functions are separate pieces of software that are not tied together. In the

      • On iPhone 7, the home button isn't a real button anymore - it's just more touch sensitive space.

        The old models probably still had software that triggered on the manual button click which is completely separate from the fingerprint reading / encoding software, and that software probably still exists for older models in the most modern versions of the OS. However, that button doesn't exist any more, so only the fingerprint software with the lockout ever gets used on iPhone 7. It's entirely possible that App

    Re:

      by Kjella ( 173770 )

      Former phone repair tech here, it's been this way since TouchID became a thing, with the iPhone5S I think?

      The difference is that in past iPhones you could replace it with a third party button, you lost TouchID and had to log in with a PIN but otherwise it worked. Now it's Apple's button or no button at all. Maybe they just decided it's safer for some reason or it's just a side effect of a design change or maybe they had second hand sales that were unhappy they got a "fake" home button. Whatever the reason my guess is Apple won't budge and you'll probably not win a lawsuit so... that happened.

  Not a terrible thing

    by mrbluejello ( 189775 ) on Friday April 07, 2017 @02:05PM (#54192925)

    This does not seem unreasonable. I say this because the home button is also a fingerprint reader, which is a security device. If a shop installs some kind of 3rd party button there, the security of the device could be compromised.

    Apple's garden is walled. It keeps the users in, but also keeps the bad things out.

    Re:Not a terrible thing

      by dgatwood ( 11270 ) on Friday April 07, 2017 @02:30PM (#54193189) Homepage Journal

      This does not seem unreasonable. I say this because the home button is also a fingerprint reader, which is a security device. If a shop installs some kind of 3rd party button there, the security of the device could be compromised.

      Actually, it does seem unreasonable. The proper behavior would be to detect the unknown reader and purge all fingerprints from the secure enclave, forcing the user to set up fingerprint recognition again after unlocking with the passcode. That would mean that the user would be alerted to the fact that the hardware was altered (thus preventing surreptitious swapping as a targeted attack) while still allowing the device to be repaired by swapping hardware at the user's request.

      The current situation is exactly the sort of behavior that got car manufacturers a very nice set of laws that mandate repair part availability, etc. Keep going down this path, and Apple will earn the consumer electronics industry a similar set of regulations, and none too soon.

      Re:Not a terrible thing

        by EndlessNameless ( 673105 ) on Friday April 07, 2017 @02:53PM (#54193413)

        The issue is that the fingerprint sensor is trusted to neither store fingerprint data nor replay finger presses.

        If you accept data from untrusted sensors, an attacker could replace the sensor with a device that will store valid finger scans and retransmit them when triggered by the attacker.

        So you need both trusted firmware and a secure pairing process to ensure the device is not compromised in this manner.

        While I suspect this move is mostly motivated by a desire to obstruct third-party repairs, there is also a legitimate security concern with this particular component.
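
The replay concern raised in the comment above, as an added illustration that is not part of the original thread and does not describe Apple's actual protocol: a generic pairing model in which the host only accepts scans authenticated under a key shared with the paired sensor and bound to a fresh nonce. The class names, the shared-key HMAC scheme, exact-match templates and the sample byte strings are all assumptions made for the example.

```python
import hashlib
import hmac
import os

def _tag(key, nonce, template):
    # Binds the scan to this host's fresh challenge and to the pairing key.
    return hmac.new(key, nonce + template, hashlib.sha256).digest()

class PairedSensor:
    """Sensor holding a key provisioned when it was paired (hypothetical)."""
    def __init__(self, key):
        self._key = key
    def scan(self, nonce, finger):
        return finger, _tag(self._key, nonce, finger)

class ReplayingSensor:
    """Substituted part that resends one previously captured response."""
    def __init__(self, recorded):
        self._recorded = recorded
    def scan(self, nonce, finger):
        return self._recorded

class Host:
    def __init__(self, key, enrolled):
        self._key = key
        self._enrolled = enrolled
        self.biometric_enabled = True

    def unlock(self, sensor, finger):
        if not self.biometric_enabled:
            return "passcode_required"
        nonce = os.urandom(16)  # never reused, so old responses go stale
        template, tag = sensor.scan(nonce, finger)
        if not hmac.compare_digest(tag, _tag(self._key, nonce, template)):
            # Unauthenticated sensor data: stop trusting biometrics entirely.
            self.biometric_enabled = False
            return "passcode_required"
        ok = hmac.compare_digest(template, self._enrolled)
        return "unlocked" if ok else "no_match"

def demo():
    key = os.urandom(32)
    owner = b"constructed-owner-template"  # constructed sample data
    genuine = PairedSensor(key)
    host = Host(key, owner)
    results = {
        "genuine_owner": host.unlock(genuine, owner),
        "genuine_stranger": host.unlock(genuine, b"constructed-other-finger"),
    }
    recorded = genuine.scan(os.urandom(16), owner)  # captured earlier
    results["replay"] = host.unlock(ReplayingSensor(recorded), b"")
    results["after_replay"] = host.unlock(genuine, owner)
    fresh_host = Host(key, owner)
    unpaired = PairedSensor(os.urandom(32))  # part with a different key
    results["unpaired_part"] = fresh_host.unlock(unpaired, owner)
    return results

if __name__ == "__main__":
    print(demo())
```

In this model a failed check only disables the biometric path; whether the non-biometric button function should also stop working is the policy question the thread is arguing about.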

        Re:

          by msauve ( 701917 )
          Then the proper behavior is to simply ignore the new fingerprint reader, and force the user to always use a passcode.

          • And this is exactly what happens. If you install a new home button, the fingerprint part stops working and it only works as a home button.

            Don't you feel all smart now?

            Re:

              by msauve ( 701917 )
              No, it isn't. It disables more than just the fingerprint based Touch ID. From the article: "In the iPhone 7, both Touch ID and return-to-home functionality are locked by software if you replace the button." That is, it doesn't even function as a home button.

              Don't you feel ignorant now?

              • The iPhone 7 doesn't have the mechanical button any more. It's just the fingerprint reader. So if the fingerprint reader is locked out, so is the not-a-button that serves as a home button.

                I'll refrain from putting some snarky idiot question on the end of this post, as I hope the irony has already caught up.

        Re:

          by dgatwood ( 11270 )

          If you accept data from untrusted sensors, an attacker could replace the sensor with a device that will store valid finger scans and retransmit them when triggered by the attacker.

          Who said anything about accepting data from untrusted sensors? Trust should not mean trusted by Apple, because it isn't Apple's device once it arrives in a user's hands. It is the user's device, so the user should decide whether a sensor is trusted. That means if the user intentionally replaced a broken sensor (or broken screen

    Re:

      by Phoenix ( 2762 )

      The problem with this way of thinking is that once the device is one generation out, Apple will not fix the device. They'll only sell you a replacement.

      Case in point. Shattered my iPad Air screen a while back. Took it to Apple and they said that they don't repair screens for anything but what they're selling on the floor. MEANING...that if I had an iPad Air 2...they would have replaced the screen.

      They did offer to sell me a replacement iPad Air for twice as much as the local Zagg kiosk would charge to repla

      • The problem with this way of thinking is that once the device is one generation out, Apple will not fix the device. They'll only sell you a replacement.

        That is the nature of Apple products. If you don't understand this when you purchase them, you are a poorly informed consumer. It is that way with their whole ecosystem, one irreplaceable button isn't going to change that.

        • Yes, because every consumer should be aware of all the ways, large and small, that Apple is willing to screw them over. It's never Apple's fault for being a bunch of greedy asshats, it's everyone else's fault for holding it wrong, squeezing too hard, owning too long, not going through Apple for every possible repair and just generally not letting Apple make all the decisions for your own good.

          The groveling passivity of Apple apologists is disgusting.

  Secure by design

    by krisbrowne42 ( 549049 ) on Friday April 07, 2017 @02:08PM (#54192947)
    You mean the fingerprint scanner that interacts directly with the secure enclave chip outside the OS? The one that could be misused by various actors if replaced with act-alike hardware? I'm not sensing the problem here - Feature not a Bug.

    Re:

      Anonymous Coward

      Also, this has been known since right around the time someone first got outraged by this back in the iPhone 5S era (4 years ago, as of the time of this post). How is this "news for nerds", or for anyone else for that matter?

    Re:

      Anonymous Coward

      If I had points you would get them.

      It's shitty since it makes it harder to repair, but the alternative is that almost anyone with basic electronics skills would be able to bypass the scanner and unlock your phone, and more importantly access the data on it. The feds would kill for something like this.

    Re:Secure by design

      by nbvb ( 32836 ) on Friday April 07, 2017 @02:17PM (#54193043) Journal

      You are 100% correct. Don't feed the trolls - this is clickbait headlines and a BS story. If you believe in security, this is a good thing.

      Re:

        by kwack ( 98701 )

        Indeed – what I see here is massive anti-Apple groupthink/fashion in the /.-community, which this story tries to cater to, because clicks.

    • Fingerprints are not the primary security on the device. "Recalibration" (pairing) should require no more than entering the PIN and/or logging into the associated iCloud account.

  • Not unless you have the tools and ability to calibrate the system, or it might not be set up right, or something else might still be wrong.

  Need federal right-to-repair laws...

    by TWX ( 665546 ) on Friday April 07, 2017 @02:11PM (#54192971)

    ...and laws that establish fair-use guidelines for software that's required for hardware to function. Unfortunately this is something that would have to be grassroots and widespread, no one party would ever make any headway on this unless there were an outcry from constituents, and even then it would be hard to overcome corporate counter-push.

    We've seen this kind of problem with conventional cars and light trucks, with heavy trucks, with farm implements, with major consumer appliances, and the proliferation of this mindset is only getting worse as more and more functions can be software-tied.

    The laws need to say that software bundled into the device is considered part of the device, and may not be used to encumber the right to service or repair the device, and that for such software that is also intended to communicate with other software, the vendor must continue to support and maintain that code for bugfixes and security vulnerabilities for the realistic lifespan of the device and must provide a reasonable means for the owner to install such an update.

    Yes, this would increase the cost of the device originally, as the concepts for update must be turned into an actual process, but on the other hand if that means that the device can function for longer then its net effect on the consumer should be small as they can continue to service and repair devices for longer than if vendor-created blocks stop them from doing so.

    • Ahhh. You mean something like federal laws regarding the repair of your personal vehicle. Like, for example, the federal law that says you cannot replace a wheel on your vehicle with another one unless it has TPMS (tire pressure monitoring system) sensors in them compatible with the vehicle, and the sensors have been configured and interfaced with the vehicle's computer, which for many vehicles requires proprietary diagnostic hardware costing thousands of dollars. So in other words I can't undo 5 lug nuts

      Re:

        by bws111 ( 1216812 )

        The law does not say you can't replace a wheel without TPMS. It says you can't disable a safety system. In the case of TPMS, the 'safety' aspect is in the form of a warning to the driver that there is a problem - either tire pressure is low or there is a malfunction in the system. You can replace a wheel without TPMS, but you can not disable the malfunction indication because it is, in fact, malfunctioning.

    • Even more basic than that, what we need is to realize that the Fifth Amendment affirms the right to property and that any law that prohibits the owner from modifying his property -- such as the DMCA's anti-circumvention clause -- is therefore unconstitutional.

    Re:

      by bws111 ( 1216812 )

      You do realize that many of those 'restrictions' are in there precisely BECAUSE of laws, don't you? Things like 'you must detect modifications to emissions systems' and 'you must detect modifications to safety systems'. And if you think those types of laws are going away, especially with things like self-driving cars, you're nuts.

  • Wasn't this already covered almost a year ago? https://hardware.slashdot.org/story/16/06/11/1458246/apple-is-fighting-a-secret-war-to-keep-you-from-repairing-your-phone [slashdot.org].

    I can at least understand the argument for preventing unofficial home button (or parts of it) repairs as it contains the finger print reader and it could be a lot easier to attack the security of the device if you could replace the reader.

    Or perhaps it's just a conspiracy to get people to upgrade to the next iPhone about which we seem t

  Security, yes?

    by American AC in Paris ( 230456 ) on Friday April 07, 2017 @02:13PM (#54193001) Homepage
    As I understand it, this is a security measure, not an "arbitrary" lock. The home button is part of the Secure Enclave. If you let third parties make modifications to the Secure Enclave, it ceases to be secure.

  Not an ARBITRARY lock at all

    by jarrowwx ( 775068 ) on Friday April 07, 2017 @02:20PM (#54193071) Homepage
    Imagine a world where in order to unlock your phone all I have to do is open it up and swap out your home button with one that will let any finger unlock the phone. The original poster is trying to paint Apple as some kind of bad guy trying to take away the viability of the repair market. The truth is, they are trying to keep their phones secure by preventing an obvious attack vector. Thank you, Apple.

    Re:

      by Ecuador ( 740021 )

      I would personally prefer the attacker to be able to replace the home button than e.g. to sever my finger, but then again I would not use a fingerprint as any sort of "security" ;)
      But, in seriousness, if, despite how easy it is to get someone's fingerprints, you decide to have it as an option for login, yes, it makes perfect sense to have the reader/home button locked to the device and tamper-proof. I can find many many things to call Apple out on, this is not one of them.

      • but then again I would not use a fingerprint as any sort of "security" ;)

        At best, biometrics are a means of identification, but that is not the same thing as authentication. In other words, a reasonable use of the fingerprint would be as a replacement for the username, not the password.

    Re:

      by Quimo ( 72752 )

      The original poster has no problem with disabling the Touch ID function when replacing a button and specifically states that it makes sense from a security perspective. The problem lies in disabling the return to home functionality. As long as I am ok with not having Touch ID available why shouldn't I be able to replace the home button?

  • That's the real question. We no longer own what we purchase, even if the law says we do.

    TOS > law

  • The iPhone 7 doesn't even have a physical home button! It's a touch-sensitive spot on the bottom of the fucking glass!

    How would you go about "replacing" it anyway? Fake news.

  • They've had this issue for a while with home buttons. It's not arbitrary and it's not new. This is a very specific safety feature. Now, it's a bigger issue with the 7, now that that home button is built into the screen.. I'd call this FAKE NEWS with the "Arbitrary" label though.
  • Hey, author of the article here ... this is distinct from the 5S / 6 / 6S software lock and is not "old," it's a different thing that is explained in the article! Imagine that.
  • I understand that the scanner\home button is tied to the motherboard, but a point of failure that could potentially keep you locked out of your phone, which may also be your business, we need to be allowed options for what is and isn't security on our devices. I like Stack Overflow's innovation:

    https://youtu.be/VgC4b9K-gYU

