More evidence that a cheap phone is the best option.
So consumer protection measures generate more sales for the company. Funny how that works…
No “error” should be programmed to brick a device unless the user has chosen that setting with full knowledge of the consequences.
self-confessed Apple addict
I guess it’s time…
for an Intervention
“He had to pay £270 for a replacement and is furious.”
But not so furious that he switched to an Android phone.
Apple is one of the only large manufacturers that takes privacy seriously. I’m happy to learn that they have anti-tampering mechanisms to protect my biometric data.
I think it’s a bit of a leap to imply that Apple is punishing people for having phones repaired independently. It sounds more like some kind of error in detecting tampering with the biometric sensor or a shoddy repair job.
Still sucks, though.
Even if that means destroying your phone?
Not anymore, at least if you have an iPhone6.
It’s the silence that bugs me most. If Apple really thinks this is better for their customers they should say so. And do they really think copping to it is going to cost them any customers?
It is pretty plausible that the biometric widgetry is considered a ‘trusted’ part of the system, and it would not be possible to maintain whatever level of security that authentication mechanism has if you allow untrusted hardware swaps.
However, if that’s the problem, there is no reason why the compromise of the biometrics-gimmick subsystem should brick the phone (especially since only some iDevices even have this subsystem in the first place). If the device’s storage encryption keys are tied up in the subsystem, locally stored data might be irrecoverable; but there is no reason why the phone shouldn’t be able to simply be restored to defaults and operated as though it were a model without the fingerprint reader (except Apple’s obvious motivations to the contrary, of course).
In the same vein, if the sensor and/or cabling are considered a ‘trusted’ element, a malicious version of which could potentially compromise the phone’s authentication mechanisms and secured storage locations: any bets on how difficult it would be to locate the least-resistant Apple-Authorized repair location and have them install a malicious component for you, then re-bless using whatever authorized-personnel-only crypto sauce Apple provides? No good for wide-scale fishing expeditions; but might be worth a look for targeted attacks.
Yes. I would rather my phone be destroyed than have an attacker gain access to my biometric data or implant malicious firmware. That’s the whole point of secure, tamper-resistant devices.
The question, though, is why protecting the biometric data requires rendering the entire handset nonfunctional; rather than simply zeroizing any storage associated with the biometric feature and carrying on as though it were an iPhone sold without that sensor.
To be fair, removing any access to your own data is pretty damn private.
Shh, they’re trying to appeal to the infosec demographic here!
(Y’know, the ones that aren’t quite smart enough to think of that.)
@SheiffFatman already mentioned the core issue - protecting privacy would mean to erase the personal data and shut down the cloud connection. A €600 brick is not the expected result of a privacy-protection procedure.
I’m perfectly happy with my Android phone. No Apple walled garden and shenanigans.
Apple obviously takes the security of biometric data very seriously. I suspect that after performing a risk analysis, Apple engineers decided to err on the side of a fail-safe mechanism. You can imagine the outcry if a hacker were able to extract biometric data from an iPhone because Apple decided to employ graceful degradation rather than full-blown bricking.
And the happy coincidence that it generates more sales for Apple is just the icing on the cake and likely never came into consideration? You seem to be giving them an incredible benefit of the doubt.
I’d buy your version of the decision-making process if they’d communicated clearly to customers in advance that this would happen.
Late stage capitalism.
Yes. Sometimes privacy is more important than hardware. Just like crumple zones, I’m happy if my nice car is utterly destroyed protecting me.
Apple uses a fingerprint reader where the fingerprints stay in the reader and are not accessible to the CPU. If they were to get to the CPU, someone would have my fingerprints and, for the rest of my life, security would be compromised – so it’s a good design decision.
Now, if someone wanted to break into my phone, they could tell the fingerprint reader to tell the CPU everything is dandy and let me in. So, the phone needs to authenticate the fingerprint reader or else it’s useless. And if someone is tampering with the phone, how should it react? A wipe of the crypto decryption key would be good. It would be nice not to brick the phone, but shutting everything down is probably more secure – it would probably prevent reading of the encrypted partition for off-line brute-forcing, and it would shut down unknown future exploits that may happen if the software is still cooperating with an attacker (e.g. running).
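The sensor-authentication argument in this thread, as an added sketch that is not part of any comment and is not Apple's actual design: the host challenges the sensor with a fresh nonce and checks an HMAC made with a shared pairing key, and on failure applies the policy several commenters propose (zeroize the biometric secret and fall back to the passcode) instead of disabling the whole handset. The class names, key sizes and message layout are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _tag(key, nonce, verdict):
    return hmac.new(key, nonce + verdict, hashlib.sha256).digest()

class PairedSensor:
    """Sensor holding the pairing key; reports only match / no match."""
    def __init__(self, pairing_key):
        self._key = pairing_key
    def respond(self, nonce, finger_matches):
        verdict = b"\x01" if finger_matches else b"\x00"
        return verdict, _tag(self._key, nonce, verdict)

class UnpairedSensor:
    """Constructed stand-in for a swapped part: claims a match, has no key."""
    def respond(self, nonce, finger_matches):
        return b"\x01", secrets.token_bytes(32)

class ReplayingSensor:
    """Constructed stand-in that repeats one previously captured answer."""
    def __init__(self, captured):
        self._captured = captured
    def respond(self, nonce, finger_matches):
        return self._captured

class Host:
    def __init__(self, pairing_key):
        self._pairing_key = pairing_key
        self.biometric_key = secrets.token_bytes(32)  # secret tied to the sensor
        self.touch_enabled = True
    def try_unlock(self, sensor, finger_matches):
        if not self.touch_enabled:
            return "passcode_required"
        nonce = secrets.token_bytes(16)  # fresh per attempt, so old answers fail
        verdict, tag = sensor.respond(nonce, finger_matches)
        if not hmac.compare_digest(tag, _tag(self._pairing_key, nonce, verdict)):
            # Untrusted sensor: zeroize biometric secrets, keep the phone usable.
            self.biometric_key = None
            self.touch_enabled = False
            return "sensor_untrusted"
        return "unlocked" if verdict == b"\x01" else "no_match"

def demo():
    key = secrets.token_bytes(32)
    good = PairedSensor(key)
    captured = good.respond(secrets.token_bytes(16), True)  # old valid answer
    return [Host(key).try_unlock(good, True), Host(key).try_unlock(good, False),
            Host(key).try_unlock(UnpairedSensor(), False),
            Host(key).try_unlock(ReplayingSensor(captured), False)]
```

Once a host has seen an untrusted sensor it stays in passcode-only mode even if a correctly paired sensor is reconnected, which is the "carry on as a model without the reader" behaviour discussed above.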