Error 53: Apple remotely bricks phones to punish customers for getting independent repairs

Next time, put it in the freezer before pulling the tag off.

3 Likes

Don’t forget cars v bikes. And typography.

2 Likes

One more great reason for that legendary ‘10-foot pole’; that’s the one that I wouldn’t touch Apple with!!

2 Likes

Are you disappointed in Cory and Boing Boing?

5 Likes

A piece of glass will never be secured with fingerprint protection; they’re all over it. This is just protecting their wallets, it’s never about you, and prints are the easiest things to get from a person.

4 Likes

You are conflating the Secure Enclave and Secure Element. The Secure Enclave is what’s at risk here. The Secure Enclave stores the decryption key when the iOS is powered on. A malicious TouchID sensor has direct access to the Secure Enclave.

2 Likes

A perfect, smudge-free copy, just like from a high-tech sensor, right?

I do not see how my fingerprint on this glass, which was available before the iPhone existed, is totally the same, at all.

It doesn’t have to be perfect.
It has to be merely good enough.

3 Likes

It has to be good enough, and then reproduced, and then that facsimile presented to a fingerprint sensor.

Extra steps do not an equivalent make.

Also, NO AND THEN

1 Like

No, all of this is incorrect. The baseband doesn’t have access to the Application Processor. It’s a different subsystem entirely. It’s effectively just a modem and since when have you been able to compromise an OS by compromising a modem?!

1 Like

If you have an image from a sensor, and want to feed it to another sensor, you still have to make a physical representation. So no step saved.

If you want to bypass the sensor and feed the system directly, you don’t need the physical representation in either case, just the image, whether directly from another sensor or a digitally cleaned image acquired elsewhere.

And the gif is blinking too fast and is headache-inducing and adds nothing to the discussion.

In some phone architectures the baseband processor apparently shares memory with the application processor and has full access. Think of it as having full access to /dev/mem. Some iPhone jailbreaks used this trick, via some overflow in AT commands if I remember correctly.

3 Likes

Why? If you’ve bypassed the sensor (which is what Apple assumes you are doing) then you don’t need ANY finger, fingerprint, OR facsimile.

OR a false sensor feed to the system - which does not grant you access if the system requires the sensor to be the one manufactured to handshake with the system.

Wow. You could save us both a lot of time and scroll down now.

You completely fail to understand the point of TouchID, which is to enable longer passcodes and to prevent lookiloos from seeing you enter the passcode.

Since the TouchID credentials are deleted after 5 incorrect guesses, on reboot, or after 48 hours of non-use, it’s a very good security measure. A random person that doesn’t know which finger you used will not be able to use latent prints to get access.

Hell, those people that you talked about faking a fingerprint right after the iPhone 5s was released … they even knew exactly which finger was used and had a perfect print. Even then, it took three tries to get it to work!

2 Likes

@shaddack is correct, it can be used to compromise the secondary OS.

Even by itself, since the baseband OS controls the communication in and out of the device, and can be hacked undetectably, it is one of the preferred targets for spying on a person’s phone calls, texts, location, etc.

If you do some security research, there is a reason that there are existing exploits for this part of phones and why they are actively used both maliciously and by government organizations. It is a fascinating area of research and well worth reading up on before making assumptions.

If I might chime in. The sensor is just a sensor; all it does is relay the 80 data points to the OS. It isn’t what does the authentication, so bypassing the sensor would never and could never give you the correct data for a qualified match. If you had that data you wouldn’t need to replace the sensor. You could 3D print a fingerprint for a hotdog and use the existing sensor, as a German hacking team did from a photo of someone’s hand.

Getting fingerprints is easy. You can get them from photos and multiple government databases, not to mention that we leave hundreds of thousands of copies of them lying around every single day everywhere we go.

2 Likes

It is true that using a non-standard finger is more secure, assuming that your home button is sufficiently smudged as to not be able to tell which finger you regularly use to unlock. 99% of people use predictable finger placements though, because of the way we naturally hold our phones. Go ask the next 10 iPhone users you see to unlock their phones. How many used a unique finger location? I’m guessing none.

It is a horrible security measure, but was designed for convenience, NOT security. Security theater. And the police can use your hands to unlock your phone without a warrant to do so legally in many states now, whereas they cannot obligate you to give up your passcode because of the 5th amendment.

3 Likes

It collects them also? Right?

I agree. It is easy to get them.

How are you going to feed that 3D printed hotdog to the phone, remotely?

I’m not really worried about what happens once someone has my phone. I’m worried about software hacks around my security.

So this hardware solution seems awesome, and a selling point for this phone. Not a bug.

So bypassing the sensor would never and could never give you the correct data for a qualified match.

If the correct data is all that is required, and not the correct data collected from the correct input device, where is the extra security in that?

The iPhone does not have this architecture flaw.

However, what it did have in the Apple A4 and earlier was a fundamental flaw in the SoC that allowed any arbitrary code to be executed at the firmware level. This was a hard coded, unfixable flaw and part of the reason the iPhone 4 didn’t support iOS 8 (all of Apple’s security marketing claims were invalid on the A4).

This flaw was very easy to abuse and Jailbreakers loved it.

But the code used in the baseband of the A5 and later doesn’t matter at all, no matter how secure or insecure it is. What really matters is how the actual iOS and applications handle parsing corrupted, malformed network data. In this case, it’d be the same risk as delivering a maliciously crafted image (although delivering a malicious image is far easier than delivering malicious network data).

And the old bug from 2011 that @RogerStrong was likely discussing was true for all ODM parsers. However, only the US iPhones running on Sprint ever supported ODM. (Versus Android devices that support ODM worldwide).

2 Likes

How, how can you jump from the baseband to the real OS? What’s your theory for this on a device that doesn’t share memory between the baseband OS and the actual OS?

Furthermore, you are seriously suggesting you can compromise an Ethernet Hub to look at data that was encrypted by a device on one side of the hub with the destination on the other side?!

That’s why encryption exists and why there’s an effort to get TLS 1.2 implemented everywhere, you can never trust the network you are on not to spy. This is especially true at a Starbucks.

Collects as in reads, not collects as in stores copies.
The sensor reads 80 data points and cryptographically hashes them and passes that hash to the OS, which is what does the authentication and unlocking. Replacing the sensor does not create an egress point to give someone access to the phone, as it would have to produce a matching cryptographic hash.

Also, from a security perspective these hashes are pretty darn weak, because for convenience there needs to be a lot of margin of error. Users would be pissed if the button stopped working because they had dry skin, or the alignment of the placement was off by a few millimeters. It is an intentionally weak system and was designed for convenience, not security.

Nothing happens. They can do that easily once they have your phone. It happens to phones all the time. Apple doesn’t brick phones that this happens to. It only bricks phones that you’ve had repaired at a non-authorized Apple repair shop. If you lock and remote wipe your phone because it was stolen, it doesn’t brick. This isn’t about security, it is about part DRM; think inkjet cartridges that manufacturers put chips in so they get a cut of every ink purchase. It in no way stops someone from stealing your printer or printing with it, because that wasn’t the reason the ink cartridges were chipped and using their cartridges enforced.

2 Likes

What good is the police getting your fingerprint with TouchID? TouchID doesn’t use the same source data as the fingerprint taken by LEOs. Furthermore, as I mentioned, even knowing which finger took three tries under perfect conditions. Do you really think an officer is going to keep trying a finger after it fails even once?!

Furthermore, TouchID is also automatically disabled after 48 hours or if the device loses power. Since US LEOs need a special warrant to even look at the phone, there’s a good chance the battery will die or 48 hours will expire before they get a chance to do anything.

Finally, if you were worried about LEOs, just reboot the iPhone if one is near. This immediately destroys all decryption keys and disables TouchID.

Latent prints like those from photographs cannot be used with TouchID unless you trained TouchID by putting those photos against the sensor. (TouchID doesn’t actually care which body part you use, as long as a pattern exists, some people train their nose)

1 Like