Error 53: Apple remotely bricks phones to punish customers for getting independent repairs

So, I’ve worked with FIPS-certified Thales Hardware Security Modules, and this is pretty much the expected result. The disconnect is a normal person would never expect this kind of reaction to detected tampering.

@jason_Sewell, me too. I can back up my data, change my passwords, etc. But I can’t change my fingerprint. (Hand replacement surgery is not an option :D)

10 Likes

What is all this “extract biometric data” nonsense? If I want to “extract biometric data” from your iPhone all I have to do is dust it for fingerprints.

If the fingerprint scanner repair isn’t trusted then Apple could just, you know, not trust the fingerprint scanner any more, not brick the entire phone. iPhones have PIN screens.

35 Likes

This is exactly why biometric data is a bad idea.

17 Likes

I assume you wear gloves all the time, so that a ‘bad guy’ can’t ever lift a fingerprint from anything you touch.

22 Likes

I honestly wouldn’t be at all surprised if the engineers that came up with this mechanism for securing biometric data didn’t take into consideration that third parties would be doing repairs that could trigger this. If they did it deliberately with the expectation users would see this, I’d expect a better error than ‘Error 53.’ Having worked at Apple, repair is at most an afterthought, and these kinds of surprises usually are a huge shock to the people responsible for implementing the changes (who are much more siloed than you seem to imagine). This side-effect has a negative net benefit to Apple - the revenue stream from repairs of home buttons is barely a rounding error, while the negative press has a far, far higher cost so far as Corp. is concerned.

7 Likes

sorry, I’m not able to parse this sentence - but maybe only my English module is b0rken?

if “this” means bricking I agree for the product category you mentioned, all serious security-related devices should die screaming when tampering is detected. but a smartphone is a consumer product and is focused more on convenience.

5 Likes

Remember back when Apple portrayed itself as the plucky upstart, bravely going up against the arrogance and corruption of IBM? Those were fun times.

22 Likes

A normal person doesn’t expect the vendor to brick their phone, even when it is the right thing to do.

13 Likes

I remember raging when I first heard fingerprint scanners were coming to phones. This has not made me feel better about them. If I ever get a phone with a fingerprint scanner I will most definitely not be using it, but this has confirmed for me the fact that no phone I buy for the foreseeable future will be an Apple device either :wink:

13 Likes

now now – this is a Cory story. it’s how he rolls.

7 Likes

Hard to believe there is so much precious data out there anyway.
Most people are just not that fascinating, no matter how hard they try and impress you.
I used to service cellphones back when you could easily turn the Mic off and tune in other people’s conversations. Never did hear anything very interesting.
There is a lot to be said for using a good, old-fashioned key for your door - at least a locksmith can still get you back in (and you don’t need to burn down your house and buy a new one!)

2 Likes

Are you implying that building one of history’s largest and shiniest cryptographic walled gardens isn’t a brave act of defiance against the Information Purification Directives? We should probably make you unuser for that.

7 Likes

Just like John Deere, apparently you don’t actually own your computing device, even if you paid for it fully and out of contract. I’ve been using Apple products since the 1980s, and there have been times I’ve thought of abandoning them, but no more so than in recent years. Haven’t yet… but it’s getting harder and harder to drink the Kool-Aid.

13 Likes

I really need to ask, and it is not clear from the text: Are these phones that the users own outright as I own my phone, having paid retail price for it? Or are these tied to a contract (with or without repair insurance) from a carrier or carriers?

3 Likes

Isn’t this the required behavior for Apple Pay? I don’t think this is about biometric data, but cardholder data. I’m pretty sure tampering prevention is mandatory.

2 Likes

Eh, on a phone I see it as no more than a convenience feature.

1 Like

When my key fob for remote access or online banking token self-destructs I will get a new one for no or low costs.

I’m not convinced that it’s the right thing to do for an end customer device, especially when the new anti-tamper stuff was not communicated transparently (no idea if true, I only skimmed Cory’s write-up and the source article).

4 Likes

Except that here in reality, it doesn’t work that way. The fingerprint reader is a gimmick to con those who know nothing about security.

Within 24 hours of the release of the iPhone 5S, people were demonstrating how to use a smudged fingerprint from the phone screen to fool the sensor.

You can already use commercial software to read someone’s fingerprints as they walk past. You can expect such readers in public places just like now-common road-side licence plate readers. The Chaos Computer Club recently demonstrated it, reading the fingerprints of the German defence minister.

This follows an incident in 2008 when the German Minister of the Interior called for increased use of biometrics. The Chaos Computer Club responded by lifting his fingerprint off a glass and using a silicon printing process to produce a high-quality ridged output that could fool over 20 different types of biometric readers. And then they distributed thousands of copies with their magazine.

Good luck changing that “password.” (Think about that.)

You can refuse to tell your password to police, border patrol, or anyone else. With a fingerprint reader they simply force your hand onto the reader. But then of course they’ll likely have the authority to fingerprint you regardless.

28 Likes

This isn’t remotely bricking phones. Software running on the phone is detecting that a critical system tied to biometrics and cardholder data has been compromised and is shutting the phone down.

Imagining this is to “punish customers” is conspiratorial claptrap.

It is definitely a terrible outcome for people who’ve had their home button repaired by a non-Apple repair shop, but Cory’s framing is partly false, and partly paranoid delusion.

14 Likes

If it didn’t, the headline would be “Apple doesn’t take proper care of your cardholder data and iPhones leak Apple Pay keys to anyone who bothers to crack it open”.

6 Likes