I think we are seeing the predatory behavior of scammers here.
For example, you are claiming that just attaching a chip from an old Apple battery to a new one should read as genuine in the phone. That is a total scam.
The detection feature is tied to a chip, not to the cell chemistry itself. If chips from old iPhone batteries are all it takes to show a scam battery is genuine, given the high volume of old batteries, EVERY scam battery would show as genuine. This is a workaround already used and well known in other situations. To avoid this workaround you need to tie a specific chip in, not just any Apple chip.
Seriously - how do YOU propose Apple alert the user to a bogus third-party battery?
This. I bought a second-hand phone off some guy who does phone repairs in my area. Didn't realize the fingerprint reader did not work until a few days later, as I had never owned a phone that new that had one and did not know it was supposed to work. When I looked on the internet, it seemed that the reason was that the home button was swapped out, but without taking the chip that ties it to the phone with it from the old button. Asked the seller, and he admitted that the home button was swapped, poorly at that. I still cannot use the home button to unlock, even though the phone is not stolen and I own it. So I personally am not a big fan of Apple locking parts down. I personally had an iPhone 4s up until half a year ago. I still have it; I just happened to get an iPhone 6. But on my iPhone 4s I have put at least 4 screens, a new battery, a new set of speakers and a power button. I laugh at the amount of work I have done on it. It is my Theseus iPhone :)
To phrase this another way: a third party made some modification to the biometrics sensor that is used to control access to your private data, including all of your device’s encryption keys, stored passwords, and payment information.
The phone detected this tampering and disabled the compromised component.
And you are disappointed that the part has been “locked down”.
That is not how I would rephrase it. And what you claim is simply not true. Simply replacing the fingerprint scanner does not allow any access. The moment the phone is off, the phone will require a password entered manually. Unless you suggest an actor can replace a home button all while not powering down the phone, and I suppose that is possible, but that to me would seem a state-level actor and they probably have other ways. So no, there doesn’t seem to be a threat to my data if the fingerprint sensor is replaced. It would still require my password upon restart, and if I failed to provide it at that point, then sure, good move Apple. The fact is they know they can force people like me, or people whose home button is actually broken, into their store if they want that magic button. Don’t kid yourself that they are doing this in the name of my security. But thank you for actually commenting; I wish more people here on HN would justify their downvotes with some conversation on the subjects.
Edit: I realize that perhaps someone could swap the button without my knowledge, and upon restarting it I would enter my password and the phone is compromised. But in all honesty, who falls under that threat model? Apple could simply notify you of the change and allow you to accept the risk. That’s all it would take.
One possible attack would be to replace the sensor with one that records the fingerprint the next time you authenticate. And then in the future it could “replay” the fingerprint image to the SEP (secure coprocessor).
If it were really Apple’s intention to prevent you from servicing your device, would they only disable the Touch ID sensor? Why wouldn’t they make the whole device inoperable, rather than make you suffer a minor inconvenience by having to use a passcode?
The less exciting answer is that the sensor was designed to certain security parameters and modifying it invalidates those. Yes, the threat model includes nation-state actors. Disabling the sensor preserves system security; designing for a potentially adversarial sensor is difficult and increases risk.
What installing a malicious fingerprint scanner buys you is that you can unlock the phone. Which means all you have to do is require the user to unlock the phone (e.g. with a PIN) to activate the new fingerprint scanner. That protects the data that was already on the phone when the new fingerprint scanner is installed.
And as for future use of the phone, that's already hopeless, because if you have the capability to fabricate a rogue fingerprint scanner, install it in the phone and unlock the phone to activate it, you could just keep the original phone and replace it with a fully rogue phone that you've copied the original data to.
I am not sure I follow.
(Edit: there is more to the threat model than the scenario that the device is being broken into outside of your possession. Consider just a fake part that pretends to authenticate you but sends a fixed fingerprint image or embedding or whatever to your SEP. You wouldn’t know but someone else could get into your device.)
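As an added illustration, not from any commenter and not Apple's actual design, here is a hypothetical toy model in Python of the two points raised above: a replacement sensor only becomes usable after a PIN unlock pairs it to the secure enclave, and the enclave checks that each reading comes from the paired unit and is fresh, so a fixed or replayed fingerprint image from an unpaired part is rejected. All class and method names are invented.

```python
import hashlib
import hmac
import os

# Hypothetical toy model (invented names): a "SEP" trusts only the sensor it
# paired after a PIN unlock, and every reading is bound to a single-use nonce.

class Sensor:
    def __init__(self, serial, pair_key=None):
        self.serial = serial
        self.pair_key = pair_key    # set only when the SEP pairs this unit

    def capture(self, nonce, finger):
        # Sign (nonce || image) so the SEP can tell the reading came from the
        # paired unit, right now, rather than a stored image being replayed.
        if self.pair_key is None:
            return self.serial, finger, b""
        mac = hmac.new(self.pair_key, nonce + finger, hashlib.sha256).digest()
        return self.serial, finger, mac

class SEP:
    def __init__(self, pin, enrolled_print):
        self.pin, self.enrolled = pin, enrolled_print
        self.paired, self.nonce = None, None

    def pair_sensor(self, sensor, pin):
        # Activating a (new) sensor requires the user to unlock with the PIN.
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False
        sensor.pair_key = os.urandom(32)
        self.paired = (sensor.serial, sensor.pair_key)
        return True

    def challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce

    def unlock(self, serial, image, mac):
        if self.paired is None or self.nonce is None or serial != self.paired[0]:
            return False
        expected = hmac.new(self.paired[1], self.nonce + image, hashlib.sha256).digest()
        self.nonce = None           # each challenge is single-use
        return hmac.compare_digest(expected, mac) and image == self.enrolled

def demo():
    sep, orig = SEP("1234", b"owner-print"), Sensor("SN-orig")   # constructed values
    sep.pair_sensor(orig, "1234")
    reading = orig.capture(sep.challenge(), b"owner-print")
    good = sep.unlock(*reading)                  # paired sensor, fresh nonce
    sep.challenge()
    replayed = sep.unlock(*reading)              # same reading again: stale nonce
    rogue = Sensor("SN-orig")                    # cloned serial, no pairing key
    fixed = sep.unlock(*rogue.capture(sep.challenge(), b"owner-print"))
    new = Sensor("SN-repair")                    # legitimate replacement part
    unpaired = sep.unlock(*new.capture(sep.challenge(), b"owner-print"))
    wrongpin = sep.pair_sensor(new, "0000")
    sep.pair_sensor(new, "1234")
    repaired = sep.unlock(*new.capture(sep.challenge(), b"owner-print"))
    return dict(good=good, replayed=replayed, fixed=fixed,
                unpaired=unpaired, wrongpin=wrongpin, repaired=repaired)
```

Only `good` and `repaired` succeed; the replayed reading, the fixed image from the unpaired clone, and the not-yet-paired replacement are all refused, which is the behaviour the PIN-gated activation argued for above is meant to give.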
But each device has a unique encryption key that is implemented in hardware. The flash storage cannot simply be moved to a new device. Cloning the storage and the hardware key is assumed to be significantly harder (and more costly) than replacing the sensor with something similar-looking (see any number of Chinese knockoffs).
> Consider just a fake part that pretends to authenticate you but sends a fixed fingerprint image or embedding or whatever to your SEP. You wouldn’t know but someone else could get into your device.
Which was the second point. They can replace the whole phone and you're in the same situation. Having two components authenticate each other just requires them to replace both.
> The flash storage cannot simply be moved to a new device.
Not the way they've designed it, but there is no security reason not to allow that once the phone has already been unlocked.
You give them your phone and the ability to unlock it; now they can copy all your stuff. The phone they give you back isn't yours; you have been pwned.
And they get the same thing when they give you the rogue phone back and you try to unlock it, at which point it sends the PIN to them, and they can use it to unlock your original phone and then mount it over the network to display the same data until they've finished copying it.
We're talking about the fingerprint reader, for which it makes sense to require the phone to be unlocked before replacing it, to prevent someone from doing it without your knowledge.
Though even that only makes the attack more expensive, because again, they can just replace the whole phone. Doing that undetected is harder because you have to connect the rogue phone to the original one as soon as they give the rogue phone what you need to unlock the original, which is a sophisticated attack. Though manufacturing custom malicious hardware already implies a pretty sophisticated attack.