Sorry, I didn't realize that we'd moved to a different topic.
We haven’t. I’m showing they have form for this your honour. Deliberately and knowingly set up their system to destroy user data and keep quiet about it. Anti competitive. Quote for you;
Apple defends its action and claims it was just worried its users were at the hands of hackers. Apple’s security director Augustin Farrugia informed the court that hackers “DVD John” and “Requiem” were potential threats to users and thus removed non-Apple music files from iPods. Farrugia reasons Apple did not inform users of the deletion because the company does not want to “confuse users” with “too much information.”
 
Since when does a company need to notify users at the point of sale that improper third-party repairs can cause their product to stop working? :confused::confused::confused::confused: Where do people come up with these things?
When the item is: If you have your device repaired in a way we do not approve of we will remotely brick your device whether it is under warranty or not.
That is classified as potentially "willful destruction" of private property.
 
I’d like your comments on the post above yours please as it’s far more likely than the drivel you posted.

Ah, the pejorative insult: last great mainstay of the true intellectual. Care to elaborate? I would welcome honest criticism.

That said, yes my post was a bit bombastic as in an exaggerated worst case scenario. All I meant is being able to get in the middle of those two subsystems is a huge security flaw with serious potential negative consequences. While Joe's discount phone repairs may not indeed have been able to pull off something like that by inserting hardware between the touch ID system (which is more than a button) and the A7/secure enclave, the NSA/CIA/FBI certainly could and VERY much wants to. Not to tinfoil hat myself, but if you look at today's MR headlines maybe you'll see my point.
 
Ha! Good one. It's all big bad Apple's fault that a repair was done incorrectly by someone else. They should be forced to make your phone work anyway. And, dammit, if you want to cut the battery wire, the phone sure as hell better not lose power!

.
.
.

Oh. Then there's the facts that it wasn't done on a whim and it doesn't destroy user data. But other than that...

Keep digging yourself into a deeper hole... sheesh! :eek:

There are plenty of complaints coming forward that iPhones are receiving an error 53 that never had the sensor worked on nor replaced. If you read the post from Apple on Error 53 (thx C DM) it can be something other than the sensor itself.
 
Ah, the pejorative insult: last great mainstay of the true intellectual. Care to elaborate? I would welcome honest criticism.

That said, yes my post was a bit bombastic as in an exaggerated worst case scenario. All I meant is being able to get in the middle of those two subsystems is a huge security flaw with serious potential negative consequences. While Joe's discount phone repairs may not indeed have been able to pull off something like that by inserting hardware between the touch ID system (which is more than a button) and the A7/secure enclave, the NSA/CIA/FBI certainly could and VERY much wants to. Not to tinfoil hat myself, but if you look at today's MR headlines maybe you'll see my point.
Point taken. Thank you.
 
It's likely cheaper to just break in to someone's house (if you're not even a repair person) and either place the person's finger on the phone while they're sleeping - or cut it off and take it with them ;)

"in other news, there has been a rash of B&E's resulting in stolen iPhones and the loss of the owners index finger. Details at 11..."
 
What if a Touch ID were replaced with a non-Apple Touch ID that continually sends numbers to the secure enclave until it gets the right one to open the phone?

One problem is that the touch id sensor would be totally unaware if/when it did randomly recreate someone's print data.

Worse, after five incorrect attempts the OS would lock it out and request a passcode.

:) You personally can't think of an exploit, so it's not worth closing? I disagree.

Okay, then I'll switch. I'll argue your side and agree with you.

The only possible point of such an exploit is to get access to the phone without knowing the passcode. Which requires replacing the sensor with or without the user's knowledge.

So who would want to do that?

Could be the Impossible Mission Force. Could be the police or FBI. Could be a boss or roommate or spouse or parent wanting to check on your phone's contents. So I agree that more than just the fixit store might want to do it, although I still say that in most of those cases, a fake finger would be easier to pull off (no pun intended). And yet, most people think that's a pretty rare event, too.

Anyway, yes, the OS should check if the sensor has been replaced. I think that most people have no problem with that.

What people have a problem with, is that the actual user cannot override the notice and use the replacement sensor if they wish, and/or that their entire phone is bricked.
 
I came up with it through reading Apple's Whitepaper. The fingerprint reader data is kept independently in the secure enclave. The primary security mechanism, the passcode, should still work as stated. If it can't under certain circumstances (even because of a self or third-party repair) that should be stated instead. Rendering a device and data useless for N amount of time is too large a cost to not be explicitly forewarned. As I said before, IMO.

You've represented your opinion well multiple times in this thread. I agree to disagree with you.
Sure. I don't even know that we disagree on these points in general. It would absolutely be nice for Apple to support a break in hardware security with a graceful fallback solution that still maintained data security.

But to argue that it's simple or that they are required to do it by a warranty law is where I think people have gone overboard.
What people have a problem with, is that the actual user cannot override the notice and use the replacement sensor if they wish, and/or that their entire phone is bricked.
Sure, but that's just a preference. Apple simply chooses to prioritize security over supporting third-party repairs.

Heck, this is a company that limits how you can customize the home screen in order to maintain the product image. I don't think it's surprising that they want to avoid potential security exploits.
 
Please answer just one question:
How?

The phone is encrypted, the security enclave with your fingerprint-hash is encrypted, the scanner has only one connection and that's to the enclave module.

For your situation to become true there has to be a huge security issue with the encryption. If that's the case it wouldn't have anything to do with your fingerprint scanner and anyone could just steal your phone and decrypt it.

The touch ID system is far more than just the sensor, it also does the encrypting/decrypting of your fingerprint as well as transmits that data to the secure enclave in the A7. It contains its own unique secure token that authenticates that it is valid, by a process of the A7 comparing the keys on both ends which is what seems to be the issue here. On top of that it also receives data FROM the A7- that data is a key to the secure enclave essentially "wrapped" in an additional layer of encryption that the touch ID holds on to while your phone is locked- when you unlock it, it passes that key back to the secure enclave via the A7 so that it can decrypt the "wrapper" and make use of the key inside of it (and you can get to your goodies).

While I do not pretend to know exactly the method one would need to exploit this potential vulnerability by getting in-between this transaction, clearly being able to insert anything in between those two subsystems would be a major liability. Touch ID is much more complex than people on here seem to think it is. In fact, that it requires the touch ID system and the secure enclave to communicate is by design- as in a security feature.

What worries me is that this seems to suggest that the pathway between the two or the two key validation was compromised at some point and had to be patched via an update. That indeed would be a "huge security issue". Maybe it falls under those anonymous "bug fixes" we are always ignoring when we update our phones...

EDIT: more to the point, as you stated the touch ID has "only one" connection, and that is to the secure enclave via the A7. Device token validation is designed to keep it that way.
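
The pairing check described in the post above, reduced to a challenge-response sketch (an added example, not part of the original post and not Apple's actual protocol). The HMAC construction, the class names and the two mismatch policies are assumptions chosen for illustration; the keys are constructed sample values.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, nonce: bytes) -> bytes:
    # Assumed construction: HMAC-SHA256 over a label plus the enclave's nonce.
    return hmac.new(key, b"sensor-auth" + nonce, hashlib.sha256).digest()


class Sensor:
    """Stand-in for the Touch ID module: holds a key set when it was paired."""

    def __init__(self, pairing_key: bytes):
        self._key = pairing_key

    def respond(self, nonce: bytes) -> bytes:
        # Proves possession of the pairing key without sending the key itself.
        return _mac(self._key, nonce)


class ReplayingInterposer:
    """Hypothetical device on the cable that recorded one genuine response."""

    def __init__(self, recorded: bytes):
        self._recorded = recorded

    def respond(self, nonce: bytes) -> bytes:
        # Without the key it can only repeat what it captured earlier.
        return self._recorded


class Enclave:
    """Stand-in for the enclave side of the check, with a mismatch policy."""

    def __init__(self, pairing_key: bytes, on_mismatch: str = "disable_touch_id"):
        self._key = pairing_key
        self.on_mismatch = on_mismatch  # "disable_touch_id" or "refuse"
        self.touch_id_enabled = True
        self.usable = True

    def validate(self, sensor) -> bool:
        nonce = secrets.token_bytes(16)  # fresh for every check, so replays fail
        ok = hmac.compare_digest(_mac(self._key, nonce), sensor.respond(nonce))
        if not ok:
            self.touch_id_enabled = False
            if self.on_mismatch == "refuse":
                self.usable = False  # the whole device stops, as argued over here
        return ok

    def unlock_methods(self) -> list:
        if not self.usable:
            return []
        return ["touch_id", "passcode"] if self.touch_id_enabled else ["passcode"]


def run_demo() -> dict:
    factory_key = secrets.token_bytes(32)          # constructed sample key
    genuine = Sensor(factory_key)
    swapped = Sensor(secrets.token_bytes(32))      # replacement part, never paired
    replay = ReplayingInterposer(genuine.respond(secrets.token_bytes(16)))

    results = {}
    for name, part in (("genuine", genuine), ("swapped", swapped), ("replay", replay)):
        enclave = Enclave(factory_key, on_mismatch="disable_touch_id")
        results[name] = (enclave.validate(part), enclave.unlock_methods())

    strict = Enclave(factory_key, on_mismatch="refuse")
    strict.validate(swapped)
    results["swapped_strict"] = strict.unlock_methods()
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(case, outcome)
```

The two `on_mismatch` values correspond to the two positions argued in this thread: fall back to the passcode, or stop the device entirely.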
 
There are plenty of complaints coming forward that iPhones are receiving an error 53 that never had the sensor worked on nor replaced. If you read the post from Apple on Error 53 (thx C DM) it can be something other than the sensor itself.
How many?

I'm not sure how you think any of that contradicts what I've said.
 
One problem is that the touch id sensor would be totally unaware if/when it did randomly recreate someone's print data.

Worse, after five incorrect attempts the OS would lock it out and request a passcode.



Okay, then I'll switch. I'll argue your side and agree with you.

The only possible point of such an exploit is to get access to the phone without knowing the passcode. Which requires replacing the sensor with or without the user's knowledge.

So who would want to do that?

Could be the Impossible Mission Force. Could be the police or FBI. Could be a boss or roommate or spouse or parent wanting to check on your phone's contents. So I agree that more than just the fixit store might want to do it, although I still say that in most of those cases, a fake finger would be easier to pull off (no pun intended). And yet, most people think that's a pretty rare event, too.

Anyway, yes, the OS should check if the sensor has been replaced. I think that most people have no problem with that.

What people have a problem with, is that the actual user cannot override the notice and use the replacement sensor if they wish, and/or that their entire phone is bricked.

I'm going to reiterate/paraphrase my earlier post here. Is Apple (now) admitting that their Touch ID system is hackable and that Apple Pay could also be? Because by bricking/preventing access based on a repair, it sounds like Apple believes there's a way to break inside. Not exactly what everyone was led to believe or what was insisted upon here.
 
I'm going to reiterate/paraphrase my earlier post here. Is Apple (now) admitting that their Touch ID system is hackable and that Apple Pay could also be? Because by bricking/preventing access based on a repair, it sounds like Apple believes there's a way to break inside. Not exactly what everyone was led to believe or what was insisted upon here.

Quite the opposite. I think Apple is saying, rather forcefully, try to break inside and you'll brick the phone. I certainly feel more at ease for it.
 
Yep. Not sure what you're disagreeing with. Part is installed without pairing. Phone doesn't work. No obligation for Apple to create a workaround.


Your lack of knowledge doesn't mean Apple is lying.


Hey. Look. You just made something up without any evidence.


Your lack of knowledge doesn't mean Apple is lying.


Yes, they do. It's in the OP.

What? Apple don't need to make a workaround.

If I use a third party thing in my iPhone one of two things can happen:

1. It breaks. The third party part is not fit for function and I screw my iPhone up.
- Solution: I have to buy a new iPhone

2. It works. The third party part actually works fine and my iPhone works as normal. I have voided my warranty with Apple but it works.

The issue is that in scenario 2 Apple are still stopping your phone from working. This isn't right. If the part works fine then Apple shouldn't be screwing your phone up regardless.

In scenario 1 Apple don't have to create any workaround or do anything as it's entirely on the owner.

In both situations Apple need do nothing. They don't lose anything. They don't have to fix anything. They don't have to create workarounds for anything.
 
Yes. But they didn't immediately brick phones, right? It came later with OS updates.

I think it's somewhat likely if not obvious at this point that there was a liability there, and that touch ID was either compromised or vulnerable to a hardware based exploit by getting in-between the Touch ID and the A7/secure enclave. Since Apple doesn't release details of how to go about breaking into their non-updated devices when they discover an exploit and simply attempts to quietly (or in this case: not so quietly) patch them we may never know what the issue was... Perhaps the validation was not functioning/ occurring at all.

I think this is Apple being a victim of their own brand-consciousness and legendarily secretive nature. If they announced the specifics of the vulnerabilities they discover not only would people feel better about decisions like this, the information security sector would greatly benefit.

After all, who knows what the CIA and The Federales are trying to do to El Chapo's 6+? :D

Anywho... I suppose if Apple did do that then there would be malicious hackers racing to see if they could gain access before the solution could be implemented. Then again, maybe it would spur people to update faster. Ho hum.
 
Cause apple can.

Well 39 pages in we have established it could be security or apple forcing customers to repair the units = $$

I'm skeptical cause if it's security and it's such a major problem, why is the 5S not affected? Apple Pay?

Every model of iPhone has different firmware and builds of iOS that are specific to each model. They also have different internal hardware- in this case the cable between touch ID and the rest of the phone. That brings the possibility that Joey B. Apple; software engineer extraordinaire in Cupertino missed a single line of code or even a "}" somewhere when finalizing whatever version of iOS he was responsible for and left a back door open. Maybe Apple found it and closed it??(Joey B. Apple is currently grand opening the Apple Store: Siberia as a janitor)

Or maybe, just maybe, this is a nefarious and malicious scheme to force you to repair your phone at the Apple Store- but only your iPhone 6 or 6+.

Wouldn't it make more sense if it were some sort of weird money grab that Apple would target older devices such as the 5s rather than cause a calamity over their just over a year old phone (which is still under Apple care if you a- bought it and, b- didn't have anyone that wasn't authorized to do so tamper with it)?

If your phone gets error 53'd and there is no damage or tampering evident that would point to a faulty touch ID, flex cable, or logic board and would be covered by Apple if the phone is under warranty.

In reality we will never know what actually happened.

Just like many seem not to know what a man in the middle attack is and how easy it is to accomplish via cutting in-between two encrypted messages in the absence of a secondary validation (iOS check), a secure key held by both parties (token in the enclave & touch ID), and a totally closed system with ALL channels secure (cables that you cannot interrupt without causing an error of some sort).
 
How could someone use old fingerprint sensor for something malicious? The TouchID sensor does not store your fingerprint data. Everything is stored inside SE.

The old sensor is just a sensor, it is useless for hackers. If someone wants your fingerprint, they may have better chance to take from your phone case, because your fingerprint is all over the place on the phone.

Exactly, I was saying I did NOT think of it that way when I read it.

Gary
 
Well 39 pages and we still have no agreement

It surely has to head for the courts then in order to decide

Although I am partially sitting on the fence I find some of the arguments of the Apple supporters to be a bit odd

The argument seems to be that Apple has the right to brick a phone because any fault in the touchid presents a security risk. In all 39 pages I have yet to see more than a few technical documents that make no clear argument in support of this and various declarations from posters (some of whom must have very understanding bosses to be able to post continually throughout the day) who seem to blame anyone but Apple

Oh, and then there are some of the most hilarious and far-fetched analogies, and even novellas explaining to us how insecure we are!

Then there are some insults against those of us who are skeptical against Apple - I was sent a note by a mod yesterday for fairly innocuous posting (although I accept the rap on the knuckles) - I just hope some of the posters on here have received the same, although the fact the posts are still there suggests not

The crux of it is that people have no phone due to an Apple update.....and any fault with the touchid will lead to the phone bricking. If you are in warranty and there has been no work done then you are okay. If you are out of warranty - even if you have done nothing it will cost you a lot of money

Apple have yet to explain why a phone that was previously working is no longer doing so. Whatever the reason face up and say why clearly and unambiguously why this was done - rather than some people making excuses on their behalf, and not doing a very good job to be honest

I am on the page that this is cock-up and not conspiracy but if that was the case then there may be a claim on them. If it is security based then they had better have a good explanation and it be able to justify that bricking a $1000 object is the only option. If they have a good reason then, of course, it may undermine their claims about the security of the touchid system

Whatever the reason Apple have done a superb job on giving some college lecturers a good case study on how not to do PR
 
Every model of iPhone has different firmware and builds of iOS that are specific to each model. They also have different internal hardware- in this case the cable between touch ID and the rest of the phone. That brings the possibility that Joey B. Apple; software engineer extraordinaire in Cupertino missed a single line of code or even a "}" somewhere when finalizing whatever version of iOS he was responsible for and left a back door open. Maybe Apple found it and closed it??(Joey B. Apple is currently grand opening the Apple Store: Siberia as a janitor)

Or maybe, just maybe, this is a nefarious and malicious scheme to force you to repair your phone at the Apple Store- but only your iPhone 6 or 6+.

Wouldn't it make more sense if it were some sort of weird money grab that Apple would target older devices such as the 5s rather than cause a calamity over their just over a year old phone (which is still under Apple care if you a- bought it and, b- didn't have anyone that wasn't authorized to do so tamper with it)?

If your phone gets error 53'd and there is no damage or tampering evident that would point to a faulty touch ID, flex cable, or logic board and would be covered by Apple if the phone is under warranty.

In reality we will never know what actually happened.

Just like many seem not to know what a man in the middle attack is and how easy it is to accomplish via cutting in-between two encrypted messages in the absence of a secondary validation (iOS check), a secure key held by both parties (token in the enclave & touch ID), and a totally closed system with ALL channels secure (cables that you cannot interrupt without causing an error of some sort).

All Apple has to do is confirm, technically as of right now, the threat exists, and a device has been compromised in this manner, hence the bricking. They have not done so. Until they do so, it's about as credible as our government taking away our civil rights cause there "might" be a threat of terrorism, and they require access to our data to prevent it.

I am all for security for a reason, a solid reason. This update that suddenly bricks a phone without clear communication is amateur hour, especially if I own the device!

Apple is testing the waters here, they have been very careful in their wording.

I am not of the current generation of mac users where the device is glued, I am from a generation where tinkering, upgrading and getting the most of your device was encouraged, the early generation of mac users. If Apple is telling me that they can brick any of my devices in the future......cause it has non apple parts, that is every mac I own pre 2012, including ipods, where I have changed the battery/hd.

Heck, they can turn around to all of us and say that the RAM, and HDDs we replaced could have been modified to steal our data.....and the device will not function until official parts are put back in.

What I find funny is that had Microsoft or Google pulled this stunt, these forums would be on FIRE, saying how could they etc. Apple pulls it and people defend them, although there is no proof. People are already making up scenarios that don't exist from a meaningless apple PR statement. For some people it's like big brother, and people follow them blindly.

I wait for some evidence. Any piece of evidence that backs up Apple's action. None has been presented so far.
 
Every model of iPhone has different firmware and builds of iOS that are specific to each model. They also have different internal hardware- in this case the cable between touch ID and the rest of the phone. That brings the possibility that Joey B. Apple; software engineer extraordinaire in Cupertino missed a single line of code or even a "}" somewhere when finalizing whatever version of iOS he was responsible for and left a back door open. Maybe Apple found it and closed it??(Joey B. Apple is currently grand opening the Apple Store: Siberia as a janitor)

Or maybe, just maybe, this is a nefarious and malicious scheme to force you to repair your phone at the Apple Store- but only your iPhone 6 or 6+.

Wouldn't it make more sense if it were some sort of weird money grab that Apple would target older devices such as the 5s rather than cause a calamity over their just over a year old phone (which is still under Apple care if you a- bought it and, b- didn't have anyone that wasn't authorized to do so tamper with it)?

If your phone gets error 53'd and there is no damage or tampering evident that would point to a faulty touch ID, flex cable, or logic board and would be covered by Apple if the phone is under warranty.

In reality we will never know what actually happened.

Just like many seem not to know what a man in the middle attack is and how easy it is to accomplish via cutting in-between two encrypted messages in the absence of a secondary validation (iOS check), a secure key held by both parties (token in the enclave & touch ID), and a totally closed system with ALL channels secure (cables that you cannot interrupt without causing an error of some sort).

Good write up however I have yet to see how this would in actuality work. Nothing from Apple either. If the "chain" is needed for security why can't Apple just come out and say it.
And my single biggest issue: what gives Apple the right to permanently brick my device remotely?


All Apple has to do is confirm, technically as of right now, the threat exists, and a device has been compromised in this manner, hence the bricking. They have not done so. Until they do so, it's about as credible as our government taking away our civil rights cause there "might" be a threat of terrorism, and they require access to our data to prevent it.

I am all for security for a reason, a solid reason. This update that suddenly bricks a phone without clear communication is amateur hour, especially if I own the device!

Apple is testing the waters here, they have been very careful in their wording.

I am not of the current generation of mac users where the device is glued, I am from a generation where tinkering, upgrading and getting the most of your device was encouraged, the early generation of mac users. If Apple is telling me that they can brick any of my devices in the future......cause it has non apple parts, that is every mac I own pre 2012, including ipods, where I have changed the battery/hd.

Heck, they can turn around to all of us and say that the RAM, and HDDs we replaced could have been modified to steal our data.....and the device will not function until official parts are put back in.

What I find funny is that had Microsoft or Google pulled this stunt, these forums would be on FIRE, saying how could they etc. Apple pulls it and people defend them, although there is no proof. People are already making up scenarios that don't exist from a meaningless apple PR statement. For some people it's like big brother, and people follow them blindly.

I wait for some evidence. Any piece of evidence that backs up Apple's action. None has been presented so far.

I am in the same space. Have yet to see anything that gives technical or factual credence to a security issue. Instead we are currently left with vaguely worded official responses and a whole lot of online supposition.
Facts.
 
Sales next quarter won't be down apparently, due to the fact that whomever has had their phone bricked will need to purchase a new one. As of now anyway.
 