It also considerably reduces the ability of nation-state attackers to replace parts with modified hardware without your knowledge, as Apple can detect and terminate misuse of the tool that creates new cryptographic signing keys for the pairing of phone and part. We saw signed-pairing appear with the Touch ID system in response to Apple learning of nation-state attacks on the iPhone that used hardware modifications.
To date, no HN discussion of this crypto-pairing of the phone to its parts has revealed an alternative solution that would be effective at Apple’s scale for preventing phones from being hacked by a parts swap while also allowing any part to be swapped in — not to mention while providing the anti-theft benefits described upthread. I’d love to see a viable alternative solution described, if anyone has one.
> To date, no HN discussion of this crypto-pairing of the phone to its parts has revealed an alternative solution that would be effective at Apple’s scale for preventing phones from being hacked by a parts swap while also allowing any part to be swapped in
Random-ass repair shops are not going to expend the effort of putting in fake parts to hack you to... hack a couple of thousand dollars off of your account and then get caught due to it easily being traceable to the repair shop?
The only people who need protection from hardware-swap hacks are people like journalists. And if you are one, you shouldn’t be giving people physical access to your device regardless.
Here is a simple solution: give the normal user (after a passcode unlock) a pop-up: ‘your X has been replaced. Do you wish to authorize this new part for use with your iPhone?’.
Make it so that if your phone is set to the new Lockdown mode, you cannot authorize any new parts.
Anyone crossing a border where a nation state takes physical possession of their device is, currently, protected. The US border authorities have a very awful policy of storing data they’ve stolen for up to 15 years, and other US federal authorities have been previously caught using hardware modifications to hack devices. Anyone within 100 miles of a US border is subject to seizure and search under US law, which is approximately one-fifth of the country, including SF tech workers and NYC fintech workers.
These protections apply to considerably more of one country’s populace than would benefit from off-market parts being usable at third-party repair shops. I appreciate Apple’s choice to prioritize in this regard, but I’d still like to see if tech can overcome this barrier without sacrificing that safety.
> Anyone crossing a border where a nation state takes physical possession of their device is, currently, protected.
Assuming you are a normal person, you already are. Rapidly click the lock button 5 times and they cannot extract any data with normal means. If you are someone worthy of nation-state attention, why are you crossing the border without a wiped device, as has been the advised standard practice for years?
Again: these draconian repair protections should be tied to Lockdown mode. There is no reason to destroy repairability to protect a tiny group that isn’t giving their device out for repairs anyway if they’re following opsec.
I have no faith in the ability of nation-states to accurately determine that I am not a criminal, and the authorities in my home nation-state are known around the world for both their excessive violence and their unannounced home invasions, a scenario in which (for example) reaching for my phone would result in me being killed. Those protections benefit me and others like me especially, and I’m comfortable paying a few more dollars for authorized repairs to retain them. I appreciate that you do not see the need for those protections for yourself, but the convenience you seek comes at the cost of the safety it provides others. I remain unpersuaded.
> I have no faith in the ability of nation-states to accurately determine that I am not a criminal
No state will burn extremely expensive tools like Pegasus on a garden-variety criminal.
I’m very conscious of my privacy and device security myself, but I’m also aware that I do not warrant high-cost surveillance. Most people are in that boat. You can model your threats accordingly.
The "your X has been replaced" pop-up doesn't handle the situation where an attacker knows your passcode.
I think you might also be failing to account for situations where you aren't in possession of your phone for an hour or two. Imagine if police in a foreign country take your phone for a couple of hours and then give it back to you. Or you leave your phone in a hotel room to charge for a few hours. Or your phone gets "misplaced" for an hour after going through the airport x-ray machine.
There are many targets other than journalists too, such as people in the USA who develop export controlled technologies, certain tech company employees, defense contractor employees, other government employees, etc. I don't think you can expect every potential target to constantly set their iphone to lockdown mode.
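As an added illustration (this is not code from the thread, from Apple, or from any commenter), here is a small Python model of the "authorize the replaced part after a passcode unlock, never in Lockdown mode" policy proposed upthread, together with the objection just raised that the prompt does nothing against an attacker who already knows the passcode. Part identities are random bytes standing in for real pairing keys, the passcode check is a plain SHA-256 compare, and the scenario functions and passcode values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class PairingError(Exception):
    """Raised when a part cannot be authorized under the current policy."""


@dataclass(frozen=True)
class Part:
    kind: str        # e.g. "display", "touch_id"
    identity: bytes  # stand-in for the part's cryptographic identity (constructed)


@dataclass
class Device:
    passcode_hash: bytes
    lockdown: bool = False
    unlocked: bool = False
    trusted: dict = field(default_factory=dict)  # kind -> identity paired at factory/repair
    pending: dict = field(default_factory=dict)  # kind -> identity seen but not yet authorized

    @staticmethod
    def _hash(passcode: str) -> bytes:
        return hashlib.sha256(passcode.encode()).digest()

    def unlock(self, passcode: str) -> bool:
        self.unlocked = hmac.compare_digest(self._hash(passcode), self.passcode_hash)
        return self.unlocked

    def boot_with(self, parts) -> list:
        """Compare installed parts against the trusted set; return kinds needing a prompt."""
        for part in parts:
            if self.trusted.get(part.kind) != part.identity:
                self.pending[part.kind] = part.identity
        return sorted(self.pending)

    def authorize(self, kind: str) -> bool:
        """The proposed pop-up: only after a passcode unlock, never in Lockdown mode."""
        if kind not in self.pending:
            raise PairingError(f"no replaced {kind} awaiting authorization")
        if not self.unlocked:
            raise PairingError("authorization requires a passcode unlock")
        if self.lockdown:
            raise PairingError("Lockdown mode refuses to authorize new parts")
        self.trusted[kind] = self.pending.pop(kind)
        return True

    def part_enabled(self, part: Part) -> bool:
        return self.trusted.get(part.kind) == part.identity


def new_part(kind: str) -> Part:
    return Part(kind, secrets.token_bytes(16))


def factory_device(passcode: str, lockdown: bool = False):
    """Return a device with factory-paired parts and the list of those parts."""
    parts = [new_part("display"), new_part("touch_id")]
    dev = Device(Device._hash(passcode), lockdown=lockdown)
    dev.trusted = {p.kind: p.identity for p in parts}
    return dev, parts


def scenario_honest_repair() -> bool:
    """Owner replaces the display at a third-party shop and approves it after unlocking."""
    dev, parts = factory_device("2468")
    parts[0] = new_part("display")
    if dev.boot_with(parts) != ["display"]:
        return False
    try:
        dev.authorize("display")   # before unlock: must be refused
        return False
    except PairingError:
        pass
    dev.unlock("2468")
    return dev.authorize("display") and dev.part_enabled(parts[0])


def scenario_lockdown() -> str:
    """Same swap on a device in Lockdown mode: the prompt is never honoured."""
    dev, parts = factory_device("2468", lockdown=True)
    parts[0] = new_part("display")
    dev.boot_with(parts)
    dev.unlock("2468")
    try:
        dev.authorize("display")
        return "authorized"
    except PairingError as e:
        return str(e)


def scenario_attacker_knows_passcode() -> bool:
    """The gap raised in the thread: an attacker who knows the passcode passes every check."""
    dev, parts = factory_device("2468")
    parts[1] = new_part("touch_id")   # attacker's modified sensor
    dev.boot_with(parts)
    dev.unlock("2468")                # attacker enters the passcode they already have
    return dev.authorize("touch_id") and dev.part_enabled(parts[1])
```

The model makes the trade-off concrete: the prompt blocks a silent swap on a locked phone and Lockdown mode blocks it outright, but the third scenario shows that the policy's security reduces entirely to passcode secrecy, which is exactly the objection above.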
> The "your X has been replaced" pop-up doesn't handle the situation where an attacker knows your passcode.
If this is the case, they can add their own fingerprint or face (alternate look feature) to your iPhone. You’re thoroughly pwned at that point, no hardware swaps necessary.
> I think you might also be failing to account for situations where you aren't in possession of your phone for an hour or two
If I came back to my unattended phone after 2 hours and it was giving me a pop-up about a swapped part, I would never trust that phone again.
> I don't think you can expect every potential target to constantly set their iphone to lockdown mode.
If they are that much of an attractive target, their organizations would be stupid not to enforce it. I know that Lockheed used to give personnel who were China-bound a throwaway laptop and would shred it the moment they returned to the USA.
>You’re thoroughly pwned at that point, no hardware swaps necessary.
Exactly. It boggles my mind the amount of mental gymnastics Apple apologists will go through to try to justify Apple's anti-consumer, anti-repair practice of software-locking replacement parts.