Sunday, February 7, 2016

Error 53

Miles Brignall (via Hacker News):

Thousands of iPhone 6 users claim they have been left holding almost worthless phones because Apple’s latest operating system permanently disables the handset if it detects that a repair has been carried out by a non-Apple technician.

Relatively few people outside the tech world are aware of the so-called “error 53” problem, but if it happens to you you’ll know about it. And according to one specialist journalist, it “will kill your iPhone”.

tristanj:

In summary, Apple iOS uses a validation system to ensure Touch ID sensor is not maliciously replaced or modified. The Touch ID sensor has access to the iPhone Security Enclave, where fingerprint data is kept. A malicious sensor could, hypothetically, steal fingerprints from an iPhone user unknowingly. This could be used to unlock the phone and make purchases through Apple Pay without the owner’s permission. To prevent this, Apple uses a validation system whenever the Touch ID sensor is repaired. When iPhone is serviced by an authorised Apple service provider or Apple retail store for changes that affect the touch ID sensor, the validation paring is updated. Third-party repairs to the sensor will not update the pairing, and will fail validation when using Touch ID. This validation error is shown to users as the mysterious “Error 53”.

If the validation fails, the device will function mostly fine, although with Touch ID disabled. However, the device will be prevented from restoring or updating to a new version. Restoring from backup still works. I’m not too sure why restoring or updating is blocked, but my guess is that they want to prevent malicious software from being uploaded in this process.

qb45:

No, the CPU reads encrypted data from the sensor and sends them to the SE for decryption and analysis. See the PDF linked here by somebody. What a malicious sensor could do is store user’s fingerprint for retrieval by unauthorized parties.

John Gruber:

It seems very reasonable to me that iOS should check for a trusted Touch ID sensor. But, if the sensor can’t be trusted, clearly the whole phone should not be bricked — it should simply disable Touch ID and Apple Pay. And, obviously, it should inform the user why. Putting up an alert that just says “Error 53” is almost comically bad.

Update (2016-02-11): Gwynne Raskind:

You must predicate everything you do in the name of security on the presumption that users are hopelessly lacking in knowledge.

They ​WILL​ be socially engineered into giving up credentials.

They ​WILL​ be socially engineered into turning off security features that give them even a moment’s annoyance even just once.

[…]

A number of people have asked why Apple didn’t disable just Apple Pay and leave the rest of the phone functional. Technically speaking, I can’t do more than guess at the details, but it’s my presumption that this is the only way they could prevent jailbreaks and other “the user will do any stupid thing rather than actually listen to security warnings” (the effect of user arrogance on security is a whole separate issue from user ignorance that I’m not going to get into) from getting around the error, which would have rendered it useless.

Update (2016-02-16): Josh Centers:

We reached out to an Apple Authorized Service Provider who is familiar with the matter. While he confirmed that Apple’s requirement is a security feature, he also sees it as Apple pushing several agendas: selling AppleCare+, pushing customers into buying new phones after AppleCare+ expires, shutting out non-authorized repairers and suppliers, and shutting out fake devices built from knock-off parts. It turns out that all iPhone screen repairs have to go back to Apple for screen replacements; Apple has a machine that restores the pairing between the Touch ID sensor and the secure enclave.

[…]

Apple’s handling of the situation has prompted the Seattle law firm PVCA to file a class action suit against Apple; if you’ve experienced Error 53, consider getting in touch with them.

[…]

However, it’s not all bad news. In order to deal with unauthorized repairs, Apple has drastically reduced the price for out-of-warranty screen repairs. Without AppleCare+, the company now charges between $109 to $149 for a screen replacement, which isn’t much more than what you’d pay with AppleCare+. However, if you have AppleCare+, Apple will give you a loaner phone and likely move your repair up in its priority list.

Adam Minter (via Slashdot):

That’s not a unique business model, of course. For decades, auto manufacturers and dealerships have done their best to undermine independent garages by limiting access to original parts and diagnostic tools. The results, in both industries, are predictable: Repair shops have to turn away willing customers, and consumers lose the benefits of free competition, notably lower prices and more convenience.

In 2000, under threat of so-called “right to repair” legislation, U.S. automakers, dealerships and service shops formed a union to share information on repairing today’s high-tech cars. Because membership was voluntary, however, there was little incentive to cough up any useful data, especially in a prompt manner.

Update (2016-02-18): Matthew Panzarino (via John Gruber, comments):

The update is not for users who update their iPhones over the air (OTA) via iCloud. If you update your phone that way, you should never have encountered Error 53 in the first place. If, however, you update via iTunes or your phone is bricked, you should be able to plug it into iTunes to get the update today, restoring your phone’s functionality.

Mike Ash:

That Error 53 thing everybody said was Super Important Security Stuff™ was an inadvertently released factory test.

Gwynne Raskind:

I’m not trying to accuse Apple of anything here; I’m personally satisfied with how they’ve handled the Error 53 situation. While I favor “right to repair”, and strongly dislike the trend towards hardware that the customer doesn’t effectively own, security of a device carrying important data in the context of the infamous gullibility and technical inexperience of the majority of users is a knotty problem at best and Apple is walking a fine line with relatively few missteps (though the “few” here is a long, long way from zero). What I do wonder about is what more there is behind some of the decisions that were made, and the timing of those decisions. If nothing else, it’s a matter of curiosity.

Update (2016-02-20): Alex Cranz:

AJ Forsythe is familiar with Error 53. He’s the CEO of iCracked and like many iPhone repair services, they’ve been aware of the problem for over a year now. […] Most third party repair agencies have learned to live with the quirk and have standardized their training of repair agents to accommodate this specific issue. (The companies that didn’t are the ones likely leading to the majority of brickings).

Update (2016-05-25): Husain Sumra:

Apple argued the lawsuit should be dismissed because the company issued a fix for the error and offered to reimburse customers who had paid to have their devices replaced or repaired. However, the plaintiffs are now arguing that Apple failed to properly alert users to the reimbursement program. They argue the “vague” announcement on Apple’s website and a support document published in April isn’t sufficient enough to inform affected customers.

10 Comments RSS · Twitter

Christian Beck

While I don't like bricked iPhones either (and think Apple could - as always - have communicated something to it's users), I don't see any way around bricking the whole phone.

Because we are talking about unencryptable phones and the NSA it's buddys want access to them really bad.

So I design a sensor that stores your fingerprint or PIN and send's it to the secure enclave on my command (i.e. morse NSA on the home button). Then: I get your phone, swap the sensor, you think "hmm, Touch ID broken, dumb Apple, always with that updates" use it with the PIN and all the while holding your fingers long enough on the sensor for them to be scanned (out of pure habit - try using a iPhone without Touch ID and see what I mean) and stored on my chip. Then I steal it for real. And all your data belongs to us.

tl;dr They are out to get YOU!

The NSA could lift your thumb print from the phone -- or almost anything else in your environment -- and unlock it anyway; MITM'ing the touch ID sensor would be a ridiculous amount of work by comparison.

Additionally, Apple can replace the touch ID sensor; that means Apple is in a position of ultimate trust. If you really have NSA-level adversaries and really think that validating the sensor is critical for security, then why would you want there to be a "golden key" that could be used to replace your touch ID sensor without warning -- ala encryption backdoors?

We've somehow flourished over decades of computing despite having computers that allow the keyboard to be replaced without warning. A keyboard can sniff all your passwords, your credit card information, and it can even control your machine. A USB keyboard (which is most of them) can present a USB mass storage device that will be auto-mounted, can execute code from that device, and can otherwise compromise your entire machine.

And yet, attacks on the physical security of laptop and desktop keyboards makes up a vanishingly small percentage of the actual real-world user compromises.

Perhaps this isn't really about security? Or, if it is, it's more about security theater than real-world risk and cost analysis.

Guardian reports that class actions suits are being started in the UK and US. Plus, they think it may violate criminal laws in UK.

FWIW, class action suits are the only way Apple has been willing to react to this kind of stuff over the past 5 years or so.

(And thanks to Landon Fuller for debunking that logically incoherent first post. I didn't have the time or energy. Only two things I'd add is that the 'middle way' suggested by Gruber fully solves the security concern, and that Apple's motivation really may be less about security theater and more about their multi-year efforts to force out 3rd party repairs for money reasons...)

@Chucky I don’t think it’s so much that Apple wants to make money from repairs as that it’s simpler for them to have everyone’s hardware in a known state.

"I don’t think it’s so much that Apple wants to make money from repairs as that it’s simpler for them to have everyone’s hardware in a known state."

You may well be correct on motivation. But for whatever reason, there is some kind of patten going all the way back to 'screw-gate' where they seem to be doing their best to eliminate 3rd party repair. And these days, I never put any money motive beyond them, no matter how small. But again, you may well be correct here.

[…] Previously: Apple Fighting New “Right to Repair” Legislation, Error 53. […]

Leave a Comment