I posted this earlier today, but the current article (from bbc.co.uk) does a poor job covering the issue. In summary, Apple iOS uses a validation system to ensure Touch ID sensor is not maliciously replaced or modified. The Touch ID sensor has access to the iPhone Security Enclave, where fingerprint data is kept. A malicious sensor could, hypothetically, steal fingerprints from an iPhone user unknowingly. This could be used to unlock the phone and make purchases through Apple Pay without the owner's permission. To prevent this, Apple uses a validation system whenever the Touch ID sensor is repaired. When iPhone is serviced by an authorised Apple service provider or Apple retail store for changes that affect the touch ID sensor, the validation paring is updated. Third-party repairs to the sensor will not update the pairing, and will fail validation when using Touch ID. This validation error is shown to users as the mysterious "Error 53".

If the validation fails, the device will function mostly fine, although with Touch ID disabled. However, the device will be prevented from restoring or updating to a new version. Restoring from backup still works. I'm not too sure why restoring or updating is blocked, but my guess is that they want to prevent malicious software from being uploaded in this process.

From the Daily Dot article, if a user encounters this error, Apple's current resolution is a full device replacement. It may be overkill I don't think Apple expected many people to encounter this issue, so it seems reasonable why they chose this option.

This is a great security feature for users, and I'm really glad Apple engineers considered this situation. Unfortunately the media is blowing this and leaving crucial details about what's happening and the reasoning behind it.

Here is Apple's statement on the matter:

We take customer security very seriously and Error 53 is the result of security checks designed to protect our customers. iOS checks that the Touch ID sensor in your iPhone or iPad correctly matches your device's other components. If iOS finds a mismatch, the check fails and Touch ID, including for Apple Pay use, is disabled. This security measure is necessary to protect your device and prevent a fraudulent Touch ID sensor from being used. If a customer encounters Error 53, we encourage them to contact Apple Support.

Damned if they do, and damned if they don't.

"Anyone can access your private photos and emails! Just replace the home button with one programmed with your own fingerprints!"

Can you imagine the comments if that were a story?

The problem here is that Apple didn't find a way to tell repair shops and users that this could be an issue.

I highly recommend reading up on Apple's Security white paper that details how it all works... https://www.apple.com/business/docs/iOS_Security_Guide.pdf

It's totally dumb that a functioning phone is bricked by an update because of repairs done in the past. Imagine the same thing happening to your car. "Sorry sir, the software update done to your car has now disabled the vehicle because in the past someone not related to x (insert name of car company here) has repaired it, your car is now junk (you can't even resell it) and you'll have to buy a new one".

It's just petty revenge because you had to temerity to go to another party other than apple to get your phone repaired and maybe even saved some money in the process. So now, in retaliation we'll destroy your phone in software. I'm sure this will go down well with the various EU courts.

This is still not as bad as the newer laptops in which TPM is soldered onto motherboard and the OS won't boot if it's damaged. You can't even get it repaired, even by the manufacturer without getting a brand new motherboard.

Hardware level security is important, but one must know that whenever you involve hardware into the equation you must allow for collateral damage.

Trusting trust is hard. You can't expect the verifier to verify the security module you got changed from the guy in a basement. Might as well get the OS and kernel from the same guy too.

The reason this disables your phone is the same reason you see a red page when using self signed certificates. The guy vetting you isn't vetted himself. Now there is a case to be made that Apple should just show you a warning and let you use the phone. But this isn't about protecting your privacy, this is about protecting privacy of the guy whose phone you found.

Alternative: Apple stops NSA, China, crooks meddling with TouchID during repair.

https://twitter.com/charlesarthur/status/695709113964195840

The stated rationale is that it's reasonable for a security-critical device to self-destruct if it thinks it may have been tampered with. Unfortunately this is a phone which costs a lot of money and has much of the user's life stored on it. I wouldn't be surprised to see Apple sued over this; I don't know what the interaction of the Sale of Goods Act and remote-bricking is.

I was thinking along similar lines recently when someone sent me an email to an old PGP key - I was able to dig up the key, but had long since forgotten the password. Do you want your computer security system to fail-open (leaking your stuff and potentially exposing you to fraud) or fail-closed (losing data which may be irreplaceable and of emotional significance)?. It's not obvious. But if you store your photos on your phone, you should probably back them up to the cloud - and to a different system that is not under the same account, either locally or another cloud. User-friendly crypto may be possible, but user-friendly key management is a total nightmare.

Albeit necessary to check the authenticity of components such as the TouchID sensor for security reasons, bricking the phones seems extreme. Why not simply disable Touch ID? This is them asking for a lawsuit.

It is frustrating the the language of MA 'right to repair' doesn't extend to devices. https://en.m.wikipedia.org/wiki/Massachusetts_Right_to_Repai...

All these comparisons to car warranties, and more specifically how in some countries there may be a question of legality. The U.S. has similar laws that car dealers can't deny warranty coverage because of third party repairs. IANAL, but it would be interesting to see how this translates to phones (or any other similar asset).

http://www.consumer.ftc.gov/articles/0138-auto-warranties-ro...

Has someone made unintentional medical joke with this error? It reminds me of https://en.m.wikipedia.org/wiki/P53, which is responsible for apoptosis - programmed death of cell.

The way they've reported on this seems a bit misleading. Isn't it just that the third-party repairers haven't reset the security mechanism after replacing the home button?

Wouldn't a better idea be to simply display an error message to the effect of "your phone has undergone untrusted changes, please bring to your nearest Apple store" rather than bricking the whole thing?

People in the US should be complaining to the FTC. In the very least, for phone's under warranty, Magnuson-Moss should apply if Apple isn't fixing these problems for free.

https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty...

I think it's utterly reasonable for the device to shut down if it detects what looks like tampering with a high-security component. It's frustrating, sure, and the error message is beyond poor, but the behavior makes sense. It's not about preventing third party repairs.

It is unfortunate but true that high levels of security ultimately require trust, and that means that some things we used to take for granted will fall by the wayside. Third party repair of what are now secure components may be one of those things.

I guess "iPhone 'disabled' if Apple detects key security component replaced with unauthorized version" wouldn't get as many clicks.

I'm not sure I understand what exactly happened here. Was it previously possible for non-apple engineers to replace the home button or was it not? The guardian's article seems to suggest it was: "Indeed, the phone may have been working perfectly for weeks or months since a repair or being damaged."

If that is the case and it was possible to replace these sensors before, apple's narrative that the "error 53" code was introduced for security reasons doesn't seem to make a lot of sense: If the hardware sensor wasn't designed with secure authorization (e.g. via asymmetric cryptography) in the first place, all they could do now in a software update would be to add some kind of cosmetic device ID check.

However, any such newly introduced check in software could not actually prevent "malicious sensor" attacks but would only add a (possibly trivial) additional step to the attack where you have to spoof the correct device id.

Or maybe my reading of the guardian article is imprecise and replacing the home button has always meant loosing access to at least some security-relevant features?

Now might be a good time to make a donation to the EFF.

https://www.eff.org/issues/right-to-repair

Could this be a protection against selling stolen iPhones? As I remember a "broken TouchID" rates pretty high as a shady phone. Does anyone know how does this work? Can you reset a stolen phone or do they just sell those as parts nowdays?

One more proof that you don't own your device?

I love the sentence: >He had to pay £270 for a replacement and is furious.

He was so furious that he bought a second iPhone which had the same fundamental design decisions and would fail in the same way if he got it repaired by a non-Apple repairer. No wonder Apple doesn't give a damn about this - everyone is just buying a new phone from them.

I don't see why people are upset or surprised about this. Apple is a pioneer in making electronics difficult to open up and play with.

It has always been their approach to control every interaction that every customer has with every part of their business and every product produced by it.

Accept it or use something else.

I feel like a hypocrite criticising this one. Security has always been a tradeoff against convenience. I've been, overall, happy that Apple's starting to take the security of personal data on a very losable device seriously.

I mean, not to gloss over it. I just got stung €320 for a screen repair, and I won't pretend I'm at all happy with that. But I have to accept we can't have it both ways - if we're demanding tough encryption, we have to accept the inconvenience that comes with it.

So much for owning something you thought you owned. This has happened again and again, and will increasingly happen in the future under whatever disguise, security-wise or not.

Something suspiciously like this happened to me on a second-hand iPhone 6 I bought a few weeks ago. Talk about crappy timing.

Everything pointed to a software issue, but every repair person I took it to (both apple and non-apple) kept saying it was a hardware fault.

Touch ID stopped working and the phone drains super quickly despite not being in use. Hoping Apple can provide a "fix", not gonna hold my breath though.

I'll take it as a positive that there is a good chance if someone tampered with my device my information is still secure.

I feel for both sides of this issue. As a consumer I am upset that I am essentially being forced to either buy a new iPhone or do my repair via Apple (do they even do all repairs?). Although, as a business I understand not wanting third party repairs as those can damage your brand if done incorrectly.

I think it is a design flaw, putting a security component in a common fail assembly, a fragile glass cover. Sony chose to put their touch ID sensor in a side button. I wonder if they thought of this, it sure looks like a smart design decision in light of this.

I feel for both sides of this. On one hand, as a consumer, I think it's unfair to force users to either buy a new iPhone or do repairs via Apple (do they even do them all?). As a business, I understand how non-Apple repairs can damage a brand.

This is just the beginning.

High prices and resale values have spawned a substantial and apparently growing 3rd party repair and refurbishment market for Apple mobile devices. Beyond the dodgy corner unlock shops, multiple national chains have sprung up over the last 2 years where I live that advertise heavily on broadcast TV.

Apple clearly sees this as money left on the table and they're concerned about the emergence of a comprehensive parallel supply chain for repair parts. Bricking end-user devices is one of the few levers they've got to try and shut down this industry, since there's no way to effectively identify and pursue the upstream suppliers in mainland China.

Sucks for the users, though. I wonder if Apple will still be selling devices at all in 5 years, or if they'll only rent them out for €25/$25/£25 per month. Ultimately that'll probably be the only way to get the control they want.

I'm fairly certain that's illegal in Australia. It's called third line forcing.

Looks like Apple is, yet again, going to be investigated by the ACCC.

So basically you do not own your hardware.

The iPhone6 and F-35 share the same problem trying to detect approved or faulty parts. Funny.

Isn't this piece core to the virtual wallet/payment tech installed on the phone? Should apple's engineers have to put in friendly error messages if you exchange components in what's supposed to be a closed system?

Don't use smart phones. Just don't. It works for me.

Could someone explain what is the legal basis for this?

This type of move can't work now, because Apple is losing its mojo in a very fast pace.

yet another thing that anti-iphone people rile and iphone users don't care. The bricked owners will buy the next gen iphone and won't repeat the mistake of third party repair. what's the fuss about? yawn...

This is just to protect customers. </irony>

Wow, Apple hate like on /r/technology.

Lawsuit time, which Apple will lose

Correct me if I'm wrong, but from what I understand this is done to protect the customers from tampered with Touch ID sensors.

It may be overly paranoid but I can at least understand the motivation behind this. Changing the display also involves disconnecting the Touch ID sensor so technically a malicious person might have done something that exposes the user of the device in some way.

Statement from an Apple spokeswoman:

“We protect fingerprint data using a secure enclave, which is uniquely paired to the touch ID sensor. When iPhone is serviced by an authorised Apple service provider or Apple retail store for changes that affect the touch ID sensor, the pairing is re-validated. This check ensures the device and the iOS features related to touch ID remain secure. Without this unique pairing, a malicious touch ID sensor could be substituted, thereby gaining access to the secure enclave. When iOS detects that the pairing fails, touch ID, including Apple Pay, is disabled so the device remains secure.”

http://www.macrumors.com/2016/02/05/error-53-home-button-iph...

Url changed from http://www.bbc.com/news/technology-35502030, which points to this.

There is a strong bias, and the amazing thing is that its very difficult for the people who have this bias to realize it. As far as they can tell it is fact, and this is in large part because they live in a filter bubble where they only see things that confirm their bias.

For example: Articles bashing Steve Jobs get upvoted a lot more than ones praising him. Exactly the opposite for bill Gates.

Now if you look at Slashdot a decade before Hacker news the results for bill gates would have been the opposite of what you see here.

Effectively, Bill Gates' millions in spending to improve his PR have changed people's perceptions (they will argue that its because he's such a generous benefactor, because that's politically correct, alas, they won't look too close at the activities of the Bill and Melinda Gates foundation lest they notice he isn't.)

Google Good, Apple Bad, Leftism Good, Socialism Good, Basic Income! Global Warming is FACT, and anything you post that goes against this narrative risks getting you slow banned or hellbanned.

Hell, I was once banned from here for relating how I met Grace Hopper as a kid (in a comment on an article about Grace Hopper.)

I have no clue why that was hell ban worthy, after all she was the original "GRrrl in tech!!11!"

Welcome to hacker news where there are no hackers.

Fuck Apple.

Fuck Apple.

"these 10 fun tricks helped us get sued" apple.com

>retarded

Don't say this.

It is frustrating the the language of MA 'right to repair' doesn't extend to devices. https://en.m.wikipedia.org/wiki/Massachusetts_Right_to_Repai...

That's how desperate Apple is.

The wonder of closed source

More reasons for not to be in Apple ecosystem.

Has anyone read full Terms and Conditions?

I think most of the people clicked / tapped / pressed "AGREE".

So here you go.

What really surprised me, and what most people don't seem to know, is that repairs at an Apple store are way cheaper than third party repairs.

So stupid, it's like they are asking for a class action lawsuit

I haven't experience any error 53 codes on the devices I've repaired, but if this is true... Wow! That's really shady of Apple. I'm starting to get the feeling that the moves they're making (like charging for Apple radio [not Apple music], and now disabling phones with unauthorized repairs) is their response to their recent report of declining iPhone sales. Disappointing if this is true that these changes are at the expense of their end users and fans (and I am a fan).

This seems like a deliberate move by Apple, since they could've put the secure component ("TPM") on the mainboard, where it won't be as easily damaged, instead of the fingerprint reader. It's like an organism whose brain is in one of its appendages instead of its head...

Either way, if the skills of the Chinese (and other far-East) reverse-engineers continue to be what they are, I think workarounds will be found soon enough - from what I've seen, the repair people in particular are very resourceful and clever, and come up with "tricks" to fix things that the original manufacturer never even thought about. It's their core business; you can bet they'll spend a ton of effort on figuring out how. Apple's proprietary cable authentication chips have been cloned. The infamous Thinkpad BIOS password has been circumvented. Replacements for ink cartridge authentication chips (seriously) have appeared. There is always a crack.

I continue to find it amazing how effective the "security" excuse is; it seems you can get the majority to give up anything if you can turn it into some sort of argument about how it'll make things safer. Who doesn't want to feel safe, even if it ultimately results in society where every little thing you do is controlled by some huge bureaucracy? The old quote on security vs. freedom is so relevant today, but related to what I think will happen, here's a variant on that theme: "I wish for the insecurity that gives us freedom."

You DO have the right to repair your iPhone; it just has to be done by an official Apple repair centre.

I completely understand the downsides of Apple's particular approach here, and totally get why people want the right to use 3rd party repair services. I've used them myself in the past to save (a lot of) money.

But considering just how much of my life, financial and otherwise, is on my phone, I'm actually very glad that Apple has erred on the side of obsessive security!