Apple Takes Heat For Software Lock That Prevents iPhone 7 Home Button Replacement By Third-Party Vendors
from the right-to-repair dept
We’ve been discussing for some time how John Deere, Apple, Sony and Microsoft are among a laundry list of companies fighting against so-called “right to repair” bills. The bills, currently being pushed in a handful of different states, make it easier for consumers to repair their own products and find replacement parts and tools. The bills are an organic consumer response to the attempts of many of these companies to monopolize repair, driven in large part by John Deere’s draconian lockdown on “unauthorized repairs” — forcing tractor owners to pirate tractor firmware and maintenance tools just to repair products they thought they owned.
Apple’s been notably vocal on this subject, recently trying to shut down a Nebraska right to repair bill by proclaiming that it would turn the state into a dangerous hacker playground. Of course, propped up by the DMCA’s anti-circumvention rules, Apple has utilized a rotating crop of tools to try and protect this repair monopoly. Last year, for example, Apple caused a bit of a shitstorm due to “Error 53”, part of an iOS update that bricked phones that had their screens replaced by third party repair vendors.
Having apparently learned no lessons from the backlash from that use of repair locks, Apple is once again taking heat for new software locks cooked into the iPhone 7, which prevent the device’s home button from working after it has been replaced. Unless, that is, the replacement is performed by a certified Apple technician with the proper “re-calibration” software. The home button is used to unlock the phone, and to return the user to the home screen when pressed.
In previous iPhone versions (iPhone 5S, 6, and 6S) if you replaced the home button you lost the security function, but users could still login via pin — and the button still worked to bring users “home.” But with the iPhone 7, replacing the home button via third-party vendor results in the button not working at all — unless you take the device to Apple’s Genius bar. This is, independent repair shops claim, just part of Apple’s overall strategy of monopolizing repair, hampering third-party repair vendors, and restricting consumer choice:
“In a video demonstrating the block, Michael Oberdick, owner of the independent iPhone repair shop iOutlet, swapped the front displays (and home buttons) of two iPhone 7 devices. When swapped, the phone displays an error message that says “The Home Button May Need Service.” Its functionality is disabled and “Assistive Touch” automatically pops up on the device, creating an onscreen, software-based home button.”
This is, Oberdick argues, little more than a vindictive, anti-consumer move on the part of Apple:
“Not supporting that menu function makes no sense,” Justin Carroll, owner of FruitFixed, an independent iPhone repair shop, told me. “Just a sad and petulant move on their part that will directly affect consumers especially after their one year manufacturer warranty is up.”…This may sound like an esoteric issue, and to some extent it is?screen replacements can still be done so long as the original home button is carefully removed and moved to the new screen. But software locks specifically designed to prevent repair are a monopolistic, anti-consumer move that attempts to “tie” an electronic to the manufacturer even after it’s already been sold.
Whether coming from Apple, Sony, or Microsoft, opposition to “right to repair” bills usually focuses on the three (false) ideas: the bills will make users less safe, somehow “compromise” intellectual property, and open the door to cybersecurity theft. Apple will be sure to breathlessly insist that they’re only making the iPhone 7’s home button impossible to repair to protect consumer security, hoping you’ll ignore the entire practice of such software locks simply allows the company to monopolize repair, drive up the cost of overall ownership for all of its customers, and make life harder for third-party repair vendors.
Filed Under: digital locks, home button, iphone, right to repair, software lock
Companies: apple
Comments on “Apple Takes Heat For Software Lock That Prevents iPhone 7 Home Button Replacement By Third-Party Vendors”
I will never own an Apple device. I disagree with their basic philosophy of computers and don’t like their software aesthetics.
That said, this is not the ownership sky-is-falling moment people are making it out to be. The button functions as the fingerprint reader for the device, and by linking the device to the motherboard it ensures that the device is secure even if it leaves your possession.
Maybe there’s a secure way that a new fingerprint reader could be synchronized with the phone regardless of who installs it, but I’m not sure what that would be.
Re: Re:
I somehow missed discussion of this in the article and was not aware that prior Apple phones could replace the button and restore the device with the entry of a PIN. I withdraw my comment.
Re: Re: Re:
I’ve replaced a number of iPhone screens myself, and recently replaced the Home button on a iPhone 5S. While TouchID no longer worked as expected, The Home button worked for everything else and so you just have to use a password. Old school!!!
On the 7 and 7+, there’s no button that I know of right? I thought it was solid with a force Touch thing to give you a virtual feel of pushing a button. How would it go bad? Can’t you just swap the button to the new screen? I haven’t looked into the iphone 7 and see how things are done.
I just didn’t think it was any kind of a wear device at this point and you could swap it like buttons in the past.
Re: Re:
Came here to say this.
In this instance it’s a security choice, not an anti-consumer move.
http://www.imore.com/apple-took-touch-id-security-one-step-further-secure-enclave-heres-how-and-what-it-means
Re: Re: Re:
It’s not a security choice. A security choice would be to disable the fingerprint-recognition feature until the user had confirmed that they expected the sensor to have been changed (eg. during a repair). That would protect the integrity of the path between the sensor and the secure enclave. Everything else, including disabling the button for non-fingerprint-related functionality, has nothing to do with security and everything to do with locking out independent repairs. How does bringing up the PIN keypad, for instance, compromise security if it’s done via a home key installed during a repair? Unless, of course, you’re positing that some nefarious party has swiped the phone, swapped out both the home button and the entire screen for hardware that’d somehow record and store fingerprints and PIN entries in hardware not part of the phone, and then returned the phone without the owner ever noticing it was missing for the length of time required to effect the work. And then managing to swipe the phone a second time to offload the stored data from the hardware (it’s not part of the phone, remember, and our nefarious actor doesn’t have the fingerprint or PIN that’d permit him to install software on the phone (if he did, he wouldn’t have to install hardware to get them)). I find that whole sequence highly unlikely, unless of course you’ve been targeted specifically by someone who wants access to your phone in particular and not any phone in general and who’s also in physical proximity to you.
Re: Re:
How to confound the issue, the complaint was not that the fingerprint reading function was disabled, but rather that the home function was disabled. The owner should be able to choose who repairs their phone, while using a replacement to break the phones security requires that a bad guy get hold of the phone long enough to carry out the replacement, at which point all security bets are off, and it would be easier to set in place malware that allows the reader to be bypassed.
Now who can get hold of your phone long enough to attack its security, I will give you a hint, they all have three letter acronyms.
Re: Re:
As someone who’s bought Apple since the 1980’s, I completely agree with you. For security reasons, the reader has to be verified to be an untampered version that has access to the secure enclave.
HOWEVER, the way the iPhone 6s and earlier handles this is that it lets the home button function as a home button (no security issues there) and just won’t let the fingerprint reader work. I see no reason why they couldn’t have continued this with iPhone 7 — there’s not too much that could be done here (maybe have circuitry embedded that monitors the circuits used by the print reader and also by Apple Pay? That’s about the only issue I could see).
Is this NOT what Microsoft got in trouble for back in the day?
When they had to release the keys to their windows so others like firefox and chrome could install their browsers on the windows platform.. I can’t remember the name of it,, but I am sure that this falls in the same…
Re: Re:
Nope; it’s not. And the other browsers were always able to install on Windows.
That legal battle – this was before Firefox or Chrome – was about Netscape wanting access to unpublished internal Windows APIs. At the time Netscape had more of a monopoly* on browsers than Microsoft had on OS’s. Microsoft didn’t want to give them access because Netscape was trying to expand its browser into a competing OS.
* That is, a larger market share. Which some still declare a monopoly despite viable alternatives.
Re: Re:
No.
Windows is an open platform; there are no "keys" required to install programs on it.
Microsoft did get in trouble for contractually obligating hardware vendors to put Internet Explorer on the desktop if they shipped their hardware with Windows. This did not technically prevent the hardware vendors from including other browsers (we’re talking about Netscape and Opera here; Firefox and Chrome did not exist yet), but most vendors opted not to put two web browsers on the desktop.
In the US, Microsoft was fined for this, monitored by the courts for several years, and forced to change the language in its contracts with vendors, and to include a program that easily allows Windows users to change their default browser.
The EU went farther, and (IIRC) forced Microsoft to bundle competing browsers and allow users to choose a default browser at first login. But that never happened in the US.
They’re really not the same thing at all, except that they’re both anticompetitive behavior by large computer companies.
Re: Re: Re:
It wasn’t so much “contractually obligating hardware vendors to put Internet Explorer on the desktop if they shipped their hardware with Windows”. Internet Explorer was part of windows and couldn’t even be uninstalled. So even using another browser you still had to have IE around.
Re: Re: Re: Re:
And that was because they started using Internet Explorer as the document reader for their help files.
Re: Re: Re: Re:
Yes, but that’s still the case (well, it’s Edge now, but same principle). The courts never made any determination that MS couldn’t bundle IE (at least, not in the US; I’m not sure about other court decisions overseas), just that it couldn’t use its dominant position in the desktop market to force it onto the desktop.
Re: Re:
Are you thinking about the TPM BIOS thing that Intel introduced and Microsoft bullied into most other Windows-compatible PCs?
That’s the one where the BIOS had to be cryptographically signed against the hardware, and any OS not signed would not boot. This of course was a problem for Linux, which is open source and doesn’t have an individual who could oversee the master key for each piece of hardware out there.
So MS and Intel figured out a way to create a bypass to the TPM check, and also agreed to hold signing keys for known trusted Linux distributions so that they could run in signed mode.
Re: MSFT
Yes, the geniuses in Washington decided to spend tens of millions because they thought it was too hard for people to download other browsers for Windows. Typical of the incredibly stupid business of D.C.
Re: Re: MSFT
And on 56K dialup, it kinda was.
Downloading a new browser in those days wasn’t a one-minute process like it is now; it was a hassle. The vast majority of users used the browser that came with their computer. MS engaged in anticompetitive behavior to ensure that OEMs would not include other browsers.
I’m not sold that this is part of a nefarious plan to prevent third parties from replacing broken hardware.
It looks like a reasonable security measure to disable a suspect authentication method.
The button serves the purpose of a regular button and a fingerprint sensor for authenticating the user. The button interacts as the button and the as fingerprint sensor with the phone through a single cable that has been effectively paired with the device. They are disabling the device entirely as soon as they detect anything that could be a man-in-the-middle attack.
While it may make some sense to only disable the authentication communication and not disable the “button click” communication, that may have actually introduced a security risk as for every bit of communication you receive, you have to do some processing to see if the type of communication was disabled.
Re: Re:
What security risk is posed by allowing the home button to take you home? And what makes it suddenly a greater risk now than when they first introduced the fingerprint reader with the 5s? And if it is such a major risk, why didn’t they explain that instead of backing down on “Error 53”? Apple has a long history of being hostile to third party repairs, so why should they be given the benefit of the doubt this time?
Re: Re:
You do realize that apple doesn’t only sell their phones to spys right? If only .01% of their users need that kind of security why are they forcing it on the rest?
Isn’t this good security? It prevents the device from being compromised by a fake touch ID sensor or some other method of getting around the iPhone’s significant security?
Re: Re:
Think about it, not only would an attacker have to have the phone for enough time to replace the reader, but they then have to get the correct fingerprint onto the compromised reader so that it can record the data for their latter use.
The get the phone, give it back, and now get hold pf it
again after it has been used is an unlikely scenario.
Re:
Except it’s not the TouchID feature that has folks upset. It makes sense that you shouldn’t be able to install a new button with new or no fingerprints coded to it. But that’s not what is happening. In addition to disabling the TouchID feature, they are simply making the entire button not work at all. You can’t press it to return home, you can’t double click to see recent apps, you can’t hold it down to access Siri. How is any of that security related? Why would the old version still function as a dumb button after replacement? Why was Apple able to back down on “Error 53”?
This is an outrage! People will never stand for… Ooh, shiny!
I know it’s wrong, but I can’t help, but think…people who buy apple get what they deserve
Re: Re:
It’s not wrong at all. Personally, I want a phone that can’t be easily hacked or monitored. I accept the tradeoff of higher prices and lack of repairability for this.
For a device for hobby development? I’ll get something with Android on it, strip out the stuff I don’t want, and assume it’s compromised from the get-go. No financial activity or other sensitive data goes on that phone, but emulators and personalized UI elements do.
Re: Re: Re:
Well I guess apple has you fooled.
Re: Re: Re:
“assume it’s compromised from the get-go”
Which is exactly what you get when you buy apple, no need to assume.
It's about power and control guised as security
Comparison to M$ is a valid one. Mid 90’s M$ discovered that Novell (their major competitor at the time) was using Visual C++ as their language and compiler for their network card firmware. So M$ _intentionally_ included a bug in their C++ compiler/linker if it detected that is was being used by Novell. Took us ages to figure out why firmware built using the latest version of VC++ would crap out (at execution time). If memory serves when M$ was confronted with this they claimed that the bug was unintentional and part of a security patch — I don’t believe this for one nanosecond, but make of it what you will.
Apple has enough people drinking their Koolaid that they can get away with crap like this.
I have no clue why there are so many Apple fans. They’re submissive in such abusive relationships.
Re: Re:
Its such a lovely looking and expensive phone that it has become a status symbol, and they are unable to lower their standards to use something else.
Apple - for people who can't make decisions
Some people find choice difficult to deal with or have a hard time remembering how a multifunction device works. For those people Apple products are perfect.
When using a PC “do I click the right mouse button or the left?!?! PCs are so confusing!”
When using an Apple they find it simple “No button to choose, I just push the mouse down! Simple!”
Apple just sucks. They are done. Too anti-consumer.
And Richard Stallman is repeatedly shown to be correct despite everyone ridiculing him over his no-compromise stance on open source. As long as these devices use closed source software – including drivers, and locks to prevent 3rd party “hacking”, you’re entirely at their mercy. No state laws are going to fix this problem entirely thanks to federal laws which preempt this very problem with copyrighted material (the DMCA). Apple also has no incentive to change their MO because of the masses of people throwing money at them ever couple of years or so for a new iPhone. Poorly drafted laws by lawyer politicians that know jack about technology aren’t going to help either, and may very well hurt instead of helping.
Re: Re:
If Richard Stallman were here, I am 100% certain that he would correct you and ask that you refer to him as an advocate for free software, not open source.
I won’t be surprised if Apple, in a few years, releases a new phone with a lot more battery capacity.
Off course it will be a non-replacable alkaline battery…
They don't want to rapair stuff anyway.
Actually they don’t want to repair their products, they want to sell new products. The fixed rapair rates are choosen carefully to encourage customers to buy a new device instead. Even Louis Rossmann’s repair shop in NY with insane rents is less expensive. It’s all about controlling products and users to optimize profit.
iPhone 7 now a brick after update
I feel cheated by Apple. My iPhone 7 is now totally useless since I recently installed the latest update. I broke my screen shortly after purchasing it and replaced it myself. That caused the home button to not function. I have been using the virtual work around on the screen. This worked fine until my grandson triggered the new update. It is impossible th activate the phone without using the home button.
I sent the phone into Apple and they said it could not be repaired as it had been tampered with by a third party. They sent it back unprepared or said I could buy a new one for $700.
As I have searched the internet, it seems that many iPhone 7 users are in the same boat.
Once again, I feel used and cheated by Apple. No options! Looking for legal recourse