Damned if you do, damned if you don’t
The empty cloud
On August 6th, 2012 an article was published in Wired magazine by Mat Honan. In the article, he relates how the accounts he uses on line were destroyed over the period of an hour. First, he lost access to accounts in Google, then Twitter, and finally his AppleID was compromised. Mats Amazon account was a connecting link between Google and the AppleID.
To hear him tell the story the damage done to his on-line presence was preventable. Mat knew better, but still did not use multi-factor authentication, or on-site backups. He then continues to talk about how the hacks happened. Someone got into a service (Amazon), harvested data from them (last four digits of his credit card number), and used that data as an identifier with the next service (AppleID). Each service had different identity requirements, and treated identity information differently.
The reports of this attack were scathing. Tech blogs posted how-to’s helping users identify if they were effected. This was negative press, and no company wanted it. Initially, Apple suspended phone password resets. This gave Apple time to reevaluate their security policy. They realized they had a problem, and moved to fix it. Two months later they announced what measures they were taking to protect their customers.
In September of 2013 Apple announced a new iPhone, the 5S. It had hardware that could read a person’s fingerprint, and use it as a form of authentication. This change required a redesign of the hardware. No longer was security a function of just software. The phone could measure a physical attribute and determine if the use of the device were authorized.
And this changed everything. Under the hood, Apple had to ensure that all components that amassed information (all the little bits of hardware, from the fingerprint reader, to the storage location, to the processor) were legitimate. If someone stole an iPhone, the thief could open it and replace components. A simplification of the way the system prevents this from working includes reading unchangeable identities of the components. The name of this system is the “secure enclave.”
Apple started its iOS security at the hardware level. They also changed the way that iCloud stored information. Apple removed themselves from the security equation. They replaced components of their iCloud security with one way functions. This means that even Apple does not have a back door to the information you store with them. If you lose a password, access to your account by Apple is prevented mathematically. This means that law enforcement does not have access either.
“You can’t please all the people all the time.”
Apple took actions to protect themselves and their customers. The move started at the hardware level, swept through changes in the software, and was accentuated by changes in policy effecting iCloud.
They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. — Tim Cook.
Customers applauded. Customers cheered. Then the updates came, and customers did not cheer so much anymore.
Error 53 first showed up around February of 2016. The unrecoverable error code shows up in iTunes when updating an iPhone to the most recent release of iOS. During the update the software identifies that a piece of hardware has changed. Maybe you took your phone to a repair shop not authorized by Apple. Maybe your cousin Frank fixed your phone for you. Maybe you wanted to save a few bucks and had your next door neighbor fix your phone.
What you will see, is this:
If your iOS device has Touch ID, iOS checks that the Touch ID sensor matches your device’s other components during an update or restore. This check keeps your device and the iOS features related to Touch ID secure. When iOS finds an unidentified or unexpected Touch ID module, the check fails. For example, an unauthorized or faulty screen replacement could cause the check to fail.
You can trust me, honest.
What, exactly, is Apple trying to protect me from? The name of this type of attack is man-in-the-middle. If I can see you when I communicate with you, I can establish that most likely communication is going directly from me to you. However, if we are in separate rooms, and someone has to carry a message from me to you, they may tamper with the message after it leaves my hands, or before it gets to you. To prevent this from succeeding we have to reach an agreement on a method for establishing that what I send, is what you receive.
So why are we worried about this in a phone? Assume someone steals my phone. The hardware inside the phone is connected together using wires. The fingerprint sensor is in a different room than the processor and the memory that compares what the sensor sees to a stored value. I could remove the fingerprint sensor and attach something that repeatedly tries to send the correct pattern of ones and zeroes until I get into the phone. This “brute force” attack is not elegant, but it is possible.
What were the publics reactions when Apple accounts were easily hacked? Class action lawsuit; of course. Right down to violations of the Magnus-Moss warranty act. Now, that we have fixed the problem, and secured everything down to the hardware level, what is the publics reaction? Class action lawsuit; of course. It is expected that the Magnus-Moss warranty act will rear its ugly head again.
At the beginning of this story, Apple was guilty of providing people what they wanted, instead of what they needed. At the end of the story Apple is providing people what they needed instead of what they wanted. What is the result for the consumer if they fall victim to error 53? The customer buys a new phone.