Apple's desensitisation of people to fundamental security practices (troyhunt.com)
110 points by Hasknewbie on Nov 15, 2016 | hide | past | favorite | 94 comments



The author himself points out in the article that Apple provides you with the necessary tools to hand Apple support a completely wiped phone as they diagnose your issue and then recover it again at home. If his point is simply that this process is inconvenient and the state of the art should be better, then I think it's a pretty weak point.

The analogy that a commenter made here about a plumber entering your home is spot on. Like the locks on a door, the security mechanisms Apple has designed are constructed to thwart breaches on a large-scale (governments) and also on a small scale (your snooping family members).

Protecting it from people who need to service it does not seem to fit any of these categories; if you cannot trust the Apple Genius in the store, it seems silly that this same person would nonetheless trust the probably dozens of people who handled the device before it was finally placed in its box. And, like the plumber, if you somehow want him in your house and you want him to provide expert advice on how to fix your problem yet you fear that he may do something nefarious in the process, Apple does one better than "keepin' ya eye on him" -- it essentially allows you to strip the house of all of your belongings so the plumber has nothing to look at but the sink. And then it lets you put all your things back in. Seems pretty good to me.


I took his point to be that Apple encourages you to go the insecure route and just trust them instead of teaching their customers good security awareness. Apple doesn't suggest to you to wipe your phone, they tell you to just trust them.

A better analogy from the physical world would be a locksmith who tells you to just leave your keys under the door mat for him so that he can come in and do the work when you aren't home.


And plenty of people would be willing to make that trade-off on security for convenience. (This is a locksmith, right? Like...you realize if he actually cared he could get in your house without keys?) Others wouldn't. Depends how sensitive your personal information is; or in the locksmith analogy, to what extent you consider your valuables irreplaceable. Seems kind of silly to expect every layperson to operate to the same security standards as a security professional. My mother does not have credentials to dozens of business systems on her phone; she has pictures of her cats and maybe a credit card account stored somewhere.


The locksmith analogy breaks down fast: the locksmith can enter into your house if he really tries, but Apple cannot enter into your phone without your help (if it can, it's utterly broken).


Remember Apple (the organization, not some random 'Genius') has code that runs as root on all Apple devices and can remotely update that code.

> but Apple can not enter into your phone without your help

Of course Apple can - that is why the FBI asked them to do just that. Apple won't as a matter of principle, not due to any technological limitation.


> Of course Apple can - that is why the FBI asked them to do just that.

If they can, it's broken. Do not buy those devices.


You are hopelessly naive. Do you have some method for independently verifying Microsoft and Google cannot remotely access their respective consumer OS's that you'd like to share with us?


Your analogy isn't correct.

It's more akin to leaving the car keys with the manufacturer when you are getting your car serviced.


...with all your personal information (bank info, passwords, etc.) written down on a notebook left on the seat of the car? Then yes, the car analogy works.


And you can choose to take those personal items out.


A choice which is not offered to you by Apple. They are neither explaining what it means to give them the unlocked phone nor telling you that you have the option to wipe the phone before handing it to them.

You are supposed to know that beforehand, and they are even discouraging you from considering that there are some issues with handing over an unlocked phone, which means 95% of their userbase are not aware that there are security implications.


The Apple Genius should tell the customer:

You have two options: either you give me your unlocked iPhone and I, and any of my colleagues, could steal any information from your device, or you back up and wipe the phone before giving it to us.

That is, Apple should make very clear what it means to give an unlocked phone to an untrusted third party - even when that party happens to work for Apple.

Let's not forget that, by definition, Apple the company is also an untrusted third-party (not only the Apple employees).


> Let's not forget that, by definition, Apple the company is also an untrusted third-party

Maybe in theory. In practice, the devices trust all software updates signed by Apple's certificates. Who knows what other trusted diagnostic hardware exists 'at the back' referred to in the article.


>The author himself points out in the article that Apple provides you with the necessary tools to hand Apple support a completely wiped phone as they diagnose your issue and then recover it again at home. If his point is simply that this process is inconvenient and the state of the art should be better, then I think it's a pretty weak point.

An anecdote from a long-time Nexus owner: last year my Nexus lost the ability to charge via its USB port. After a short while on the phone with Google (who, contrary to other anecdotes I've read here, does have good customer service in my experience), they overnighted me a brand new phone at no charge. They too provided me instructions on wiping my phone before sending it back, but they also provided me a brand new device without ever having to hand over my old one for evaluation first. It was easy enough to set up the new phone, since my old one had plenty of charge when the new phone arrived the next day.

Does Apple do this? Is it a requirement to bring your phone into an Apple store or ship it to get replacement equipment? If they provide similar service as Google gave me, this seems more like a complaint about Apple Stores or their employees, and not Apple.


You can call and get a new phone, and send your old phone back in the same box.


I think the author's main point is that Apple's process violates the principle of least privilege. Technicians shouldn't require access to the software in order to repair a hardware problem.


> plumber

Is Apple support bonded and insured, so the risk to the customer is limited? Do they follow a code of ethics[1] that creates requirements to, for example:

    ...act as a trustworthy and fiduciary agent
    for each employer or client, shall seek
    no favors and shall not profit or misuse
    confidential client or employer information.
[1] https://www.aspe.org/codeofethics


This is similar to a fundamental disconnect that I've observed between lawmakers and tech guys.

Tech guy: "This process is obviously broken. Any cop could spy on me with this!"

Lawmaker: "Oh, don't worry. There's a law forbidding that."

I'm under the impression that some lawmakers actually think that a law forbidding snooping will keep snoops out.


I don't know, this feels like a case of "you're going to have to let the plumber into your house if you want him to fix your broken toilet." If you're buying Apple products and asking for support from them, you're implicitly trusting them anyway. Apple likes to advertise their security greatly; but in fact, I think "we own you so you can be protected from everyone, including yourself" is probably closer to the truth.


There's a difference between trusting Apple as a company and trusting random Apple retail employees. A rogue admin could try to extract user data from servers, but I expect Apple has at least some processes in place to prevent that. A rogue programmer could try to get malicious code shipping in an Apple OS or on their servers, but that would be risky and easy to get caught doing. On the other hand, a rogue retail employee given an unlocked phone would 'just' need to surreptitiously tap around a bit to copy data off. And they're paid a lot less anyway, which matters if your threat model isn't the NSA but random criminality.


Following the plumber metaphor, at least we were able to monitor the plumber's actions and it affects mostly the toilet. While what Apple is doing is more along the line of "give us the key to your house, we will fix your toilet".


People put plumbers/babysitters/cooks/helpers/professionals of various kinds in their houses that they don't monitor.


Plumbers (reputable ones, anyway) are generally bonded and insured so that customers know they will do what they say they will do without causing undue damage (see https://www.angieslist.com/articles/hiring-contractor-whats-...).

Does Apple provide any insurance to protect/reimburse the customer if a Genius misuses their access to the customer's device?


The plumber analogy is a bit silly, as it is not access to the hardware of your phone that the author is objecting to (which would be analogous to your home), it's the confidential private information that is stored on it. The issue is not that you think the Apple store employee will steal the 128G of flash memory from the hardware of your phone, it is that he will copy credit card or other personal information from your phone. The assumption here is that having access to an unlocked phone gives access to these things.

Yes, people do give service professionals access to their homes, but unless they are hopelessly naive they don't leave credit cards, money, jewellery and guns around.

If you read the fine print in the agreements you make to have such items you explicitly agree not to allow other people access to them.

The scary thing is that responses here don't seem to be playing the devil's advocate and actually seem to be believing this is OK.


Yeah, I don't get it either. It seems like a weird thing to choose to complain about. Especially because there are conceivably lots of potential things wrong with a phone that would require being able to log in, or for which being logged in would make diagnostics a lot easier.


Bring the diagnostic machine out front?


And how would you know whether that machine is really doing what it or its operator is telling you it's doing?

Ultimately, it is an issue of trust; and I argue that the relationship of trust with Apple started the moment you decided to buy an iPhone, and continues to apply when you ask Apple for support.


Apple should be a good citizen and copy your selfies off your phone in front of you instead of taking it in the back.


Or you could always just click on "Backup", erase your phone, and restore it after you get it back. Apple has had iCloud backup since 2011. It's had tethered computer backup since day 1.


> If you're buying Apple products and asking for support from them, you're implicitly trusting them anyway.

Trust is not binary or one-dimensional. You have no choice[1] but to place some hope in them working in alignment with your interests when they build the product, but it doesn't mean you should be careless about retaining some control in the process when doing business with their retail staff. Their staff is human and heterogeneous, and you know there are more levels of QA in the phone production process than in the customer service, and customer service employees have much lower risks of getting caught & much less to lose career-wise than iOS engineers if they violate your privacy.

People complain about Facebook and Windows 10 too. "You're implicitly trusting Facebook/Microsoft anyway" is not really true there either, you're just tolerating their privacy behaviour in exchange for value, and hoping to escape harm.

[1] If you want a smartphone, that is (the competition is worse)


And he's backing up the phone to iCloud anyway.


This is a really bad piece. The alarmist tone is not appropriate. News flash: when you give a stranger your phone, they have access to your phone!

The hyperbole is shady. I like some of troy's work, but this post just further exacerbates the "Chicken Little" stereotype of Security Advocates.


Although I find the title and tone of the piece a bit meh, he still had a point: Apple is targeting non-tech users who are not familiar with backups, let alone infosec. It is Apple's responsibility to ensure the safety of the data they're asking for, which as the Brisbane news he's pointing to indicates, they're not doing.


'A bit meh'? This might be the most hyperbolic headline I've seen on here in years.

The users Apple is 'targeting' (an odd choice of words; most would use 'customers' here) mostly don't do anything so sensitive with their phones that they need to worry about bad actors within the company which sold them their phone in the first place. In the rare instance where some Apple tech starts stealing nude photos or credit cards, they will be fired, probably prosecuted, and the customer will recover. Big whoop.


Linked in the article: http://www.brisbanetimes.com.au/queensland/apple-store-photo...

>The Australian privacy commissioner will call on technology giant Apple to explain reports of staff stealing, sharing and ranking of customers' explicit photos.

I have no idea why people think this is a crazy hypothetical. Of course some techs will look at your nude photos. And in this case, copy them, post them online, and rate them.


I am with the OP on this one; there's a lot of things they could have done to diagnose the device whilst preserving the safety of his data. Also there was a recent case he linked to in his tweet where Apple employees were lifting personal images off their customers' phones...

Troy has done some excellent work on security and I for one applaud his attitude.


I don't know about the author of the article, but personally I would be even more worried if I handed a locked phone over to a tech and they said "Oh, don't worry about giving us the unlock code - we have ways to get around that easily..."

The fact that tech guys cannot easily get into a locked iPhone actually gives me better peace of mind.

At the end of the day, as others have said - It's like handing over the house key to a tradesman, or your car key to a mechanic (I do both on a routine basis, once I have vetted the other party). End of the day, it is about making their job as easy as possible, and some semblance of trust is required if humanity is to keep moving forward.

I wonder what the author would say if he went to his employer or a client site to diagnose a network issue and they refused to give him any admin passwords. Sure you can diagnose a DNS or firewall issue without the domain admin password, but having it surely makes the job a LOT easier and quicker.


Exactly. I found it odd that he claims to be a security guy yet repeatedly says Apple should have some way around a locked phone. No solution offered in the article...


> if there's a hardware issue that requires the device to be taken "out back", then there should be a means of diagnosing faults on a locked device.

A dangerous suggestion.

A better policy might be for Apple to require its users to back up all their data, wipe the phone clean and hand over an unlocked device. After getting back the device, you could sell it on eBay, like OP suggested, or wipe the device clean in case you suspect malware was installed and continue using it.


"Back up your data" is actually a requirement when you schedule an appointment at the Genius Bar. It's written on the web page after confirming and if I recall correctly it's also written in the confirmation mail.

The OP said that he had the option to instantly wipe his device and restore it back home. But he chose to buy a new iPhone for "convenience" because the process takes time.

Last time I got my phone serviced (and ultimately replaced, so I had to wipe), the Apple employee even let me back up to iCloud from the store wifi so I wouldn't lose the last data of the day.

PS: It's totally the locksmith case, except that (in theory) even if they wanted to, Apple can't get into your phone without consent while the locksmith can lockpick.


There's a catch though. Some settings don't get carried over to iCloud (I recently upgraded to iPhone 7 from iPhone 6), and for many heavy users the free iCloud storage is not enough for backup nowadays.


And that's assuming all the sync and backup worked well, which even on day-to-day use between an iPhone, iPad and Mac can be a bit of a pain (pictures not syncing, etc.) Given their insane means, I don't know how Apple manages to fail at providing at least working cloud/sync services, let alone performance in that regard. But there it is, iCloud services are a dumbed down mess that may or may not work.


And overwrite is automatic. I don't think there's even snapshot feature so in case of some horrible incident I can retrieve back the old version. I could be wrong.


Ideally people would be much better educated on wiping devices before they hand them over, but that probably won't happen.

Of course I don't know of a better alternative so... who knows.


Huge help he's giving his son by teaching him basic security practices, but also how to type on a damn keyboard.

I volunteer with an engineering education camp over some summers and kids are totally unable to do anything with a normal computer. We try to start teaching them programming through writing Minecraft mods and we require that kids have a little bit of experience with Minecraft, but half the kids that come in have NEVER used a computer that wasn't an iPad. In their lives. We have to show kids how a keyboard works, and their point of reference is the virtual one from a touchscreen.


Assuming most people will live in some Augmented/Hybrid reality by the end of the next decade (2025-ish), the likes of Magic Leap, it seems that a physical keyboard will gradually become too cumbersome an interface, largely relegated to very specific use.

The question is whether or not speech (or even thought) recognition will be good enough to properly replace 99% of what a keyboard empowers you to do -- probably easy for most messaging/writing, perhaps a bit harder for coders as you wouldn't be efficient spelling out every symbol.

Then we'll really have entire generations who never used a keyboard and don't really need to. Except coders, maybe, which rarely account for more than 2-5% of the population. And it seems all too natural that we'd create "natural speech coding languages" that properly fill in the blanks to convey the programmer's logic (e.g. just saying "if i=0 given i++ while i<10 then do this else do that"). This could probably be enough for most of the code out there. Soon enough, you'd actually just spell the logic in plain English and the interpreter would code it for you.

It's basically the idea of moving ever closer to Star Trek's computers, naturally human interfaces.

Your comment is both frightening looking at today (and yesterday) and at the same time a probable clear indication of the shape of things to come.


Wow how old are these kids? That makes it sound like we're a generation away from using tablets 100% in place of generalized desktops.


I never took data down but I'd say most are in the 10 to 12 range, with a couple outliers above that. Next to no kid below 10 has touched a keyboard.

I don't live in a tech-y area either, and the kids come from a lot of diverse backgrounds. It's just that kids' first introduction to computing is always an iPad. Makes the job of educators a lot harder :/


Believe it or not that makes me worry a little less. My keyboard classes didn't really start until 7th grade I think. Tablets are great. My guess is they're easier to lock down for kids, but also expose kids to modern concepts (passwords, websites, idk what else). It's probably fine so long as they sooner than later learn to type. Now, there's the worrying number of hunt-and-peckers I see in the IT department at work...


> We have to show kids how a keyboard works

Interesting. I wonder if any parents nowadays teach their kids to use dvorak, colemak or other alternative layouts?


I would love for the iPhone to have a "guest mode" for the times you need to loan the phone to someone for a quick call, and that would work for Apple Store diagnostics as well.


It won't work for Apple diagnostics, but there is a guest mode of sorts.

Settings > General > Accessibility > Guided Access

With the above option turned on you can enable triple-tap of the home key in the Phone app so it can only be used for dialing calls; prior calls or anything else in the phone can't be viewed until the passcode is entered.

EDIT: I use this all the time, just make sure you draw the 'no go area' around the buttons at bottom of dialer app and you can also disable physical buttons as needed this way too.


I never thought of this for handing over your phone (though I use triple-click home instead to super-darken my overly bright iPhone7 screen) [1].

I just wish the guided access had more fine-grain controls on touch areas - some apps you have to block out both orientations and/or lock the rotation. I mainly use guided access for my kids.

[1] https://9to5mac.com/2016/03/18/how-to-reduce-iphone-screen-b...


Android has had a very functional guest mode for at least 3/4 major versions now, as well as multi-user support.


You need to explicitly turn off "find my phone". Not sure the exact reason why, but I know that it has something to do with iOS security.


Find My iPhone locks the phone's serial number so it can't be wiped / activated with a new account. Turning it off allows the phone to be re-activated under a new iTunes account.


The iPhone can't be activated without FMI being switched off.


Last time I needed an iphone repaired (a 1 hour in-store screen replacement), they asked me to write down my passcode on the repair authorisation form! They also seemed really offended when I said I'd rather erase it instead.

Apple could do a much better job in this department.


Anecdata: I've always insisted on wiping devices over providing passcodes/passwords and I've never gotten any negative vibes about it.


I am not sure why this article is raging. Before I go into the Apple Store for a hardware issue, I backup my phone, and just erase it. They usually take an hour or so to fix it and I just restore it and I am up and running again. Am I missing something here?


He explains it later on in the article:

  I could have wiped it there and then, handed it over and later restored from last night's iCloud backup, 
  but I don't like not having a fully working outgoing device before doing a restore to a new one. 
  I also don't like the lag time due to poor Australian internet and 
  whilst I could have driven home and done a local backup to iTunes, 
  there's still the need to reconfigure a bunch of things that don't cleanly restore


>but I don't like not having a fully working outgoing device before doing a restore to a new one.

https://www.youtube.com/watch?v=bwvlbJ0h35A


Oh the humanity! Life without a "fully working outgoing device"... can we even still call that life? I wonder how he copes.


Wah.


Yeah, you're missing that it's a major PITA to do that, and something may go wrong, and it's not scalable to non-techies.


- It's not really that difficult
- If you're really paranoid you can restore your backup into a second device (you aren't really paranoid if you don't have a second device)
- See point 1; it's so easy my mom could do it.


Can we please stop using the word "paranoid" with respect to security? Security doesn't happen by passing the responsibility back onto the user. I don't care if the actual task is "easy" (a subjective term); by judging levels of "paranoia", you are saying everyone should have to make a value judgment about the value of the data on their device, the probability that the store employee will attempt to abuse his or her position, and have enough education in the field of computer security to even begin evaluating the "value" of data.

The entire point of this article was that Apple shouldn't be requiring bad practices that require either teaching bad lessons or preexisting technical knowledge about the existence of and need for a workaround.

A good example of a similar principle are the modern rules for gun safety[1]. One rule is to never put your finger anywhere near the trigger area until just before you intend to fire. Nobody should be judging if a gun is safe, because accidents happen when someone makes an incorrect assumption or mistake. Instead, anybody handling firearms should be in the habit of following basic safety rules. Safety - aka "security" - happens by minimizing risk, and the way to get the average person to minimize risk is either by making failure modes impossible, or by teaching and encouraging good habits.

[1] https://en.wikipedia.org/wiki/Gun_safety#Rules_and_mindset


So many people are missing Troy's point and suggesting that he could wipe the phone, or you can trust Apple like you trust a plumber.

It's a hardware problem. Can't Apple as the hardware manufacturer create a sandboxed service area on your phone where they and their genii can do diagnostics? Does it really take every person with a hardware issue to either hand-over their entire device unencrypted or wipe the device before giving it to the manufacturer for maintenance?

Imagine if you could let a plumber into your house, but they could only see the plumbing! They would have no access to all the goods in your house. Isn't that what we should be aiming for with technology? Don't try to put real world constraints where they shouldn't exist. I can already create a sandboxed 2nd user on my device, why can't Apple do this themselves, just for them, with the correct hardware or whatever. Or why doesn't Apple recommend people do this before handing over the phone.


Several years ago, I took a white MacBook in to the Apple Store to have it looked at. The white plastic around the front corners had started to crack and chip off. It didn't affect the functionality at all -- it was only cosmetic -- but I wanted to get it fixed.

Apple said they'd have to send it off to fix it. It'd be about three weeks before I'd get it back and, yes, they'd need my password -- to fix a purely cosmetic issue.

The next day, I took it to a local AASP and showed it to them. They said they'd order the part, get it the next morning, and I could pick it up the next afternoon. No, they didn't need my password.

When I went back to get it, they had fixed it and it was just like brand new. Oh, and they had run some type of diagnostic tests on it, found that the DVD drive was failing, and went ahead and replaced that for me too -- without my password!

It was all covered under AppleCare and I didn't have to do the backup/wipe/restore dance.


I found this article it links to more alarming: http://www.brisbanetimes.com.au/queensland/apple-store-photo...

>The Australian privacy commissioner will call on technology giant Apple to explain reports of staff stealing, sharing and ranking of customers' explicit photos.

I think this is important, because all the comments so far are about how this is a crazy hypothetical scenario that no one should be worried about. It's not.


Exactly. With Apple's track record, the author has every right not to trust Apple with his device's security, no less so because he is in security himself and regularly gets notified of hacks / data breaches - presumably on his phone. Australia Red Cross Blood Service and Cap Gemini being the two most recently published.

He is not being alarmist; it may only take a few rotten apples to spoil the barrel, but boy did it get spoiled.


My laptop was accidentally switched up at PDX once. I was coordinating to have it shipped back and the lost and found employee asked me to provide my password to prove that the laptop was mine. I had to insist on providing the full serial number a couple of times before she agreed.


> Genius (and I'll be using that term sarcastically from here on in)

Slightly off topic, but it really bugs me when people ridicule these workers who are just doing what they've been instructed to do. Seems to happen all too often when discussing the Genius Bar.


I think he's ridiculing the names "Genius" and "Genius Bar", not the workers.


Maybe, but it can easily be interpreted as mean spirited, and added nothing at all to the discussion.

A Microsoft MVP probably shouldn't be throwing shade at another company's marketing term.


Seems to me it is rather agnostic, entirely directed at the fact that with "Genius" comes certain higher expectations.


I mean, I agree with the premise, but is handing over a locked phone to an untrusted third party any better than an unlocked one? Doesn't physical access always mean game over? If they know they're returning the device to you, can't some sort of hardware interception, keylogger, or listening device be installed inside the phone?

https://www.reddit.com/r/AskNetsec/comments/2ehk06/why_does_...


>It's a hardware fault and no, I can't give it to you unlocked, I'm a security guy and I think about these things.

Yeah, because they will be magically able to test it and fix it while locked...

/facepalm


That hasn't been my experience at Apple at all. After the "has your phone been wet" interrogation, they've suggested that I wipe the device.


Doesn't match any experience that I've had with the genius bar.

In all cases that I can remember I've been told when making the appointment to back up the device prior to the appointment and every time the device has had to go into service the genius person has had me wipe and factory reset the device in the store before they take it off me.

Anecdotal for sure, but so is the original article.


> Genius: Uh, no, we need it unlocked.

Tell them you are okay with them not being able to run diagnostics on completing the repair; yes, you understand this may leave the device badly calibrated. Don't waste time arguing; escalate until you get someone who will accept your locked phone.

I go through this every time I use Apple's Genius bar. Only once did I have to wipe, and that was with a Mac.


On Mac you can enable Guest Mode which does the trick.


Is this article really using both "think of the children" and "Apple is terrible" to get people riled up?

You can back up to iCloud and reset the phone. When getting it back, log in and wait 30min, everything should be there.

You can't diagnose hardware problems without access to the software and any limited "service mode" is just a backdoor in waiting.


Provided they really do require authorization to perform any actions on the phone.

That would prevent anyone from modifying your phone without your permission. Such as flash the BIOS or something more malicious. Again provided authorization is required to perform those actions.


Just wipe the phone & hand it to them. It doesn't take long to reset all content & settings. Restore it (from the backup you made right before leaving the house. You DID back it up before leaving, right?) as soon as you get home.


Fundamentally flawed article; stupid.

The author doesn't seem to get that if Apple could run arbitrary software on a locked phone, THAT MEANS IT IS NOT SECURE TO BEGIN WITH.


Do you imply that an iPhone is not secure?


No they're saying arbitrary code execution on the phone would be insecure, perhaps in a slight misunderstanding of what the article suggests, but true nonetheless.

I too am wary of a diagnostic partition/back door as an answer to this conundrum as it seems like it just introduces another vector for attack. We can say "just make it secure" or "don't give it access to do malicious stuff", but the nature of jailbreaks on the iPhone relies on bugs in otherwise innocent functions. Jailbreaks are just exploiting the phone security.

The author seems to be of the opinion that there should be a hardware test that doesn't require actual access to the phone, which is probably true -- they likely could just swap the speaker in this case and call it a day. But many of the hardware components are integrated on the iPhone and I'm not sure there's value in a dedicated speaker test device or a limited hardware test device like that. Similarly, quality testing afterwards would best be done before handing it back to the customer; it's pretty lousy service to hand back a fixed device for it to just not work again, and at some point to ensure that you've solved the problem you need to get into the phone.

I don't know what the full answer is here, since the core problem seems to be that Troy doesn't trust Apple. As others have said, you give up your car keys when you get your car repaired. You let the plumber into the house. At some point trust has to be there, and people need to be held accountable for violating that trust. Geek Squad violated that trust without real penalties multiple times, so it's a legit fear. But Troy seems really intent on distrusting Apple -- that's fine, but he needs to realize how that's in direct conflict with how support works. Does he insist on the same security for his car? (i.e., no keys for the mechanic?)

As for a solution, maybe an iPhone onsite imaging tool: some small microboard attached to a RAID box that quickly pulls an encrypted image and stores it temporarily on site. The tech can test it on a vanilla install and then restore it for the client. I don't know if being able to restore the image would violate the iPhone security, though...


I read it more as that he does trust Apple (who could remotely update his phone with backdoors, read his iCloud contents or ..., but likely has strict controls in place against this), but he doesn't necessarily trust a random individual Apple employee who has unlimited and unsupervised access to his phone. Especially since there are documented cases of store employees copying photos, less so of Apple actually compromising user data if avoidable.


I agree that it's not the best case that Apple needs to bring it "in the back" and needs to unlock it, but if you can access the phone's diagnostics from outside the locked phone then it's already insecure. The fact that even Apple has to have me unlock my phone tells me that not even their diagnostic tools work outside the lock screen. That sounds beautifully secure to me. And I agree with userbinator in that "you're going to have to let the plumber into your house if you want him to fix your broken toilet."


Funny, he doesn't care that full, unlocked iPhone backups are being uploaded to Apple servers and are freely accessible. It's not like there are full iMessages, iPhotos and other app data in them!


Freely accessible to random employees, without anything in place to prevent that? Source for that claim?


Suppose I submitted this story with the following headline:

"Microsoft MVP has problems with Apple's security policies"

The article is actually a good read. I think the message needs to reach everyone - although I am sure the irony is not lost on the people with slightly longish memories about Microsoft's security track record till very recently.

In any case, I am sure someone would come in and change the headline and ask me to cut down the hyperbole and focus on the message.

This exact response needs to be sent to bloggers who write these click-baity headlines. The fact that some of them are experts who do know what they are talking about actually makes it more cringe-inducing, not less.

Oh, and no, the developed countries do not make up the entire human race (even if people in insular Australia might sometimes think so - see what I did there?), and many many people in the rest of the world don't even have Apple devices.


It is somewhat ironic that he quotes a tweet about a Surface being repaired in sight without asking for a password, when MS now forces all kinds of telemetry and spyware on their OS.

Edit: You can add insult to injury in that an MVP has a problem with a Genius... Oh, this is a nice story!

