Apple's New Proprietary Software Locks Kill Independent Repair on New MacBook Pros

Apple’s New Proprietary Software Locks Kill Independent Repair on New MacBook Pros by Jason Koebler

[…] According to the document, which was distributed to Apple’s Authorized Service Providers late last month, this policy will apply to all Apple computers with the “T2” security chip, which is present in 2018 MacBook Pros as well as the iMac Pro.

The software lock will kick in for any repair which involves replacing a MacBook Pro’s display assembly, logic board, top case (the keyboard, touchpad, and internal housing), and Touch ID board. On iMac Pros, it will kick in if the Logic Board or flash storage are replaced. The computer will only begin functioning again after Apple or a member of one of Apple’s Authorized Service Provider repair program runs diagnostic software called Apple Service Toolkit 2. […]

Next-level, really. 🥊 off!

This is a repair model that is similar to that used by John Deere and auto manufacturers, who often prevent owners from repairing their own tractors or cars

Apple’s secret repair kill switch hasn’t been activated—yet says iFixit.

These kinds of shenanigans are undermining one of the core principles of Apple, i.e. making robust and durable devices by harmonising software and hardware. That was the reason why I switched to Apple a while back, and that is why my 5-year-old mid-end (at the time) MacBook Pro is still outperforming my brand-new high-end Windows computer in many ways. But I’m hearing more and more of these things, like the increased difficulty of maintenance and repair, as well as performance throttling for “battery life”. I wonder if it’s not more profitable to invest in a new type of business model - and device, accordingly - instead of resorting to backhanded solutions, which are steadily killing their image.

I find that a helpful feature that ensures you can use your phone for longer even when the battery is in bad condition. The phone will last longer on one charge albeit with reduced performance. There’s always a tradeoff between performance and battery life. I appreciated it on my phone, an iPhone 6, until I recently changed the battery (BTW changing the battery made the screen more responsive as the battery had swelled and the increased pressure on the screen was reducing its responsiveness, especially in the bottom left corner; that’s similar to the impact from a swelled battery on the trackpad on the old Black/White MacBook).

The issue with this was the initial lack of transparency, not the feature itself.


In addition to the right to repair awfulness of this, I think this might (could) backfire for Apple for the demographic who see Apple devices as more privacy-respecting than others, safer for journalists, dissidents, etc (e.g. Zeynep Tufekci, Aral Balkan etc.)

It includes the Mac Resource Inspector, which does a “quick health check of hardware and software,” as well as tools that check the system’s memory, display, power adapters, cooling system, and other aspects of the computer. It functions only if connected to Apple’s Global Service Exchange (GSX), a Cloud-based server that Apple uses to handle repairs and service. It requires a login from Apple to access.

The iFixit article guesses that the Apple Service Kit 2 software might track part serial numbers, linked to a particular service store. Given it has to be run on the individual’s own device, definitely a possibility it will link this to a specific device serial number. I didn’t see any specific mention of it in the articles, but it seems a reasonable assumption that Apple somewhere has a log of laptop serial numbers and customers. So if you take your MacBook in for repair you could theoretically be pinpointing your location in the world, and who knows whatever else information the software scans for, and sending this to Apple. If I was a political dissident I’d be pretty worried about that. It’s MacBooks now, but maybe iPhones next?

Even just for general citizens you don’t want black-box software that phones home to someone else’s server running on your machine. Apart from everything else Apple should explain exactly what this “quick health check of hardware and software” actually is and they should make their AST2 software publicly auditable.

What is your threat model? If I was a political dissident I’d be more worried by other things than the fact that I’ve visited an Apple Shop.

Before servicing a device Apple will check its warranty coverage. Apple maintains a database of all the servicing it has done. I suspect other brands do the same.

Most OSs do phone home in one way or another, and you have to spend time to harden them in that respect if it’s important to you. There were some concerns a few years ago with the default ntp server used in some Linux distro (can’t remember the details but it must be somewhere on the web). Apple devices use an Apple ntp server by default. This is a common, often overlooked, protocol that regularly calls home by design.

On macOS, if this concerns you, you may want to check out Objective-See’s LuLu, a free, shared-source firewall for macOS. Of course whether you trust its author, a Mac security specialist, who has created many convenient security-related tools and… who used to work for the NSA is another story!

Agree re demand for more transparency.


Haha, true! Perhaps not the most pressing threat 😄 However I would suspect Tufekci, Balkan et al would recommend Apple devices less for privacy-concerned journalists, dissidents, etc, should Apple pursue this policy. If you simply cannot continue to use a damaged device without taking it to an Apple approved store that reports back on your servicing, along with other unspecified pieces of information, to a central database somewhere, it’s not a very good precedent to set.

That needs unpacking. I agree with you about the right to have your device repaired wherever you want by whomever you want. However, if you bring it to Apple they’ll record some information. And they’ll also record information when you use their Store and similar services. (And I believe it is similar for all brands, with Google being worse as they monetise this information). It also helps them with fraud:

At its peak, Apple was seeing 60% of warranty repairs in China and Hong Kong as being fraudulent, literally costing Apple billions of dollars per year. […]

Apple retail had taken a very laid back approach, swapping out faulty iPhones as long as they didn’t appear to be intentionally damaged. It had been estimated by executives that fraud represented less than 10% of claims.

However, in 2013, an Apple data scientist counted the number of iPhones that switched Apple IDs after being repaired. This provided a very good estimate of the number of fraudulent replacements, as legitimate customers would naturally log back in to the same Apple ID they were already using. Criminals getting repairs for stolen iPhones lit up like red flags across Apple’s system. The problem of iPhone repair fraud was finally taken seriously inside Apple.

This counting showed the actual reality; more than 60% of repairs in China were fraudulent. The Information says that in the 2013 financial year, Apple had set aside $1.6 billion for warranty repair costs. The company ended up spending $3.7 billion in that period, with much of that gap explained by Chinese fraud.

According to Duo Labs’ Secure Boot in the Era of the T2, with the T2 chip

Apple should be lauded for trying to bring their laptop and desktop lines into the same defensive posture as their mobile offerings.

The criticism of Apple in regard to the T2 chip has been IMHO too blunt. That Apple may use this to limit repair is a serious concern, but creating a secure computer is difficult and the T2 appears to offer several security improvements. How to resolve the tension between open and repairable systems and secure ones is non-trivial. From a security point of view you’d want a trustable path from boot to a secure screen enclave (so you can trust that, for instance, the displayed banking information comes from your bank, and that it can’t be copied by another app). Such a path goes through many elements of a system, many that one would want to be able to repair on their own or using an independent repairer. Degrading functionality may be a way forward (as happens with iPhones when you change the home button and the home functionality keeps working but the fingerprint functionality doesn’t). It’s a complex topic and I find the discussions I have seen so far have been too simplistic.

Update: just found out about a very interesting presentation made by Mike Lynn at Objective by the Sea (the recent macOS security conference organised by Patrick Wardle, ex-NSA software engineer now developer of security tools): Aliens Among Us:

But whereas normal Macs have a single heart under the hood, like The Doctor, T2 Secure Boot Macs have two. And the deeper you look, the more differences you see.


Agree that it’s complicated. Wondering what Ross Anderson has to say on the matter? Haven’t seen anything yet. He seems very lucid on the real costs of security, but also very pro-repair and longer-lasting devices.

Recently someone was challenging us on Twitter on the very same points, and iFixit does not seem too helpful, except to raise the alarm about possible problems.

Isn’t in the end what is called for some “auditable” firmware, as suggested by Alison Powell at Fixfest last year? She also cites the example of Android as exemplary (!) as possible in respect to allowing users to customise but still benefit from the system. Obviously she says there are numerous issues to work out… She starts on this around minute 13:

Ross Anderson clearly understands security at a deep level and was pro-repair in his Restart Radio interview, so would likely be a very cogent interviewee on this complex topic.

Alison Powell at FixFest seemed to be talking more about application level security. Also the possibility of doing an audit is not helpful if you do not have competent independent expert(s) doing the audit and you also need to ensure that the code you are using is the one that has been audited. I.e., it may be part of the solution, but this is far from obvious.

I looked a bit at the security aspect many years ago when working at Symbian. We looked at ways to provide a secure path to a display. This was never implemented. One solution could have been to have a separate display (or part of the main display) not accessible at all to third party app. IIRC we were thinking purely in software terms, and not about someone replacing components; that would also likely invalidate any security guarantees.

If I understand correctly some of the points made by Alison, she’s suggesting the possibility of a trade-off between security and repairability made by the end user and the manufacturer at any point during the lifetime of the device. That would work only so far as lapses in security may affect more than just the end user (a reason for instance most banking software does not work on jailbroken devices).

Thanks for sharing @Panda - interesting re “secure path” to a component.

Just to say that her main area of interest is open hardware and #IoT so I imagine she is interested in firmware and hardware, it’s just she didn’t have time to go into detail at Fixfest.

She does mention the thornier security issues of “ecosystem” when speaking of Android… and again not enough time…

Just adding this link to the mix: https://www.forbes.com/sites/jasonevangelho/2018/11/13/apple-warns-newer-macs-have-a-serious-limitation/#7db90309e90e


That article makes the obvious point (so obvious that we haven’t stated it explicitly so far in this discussion) that:

it’s entirely possible a simple software update could activate this “kill switch” across the board. Or it could already be activated on certain machines or models. We simply don’t know. And that’s a reality no one – except Apple – probably wants.

This lack of transparency is definitely part of the problem. And this is made worse when the manufacturer, Apple here, may change how things have worked in the past with no prior discussion nor even some publication about what exact changes will happen and the motivation for these changes.


We are actually now planning an interview with Alison Powell for an upcoming Restart Radio episode - to talk about the security implications of the right to repair.

(Alison was mentioned earlier in this thread, you can listen to her talk at Fixfest 2017 linked above, or read her here.)

Any burning questions you’d like us to ask her? 🎙️


TidBITS has published What Does the T2 Chip Mean for Mac Usage? which looks at the pros and cons of T2-equipped Macs.
