Apple's secret iPhone calibration machine and its Touch ID sensor will allow it to monopolize the repair industry.
Last week, the Wall Street Journal reported that the next iPhone will have some significant changes. The report notes that the next iPhone will not have a home button and will instead be made of a single piece of glass, a long-rumored and seemingly inconsequential move that is in fact central to an ongoing and hugely important legislative struggle between America's largest company and thousands of independent smartphone repair shops.
Moving the Touch ID fingerprint-reading sensor from the home button into the screen itself will have the side effect of giving Apple a straightforward path to monopolizing screen repair. The move could give Apple unprecedented control over the ownership and repairability of your phone, which means that in the very near future, it's possible that the only company that will be able to do a simple iPhone screen replacement will be Apple itself.
If the Wall Street Journal report is true (similar things have been reported by Bloomberg, and featureless, buttonless fingerprint-reading technology has been patented by Apple), the development could hurt thousands of independent smartphone repair companies around the United States, and it threatens the very concept of phone ownership. The move would combine the only part of the iPhone that can currently be replaced only by Apple (the Touch ID sensor) and the most often broken part of the iPhone (the screen) into one part.
The removal of the home button would be an instant death blow to many of the roughly 15,000 independent smartphone repair companies in the United States, most of which are small businesses that work primarily on iPhones and specialize in screen replacement.
A few caveats before we get to the meat of the matter: Even if Apple decides to not get rid of the home button in the next iPhone, the way the company currently handles Touch ID replaceability is still central to the ongoing right-to-repair legislation currently being considered in eight states; this matters, even if Apple kicks the redesign further into the future. This is because Touch ID is the only part of the iPhone that has a software lock preventing repair, and Apple's lobbying against this legislation has been focused on protecting that software lock. It is also entirely possible that Apple makes Touch ID easier to repair with the next iPhone by redesigning its software; this would be a good result.
How independent iPhone screen repair works today
If you crack the screen of your iPhone and take it to a third-party repair company, a technician can swap your broken screen for a new one. This screen may have been salvaged from another phone, or it might be an aftermarket part bought from any number of factories in China. These aftermarket parts are of varying quality—some are as good as Apple's original parts, others are less good. Regardless of the quality of the part, however, the repair tech never replaces the actual Touch ID button. Instead, they will swap it from your old screen onto your new one.
The Touch ID sensor is paired with the "Secure Enclave" chip inside of the phone, which you may remember from the Apple vs. FBI encryption debate from last year. The Secure Enclave stores your fingerprint data, passcode, and other cryptographic information using a built-in random number generator. The security features that have to do with preventing repair, it should be noted, have nothing to do with the overall encryption of data on the iPhone. For the purposes of this article, accessing the data stored within the Secure Enclave is functionally impossible without entering your passcode to unlock the phone.
Because fingerprints are stored on the Secure Enclave and not on the Touch ID sensor itself, it is impossible to save an unlock fingerprint on one phone, physically transfer that sensor to another phone, and unlock the second device using the fingerprint from the first. This is good, because otherwise you'd be able to unlock and take data from otherwise encrypted phones by simply putting a new button on them.
But Apple took its Touch ID security one step further.
"There's never a moment when you're not with somebody else, and there's cameras everywhere but the bathroom"
Apple notes in a white paper that the Secure Enclave and Touch ID are given a "device's shared key," which is a unique cryptographic signature shared between the Touch ID and Secure Enclave. This means that replacement Touch ID sensors will not work if swapped onto your phone, because they aren't paired with the existing Secure Enclave in your phone. This was a big problem on the iPhone 5S, because the cable that connects the Touch ID sensor to the phone's logic board broke easily during standard repairs. Replacement buttons worked as a home button only; Touch ID would be forever broken on that device, meaning the user had to enter a passcode whenever they wanted to unlock the phone. This is what it looks like when you put a new Touch ID sensor on an iPhone:
Taken as a whole, companies that repair iPhones employ skilled people. They know to be careful with the Touch ID sensor, and they know that the old sensor must be transferred to the new phone when doing a screen repair. It's a system that's annoying, but that works for the vast majority of cases.
How iPhone screen repair at the Apple Store works today
If you take a phone with a cracked screen to the Apple Store, the Geniuses there don't have to swap the button from your old screen to the new one. According to one current and two former Apple Store employees, there is a "Calibration Machine" in the back room of every Apple store that is able to reset the pairing between Touch ID buttons and the Secure Enclave. So when Apple replaces your screen, it simply recalibrates the new button to work with your existing phone.
"The calibration machine was a rather big device (imagine something roughly the size of a fairly large microwave) that phones had to be inserted into after replacing the display," one former employee told me in an email. "It took about ten minutes per phone to calibrate them, and the device would run a battery of pressure-sensitive tests in addition to registering the display with the secure enclave. An iPhone had to be secured in the device, naturally, and a mechanical arm would perform the necessary functions."
A current Apple Genius told me that the machine is hooked up to an iMac, which is hooked up to a special server, which runs the software that recalibrates the device. Apple employees are told that the calibration machine costs between $20,000 and $60,000 (there are different models of calibration machine), and it is available only to Apple Stores, not to so-called "Apple Authorized Service Providers." No photos of the machine are available publicly, and I was told it would be impossible to take one without getting caught: "There's never a moment when you're not with somebody else, and there's cameras everywhere but the bathroom," the Genius told me. "Apple is so secretive that they don't even want us wearing our Apple shirts outside."
[If you know anything more about how recalibration works or about the calibration machine, you can contact me securely.]
I spoke with three different iOS security experts about how recalibration would work. Apple holds many of the secrets of Secure Enclave close to its chest, and little is known outside of Apple about the specifics of the Touch ID-Secure Enclave relationship. Only one of the three experts would speculate on the record about the mechanics of recalibrating the phone. Apple did not respond to a request for comment on any aspect of this article and has ignored dozens of requests about repair issues from Motherboard over the past two years.
In theory, Touch ID reprogramming should require only a piece of software and perhaps authentication from an Apple server, according to Luca Todesco, one of the world's best-known iPhone jailbreakers.
"You probably don't need any hardware to do it," Todesco told me. "I wouldn't think there is much more required than some software running in the Secure Enclave Processor." Todesco said that the "pressure-sensitive tests" are likely standard touch screen tests that are done as part of "SwitchBoard," an internal app that ensures the phone is running properly before it's sold to or returned to a customer.
"Apple is going to see it as an opportunity to cut off the aftermarket, to require software to do glass repair, which would be the end"
Though we don't know exactly how Apple recalibrates phones, Apple Geniuses told me that the machine is unable to bypass what's known as "iCloud Activation Lock," a security measure that bricks phones that have been reported as stolen. The recalibration can only occur if the phone has been unlocked by a customer using their passcode, meaning they are the owner of the phone. This is an extremely important point: All three Apple Geniuses told me that the calibration machine can currently only be used on phones that have been unlocked by their owners using their passcodes. The calibration machine also cannot extract any data from the phone.
The mere existence of this machine, however, is hugely important to the future of iPhone repair.
The future of cracked screens
This brings us to the next model of the iPhone. If Touch ID is integrated into the screen and the home button is removed entirely from the device, then any phone that has a cracked screen will have to be recalibrated with the Secure Enclave in order to function properly. And if Apple controls the only machine that can perform recalibration, that spells doom for independent repair.
iFixit, a company that posts electronics repair guides on its website and sells iPhone replacement parts, says that roughly 15,000 companies have signed up for its wholesale parts sale program; most of those companies would struggle to survive if Apple makes this change to the iPhone.
"If Apple integrates a component that has cryptography on it into a critical repair failure component, then we're going to have a problem," Kyle Wiens, CEO of iFixit, told me. "A substantial number of people who have bought a smartphone have broken their screens. It's a very common repair, and doing those repairs is a really important part of the economy."
"You've got 15,000 repair shops across the country that are fixing these things," he added. "If there's a cryptographic element to fixing the glass, then our ability to do repairs could completely go away."
Touch ID integration, then, is quite literally an existential threat to independent repair companies, and if Apple suddenly becomes the only company that is able to fix your phone if you break it, then do you really own it?
Touch ID and the Right to Repair
For the last several years, Apple has been lobbying against "Right to Repair" legislation that has been proposed in several states around the country. The legislation would require manufacturers to sell repair parts and diagnostic machines and tools to third party repair companies and the general public. Bills are being considered in Nebraska, New York, Massachusetts, Illinois, Tennessee, Wyoming, Minnesota, and Kansas.
Specifically, legislation in these states notes that manufacturers "shall make available for purchase by owners and independent repair providers all diagnostic repair tools incorporating the same diagnostic, repair, and remote communications capabilities that such original equipment manufacturer makes available to its own repair or engineering staff." It also says that manufacturers "may not exclude diagnostic, service, and repair documentation necessary to reset a security-related electronic function from information provided to an owner or independent repair provider." Manufacturers must also allow owners to reset security systems back to their original state.
"We've only got a one or two year window to get this done or it could be game over. So let's get it done."
If the legislation passes, Apple will be required to sell its calibration machines on the open market. Not every mom-and-pop shop is going to buy a $20,000 calibration machine to fix a few iPhones, but many of the larger operations already shell out tens of thousands of dollars for top-of-the-line microscopes, and would surely buy the machine if it were made available.
I went to the Electronics Reuse conference in Houston in October, which was full of repair professionals hoping to get at least one right to repair law passed this year. At one meeting, Wiens told members of the trade group Repair.org that this Touch ID issue is a ticking time bomb that has added urgency to the group's efforts.
"Apple is going to see it as an opportunity to cut off the aftermarket, to require software to do glass repair, which would be the end," he said. "We've only got a one or two year window to get this done or it could be game over. So let's get it done."
Apple has lobbied hard against this legislation, and later this week will send a representative to Lincoln, Nebraska, to speak at a hearing on the issue. Behind closed doors, Apple has told lawmakers that right to repair legislation would create security vulnerabilities for their customers and, in Nebraska, has told lawmakers that it would turn the state into a "Mecca" for hackers.
"Apple has no problem inventing fear-based rhetoric that is not based in facts"
Apple has never been specific about the types of security vulnerabilities it's worried right to repair will introduce, but it seems likely that Apple is lobbying at least in part to keep its calibration machine a secret and out of the hands of independent repair professionals. So, does Apple have a legitimate gripe with the legislation that is more compelling than the idea of a megacorporation losing a slice of the repair market?
Security experts are split on this issue and, admittedly, not enough is known about the Touch ID / Secure Enclave architecture to make a completely informed call. Nicholas DePetrillo, a mobile security expert with Trail of Bits, told me that Apple simply doesn't want any changes made to its security architecture for repair reasons.
"It boils down to the fact that Apple has legit security design reasons for this architecture, this is not simply to lock someone out of the phone or to kill third party repairs, it's hardware root of trust and to protect the consumer," he told me in an email. "No security professional will look at this and say, 'There's no reason for that! They're doing that simply to annoy third party repair shops.'"
The fact remains, however, that Apple has not ever made a specific public case about how repair threatens security and has relied on the fact that essentially nothing is known about the recalibrating process.
Todesco says that there are any number of ways that Apple could prevent Touch ID from being hacked, even if recalibration machines were made available to the general public.
As I mentioned, recalibrating the Touch ID sensor does not:
- Allow stolen, iCloud-locked phones to be unlocked
- Allow anyone to unlock the phone without the passcode
- Allow anyone to access the data within the phone without the passcode
So what is Apple protecting? Todesco says any hacks on Touch ID would be far-fetched and would have "trivial countermeasures."
"If you had an Apple server that handled recalibration requests, it would be very possible to enforce authorization from a user or to tell if their Touch ID sensor had been recalibrate by a malicious party," he said.
"I honestly think it's more burdensome for Apple to repair all screens than for them to allow Apple to recalibrate," he added. "They make money from repairs, but losing the ability to repair would probably lose them customers."
"Worst case scenario, we see Cellebrite in the repair business"
The repair community, for its part, is not buying Apple's arguments. Apple has in the past introduced artificial software barriers to repair under the guise of protecting users' security, and has not earned the benefit of the doubt on the security issues (if any) of right to repair legislation.
Apple spontaneously bricked thousands of user- and third-party repaired phones with a software update that caused a problem known as "Error 53" that affected any phone that had its home button replaced (Touch ID did not work on these devices but they could be used with a passcode). At the time, Apple noted that it was "the result of security checks designed to protect our customers … this security measure is necessary to protect your device and prevent a fraudulent Touch ID sensor from being used."
Later, however, Apple pushed out an iOS update that fixed Error 53 and said the original error was a mistake and was "not intended to affect customers."
"The real gateway to the secure boot chain of the device is always the passcode lock [and not Touch ID]," Jessa Jones, one of the world's best iPhone repair and data recovery experts, wrote to the Nebraska lawmaker who is sponsoring right to repair legislation. The letter was obtained by Motherboard, and Jones will be speaking to legislators at Thursday's right to repair hearing in Lincoln.
"Without the passcode, no data recovery in the world can access data on any modern iOS device," she wrote. "Apple chose to do nothing about [Error 53], then they lied about it to inspire fear about device security, even though they knew this was not in the consumer's best interest and there was no security risk. This tells us that at least Apple has no problem inventing fear-based rhetoric that is not based in facts."
One of the central questions that legislators must grapple with, then, is whether manufacturers should be able to maintain such extreme control over their devices even after they've sold them. Apple has taken many steps to protect the security of their customers, but in doing so, has worked to monopolize the repair business. Apple thus far hasn't been willing to be honest and public about the specific security concerns it has with repair, and yet legislators have continued to allow it to kill legislation that is aimed at benefiting its consumers.
"In other security-based industries such as locksmithing, there is no protective regulation in place to protect consumers from criminal intent," Jones wrote. "Consumers enjoy the freedom to employ any locksmith they choose. Criminal acts are criminal. It is counter to the freedom of our citizens to continue to ask consumers to throw away repairable devices over fear of potential criminal acts, especially when there is no evidence to support that there is a bona fide security risk from any aspect of independent repair."
If Apple kills right to repair legislation and integrates Touch ID into the glass, Todesco jokingly imagines a future in which the world's best hackers partner with the repair community.
"Worst case scenario," he said, "we see Cellebrite in the repair business."
Update: One sentence of this article has been edited to be more specific about the relationship between Touch ID, Secure Enclave, and repair.