by ryanlol
3760 days ago
> I mentioned that the most common method for uniquely identifying a handset (the IMEI) can be changed by switching a chip on the iPhone's main board. (At least this was true 6 years ago.)

https://www.theiphonewiki.com/wiki/ECID

Firmware updates use this, not IMEIs. And I think the IMEI is more commonly used to identify the radio, not the device itself. But I could be wrong about that.

> So, unless Apple uses an interactive signature scheme or prevents the FBI/intelligence agencies from ever seeing the signature (using TLS with hard-coded certs), then the signature can be replayed.

Every time you update an iPhone it generates a nonce, called APTicket. Apple signs that, your ECID and the firmware. The nonce essentially makes replay attacks impossible, even if you managed to swap a device's ECID.
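The nonce-bound ticket check described in the comment above, as an added model that is not from the post or from Apple's real implementation: an HMAC over a constructed key stands in for Apple's signature (so the device holds the key here, unlike real public-key verification), and the ECID width, nonce length and ticket layout are assumptions.

```python
"""Toy model of a signed update ticket that binds ECID, nonce and firmware."""
import hashlib
import hmac
import os

# Constructed key standing in for the signer's private key (not Apple's).
SIGNING_KEY = b"constructed-signer-key-not-apple"
TAG_LEN = 32  # SHA-256 HMAC tag length


def ticket_body(ecid: int, nonce: bytes, firmware_digest: bytes) -> bytes:
    """Assumed layout: 8-byte ECID || nonce || SHA-256 of the firmware."""
    return ecid.to_bytes(8, "big") + nonce + firmware_digest


def sign_ticket(ecid: int, nonce: bytes, firmware_digest: bytes) -> bytes:
    """Signer side: one signature covers ECID, nonce and firmware together."""
    body = ticket_body(ecid, nonce, firmware_digest)
    return body + hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


class Device:
    def __init__(self, ecid: int):
        self.ecid = ecid
        self.current_nonce = None  # only set while an update is in progress

    def begin_update(self) -> bytes:
        self.current_nonce = os.urandom(20)  # fresh nonce per update attempt
        return self.current_nonce

    def verify_ticket(self, ticket: bytes, firmware: bytes) -> bool:
        """Accept only a ticket signed over this ECID, this nonce, this firmware."""
        if self.current_nonce is None:
            return False
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        expected_tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
        expected_body = ticket_body(self.ecid, self.current_nonce,
                                    hashlib.sha256(firmware).digest())
        ok = hmac.compare_digest(tag, expected_tag) and \
            hmac.compare_digest(body, expected_body)
        self.current_nonce = None  # nonce is single-use either way
        return ok


def replay_demo():
    """Returns (fresh ticket accepted, replay rejected, ECID-clone rejected)."""
    firmware = b"constructed firmware image v1"
    dev = Device(ecid=0x000123456789ABCD)
    ticket = sign_ticket(dev.ecid, dev.begin_update(),
                         hashlib.sha256(firmware).digest())
    fresh = dev.verify_ticket(ticket, firmware)
    dev.begin_update()                       # new nonce: old ticket is stale
    replayed = dev.verify_ticket(ticket, firmware)
    clone = Device(ecid=dev.ecid)            # swapped/cloned ECID, own nonce
    clone.begin_update()
    cloned = clone.verify_ticket(ticket, firmware)
    return fresh, replayed, cloned
```

Changing a single byte of the firmware or ECID in `ticket` also fails the tag check, which is the point of signing all three fields together.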
> And I think the IMEI is more commonly used to identify the radio, not the device itself.

Across manufacturers, I'm not sure of another quasi-unique identifier in common use.

> Every time you update an iPhone it generates a nonce, called APTicket. Apple signs that, your ECID and the firmware.

This is one variant of an interactive signature scheme.