[clort]

Surely if the FaceID module provides a key to decrypt the encrypted contents of the phone, if you swap a module then another module might be able to verify a face but not provide the correct key, and the phone remains locked? If, before you remove the module, you wiped the phone then of course no key is required..

Having a module which could be removed and replaced just say Yes or No would seem to be a very poor design. Also in that case, Apple could presumably authorise a new module, meaning they would retain the capability to break into any phone (which I understood they did not want)

[wilg]

Here is an overview of how that system works:

https://support.apple.com/guide/security/secure-enclave-sec5...

https://support.apple.com/guide/security/face-id-and-touch-i...

https://support.apple.com/en-us/102381

[zlsa]

That wouldn’t prevent the case of “the module is swapped for one that unlocks no matter what, and upon noticing the phone isn’t unlocking, the owner resets and sets up Face ID again” right?

[Dylan16807]

Upon noticing the phone isn't unlocking and reading the big warning message that the Face ID module was replaced, which doesn't seem like a big threat vector to me.

[Someone]

I think it is because it’s not “the module is swapped for one that unlocks no matter what, and upon noticing the phone isn’t unlocking, the OWNER resets and sets up Face ID again”, but “the module is swapped for one that unlocks no matter what, and upon noticing the phone isn’t unlocking, the THIEF resets and lets the owner set up Face ID again”.

They’re also is the case of “Steal two phones, swap a few parts, reset the phones, and sell them second-hand”. Both phones will have 100% genuine parts.

[Dylan16807]

> “the module is swapped for one that unlocks no matter what, and upon noticing the phone isn’t unlocking, the THIEF resets and lets the owner set up Face ID again”

The thief wouldn't have been able to reset Face ID, would they? Also it would make sense to warn a second time when you go to set up Face ID again.

If they reset the entire phone, uh, they could have handed you a different phone entirely. I don't see how part swapping is the problem here.

> They’re also is the case of “Steal two phones, swap a few parts, reset the phones, and sell them second-hand”. Both phones will have 100% genuine parts.

What role does the part swap have in this scenario? What stops me from simplifying it to "Steal two phones, reset the phones, and sell them second-hand."? Because if that simplification is valid, then this scenario has nothing to do with repairability.

[purkka]

Apple could still use keys to validate the module is genuine. Then you just need to trust Apple to not release compromised modules. They need to just stop pairing the individual modules to the phone.