[chalst]

-> But it also takes aim at “parts pairing,” or the practice of preventing you from replacing device parts without the approval of a company or its restrictive software. Apple, which routinely uses this practice to try and monopolize repair, lobbied extensively against the Oregon bill. As usual, under the (false) claim that eliminating parts pairing would put public safety and security at risk:

-> “We remain very concerned about the risk to consumers imposed by the broad parts-pairing restrictions in this bill,” John Perry, principal secure repair architect for Apple, said at a legislative hearing last month.”

There was a time when interpreting the “risk to consumers” as a risk of being prevented from gouging consumers would be cynical. Now I guess something like that occurred to the lawyers.

[hedora]

It does sound like this means it's now easier to get a touch screen, embed a tap logger in it, and then swap someone else's screen with it. (Similarly, for the camera module, etc, etc.)

A better approach would be to force Apple to allow the device owner to pair parts (third party or not), and for Apple to provide a list of authorized non-OEM parts to anyone that was considering buying a used phone.

Also, I wonder what this does to the anti-theft mechanisms. Before touch id, basically nobody set screen passwords, and phones were stolen at extremely high rates. After that, and because a stolen iPhone is marked as such and won't work with Apple services, phone theft dropped to almost zero.

If Apple's not allowed to prevent the pairing of the stolen parts in Oregon, I'm guessing it will lead to a black market industry there, where people launder stolen phone parts into refurbished phones by mixing them with parts from broken phones.

[concinds]

See iFixit explain why parts pairing doesn't help reduce theft:

https://www.ifixit.com/News/91648/banning-parts-pairing-wont...

If Apple disagrees with iFixit and has genuine reasons to believe this will compromise security, they can share their reasoning publicly and let people judge. So far I don't think they have.

[whartung]

Well using the Petri dishes of State policy, perhaps someone can track iPhone thefts and see if the impact is imagined or real.

[hedora]

I like iFixit, but that part of the article is nonsense. They completely ignore the standard argument for parts pairing as a theft deterrent:

A shady shop buys a box of broken, non-activation-locked phones, and a box of stolen, working, but activation-locked phones.

They install parts from box two on mainboards from box one. This completely defeats activation locks and cell modem blacklisting.

The same thing is commonly done for other high-value products. It is what automotive chop shops do (there, a wrecked car with a clean vin + stolen car with dirty vin is turned into a sellable car with a clean vin).

[smoldesu]

They refute your point altogether - any sufficiently dedicated chop-shop can install box one parts on a box two phone with enough effort. This happens all the time in China and there's no reason to doubt it happens in America too. At best, Apple is slightly blocking the floodgate for one-off urban muggings. At worst, they're using a non-existent threat vector as an excuse to expand their already-exploitative repair parts scheme. Anyone who's had to repair a Macbook without warranty knows that Apple will refuse to sell you replacement parts for what they're worth.

> It is what automotive chop shops do

If you think this is about iPhone chop-shops, you have lost the script. Apple designed this scheme from the bottom-up, if they wanted you to have control over your phone they would have left an escape-hatch. When someone locks your door and doesn't give you the key, it's always worth asking: Cui bono?

[dns_snek]

The point of module-level pairing is to make every module is identifiable, correct? Furthermore, these devices are only usable when connected to the internet.

IF their goal was merely to prevent theft, they could achieve that goal by simply blacklisting individual components when a device is reported stolen. Apple knows precise serial numbers of every paired component installed in that device, they just need to host a database of stolen parts that devices could query on every boot and on a set interval.

Of course, that's not their true goal, so they treat everyone like thieves in the hopes that they buy a new device instead.

[threeseed]

What happens if that service is down. Or if a state actor decides to DDOS it to cause havoc.

Of course since this process needs to access networking stack etc it's going to be trivial to bypass if the device is jailbroken. Which means that users buying stolen phones need to be informed not to upgrade the OS otherwise their device is bricked. E-waste implications would be staggering.

[dns_snek]

Nothing happens if the service is down. They could just as easily DDoS other Apple services, most of them would cause actual havoc if they were down - iMessage, iCloud, Apple Pay, Sign in with Apple, etc.

If the device is jailbroken then all bets are off regardless? If you can bypass the theft database check, you can bypass the current parts pairing check, too.

> E-waste implications would be staggering.

Is that meant to support your argument? That's the status quo.

[threeseed]

If the service is down then how would the validation happen. Or if you just allow stolen components to be accepted whilst the phone is unvalidated then state security services will just DDOS the service. They would love to be able to swap out a screen and gain access to the password for journalists, dissidents etc.

And you can't bypass the current pairing check since it is happening before the OS is launched.

[dns_snek]

I'm sorry but that's just a fairytale. Nobody is going to go through a 10 step process that hinges on someone's phone being stolen and returned without their knowledge while successfully pulling off a DDoS attack against one of the most powerful corporations on the planet that's already facing constant cyber threats.

Extremely relevant: https://xkcd.com/538/

They'll just use a 0-day exploit or a $5 wrench.

[tadfisher]

You mean like every other device in the world? Should Mazda be forcing me to buy a Mazda OEM or OEM-approved car battery through DRM? It would prevent theft of my car to steal its parts, but it would also have the curiously beneficial side effect of massive profit.

[burnerthrow008]

You mean like how California bans installation of used catalytic converters? And how that law was passed explicitly to cut down on converter theft?

You will never guess what California requires to be inscribed on every converter sold in the state.

[saratogacx]

Is it this :) ?

WARNING: This product can expose you to chemicals including arsenic, which is known to the State of California to cause cancer. For more information, go to www.P65Warnings.ca.gov

[TylerE]

As someone who was mugged for his phone about a decade ago, I am very very very much in favor of Apple continuing to require this. It is very much pro consumer on the whole.

[chalst]

The mugging scenario shows that there are risks associated with pairing removal, but the suggestion by lcnPylGDnU4H9OF [1] seems to deal with this particular issue.

Are there any other risks?

[1]: https://news.ycombinator.com/item?id=39707586 (in reply to you)

[lcnPylGDnU4H9OF]

- Allow to remove the pairing after a timed delay, say 30 minutes

- Require authentication including a second factor to initiate and confirm the removal

Assuming a mugger isn't likely to sit there for 30 minutes given the chance someone could walk by. If this is the only way to remove the part such that it can be paired with another device, doesn't it solve both problems? I get the feeling Apple is being a bit disingenuous with their "risk to consumers" claims.

[TylerE]

Look into the iPhone unlock scam networks. They’re using blackmail tactics as it is.

Anyway, no, the mugger isn't going to try to unlock it while holding you at gun point. They'll rip and run, and sell it for $20 to a fence who will pass it up the chain. Usually they end up in other countries.

Similar in concept to the groups that will take cars stolen in the US, grind off all the VIN plates and other identifying marks, fake paperwork, and then sell them into markets in Africa and the Middle East where the buyers don't ask questions, and government officials are easily and publically bribed.

[BeFlatXIII]

> drugs come in; cars go out

How feasible would it be to tighten up port security to stop the export of stolen cars?