Hacker News new | ask | show | jobs
by dns_snek 831 days ago
The point of module-level pairing is to make every module is identifiable, correct? Furthermore, these devices are only usable when connected to the internet.

IF their goal was merely to prevent theft, they could achieve that goal by simply blacklisting individual components when a device is reported stolen. Apple knows precise serial numbers of every paired component installed in that device, they just need to host a database of stolen parts that devices could query on every boot and on a set interval.

Of course, that's not their true goal, so they treat everyone like thieves in the hopes that they buy a new device instead.
1 comments
threeseed 831 days ago
What happens if that service is down. Or if a state actor decides to DDOS it to cause havoc.

Of course since this process needs to access networking stack etc it's going to be trivial to bypass if the device is jailbroken. Which means that users buying stolen phones need to be informed not to upgrade the OS otherwise their device is bricked. E-waste implications would be staggering.

link
dns_snek 831 days ago
Nothing happens if the service is down. They could just as easily DDoS other Apple services, most of them would cause actual havoc if they were down - iMessage, iCloud, Apple Pay, Sign in with Apple, etc.

If the device is jailbroken then all bets are off regardless? If you can bypass the theft database check, you can bypass the current parts pairing check, too.

> E-waste implications would be staggering.

Is that meant to support your argument? That's the status quo.

link
threeseed 831 days ago
If the service is down then how would the validation happen. Or if you just allow stolen components to be accepted whilst the phone is unvalidated then state security services will just DDOS the service. They would love to be able to swap out a screen and gain access to the password for journalists, dissidents etc.

And you can't bypass the current pairing check since it is happening before the OS is launched.

link
dns_snek 831 days ago
I'm sorry but that's just a fairytale. Nobody is going to go through a 10 step process that hinges on someone's phone being stolen and returned without their knowledge while successfully pulling off a DDoS attack against one of the most powerful corporations on the planet that's already facing constant cyber threats.

Extremely relevant: https://xkcd.com/538/

They'll just use a 0-day exploit or a $5 wrench.

link