Hacker News

What backdoor is that?



Being able to load arbitrary firmware onto the device without requiring user authentication, so long as it's signed by Apple.


Has Apple addressed this? I was under the impression the PIN was needed to update the OS. Why isn't it? Some sort of recovery method that doesn't wipe data?


OS updates OTA need your PIN, but using DFU mode connected to iTunes doesn't. I assume this is so a broken OS upgrade can't brick your phone.


This is just how Apple does things. Indeed, Apple expects you to trust it more than you trust yourself.


How can we fix it? Easiest I can think of is wipe storage if updating without user authentication. Any better way?


Who is "we" here? Apple could do that, for sure. In the present contest, I can see why they'd want to. It would be a great move to forestall this sort of attack in future.

But "we", as in you and I, cannot easily do this. Because we can't sign stuff as Apple. But maybe it's doable.


I think this is where things are headed. I think we will soon see a new version of iOS by Apple with more stringent security (no updates without authentication or information is wiped when you force an update).

If this doesn't happen, I would highly suspect there is an NSL (or something similar) involved forbidding it.


You can vote with your dollars, you know. Feel free to buy devices from those other manufacturers that you trust.


Me, I'm waiting on openFAB devices. Could be a long wait.



