Apple Plans To Update iPhones In-Store Without Opening the Boxes (appleinsider.com) 101
Malcolm Owen reports via AppleInsider: Writing in his "Power On" newsletter for Bloomberg, Mark Gurman claims that Apple has a system that can update the operating system of iPhones before they get sold. Crucially, it can do so without opening the box. Consisting of a "pad-like device," store employees place unopened iPhone boxes onto it to trigger an update. The pad wirelessly turns on the iPhone, runs the software update, then turns it off again. While only iPhones are mentioned in the report, it's plausible that the idea could be extended to other products in Apple's catalog. It is claimed that consumers may benefit from the system at Apple Stores before the end of 2023.
Android users (Score:5, Interesting)
asking what an update is.
Re: (Score:2)
It's something that changes the way your OS functions without providing you any meaningful benefit. Consider yourself luck.
Sincerely
Windows and Apple users.
Re: (Score:2)
Once you pull your head out of your arse perhaps you could get one retro-fitted
Great idea (Score:1)
I encountered this myself with the recent iPhone release, even though I got one right around launch it updated as part of setup.
It makes an otherwise extremely friendly data transfer session from your older device have an odd hiccup in the middle, where it has to resume transfer after the software update is done. To have that transfer be totally seamless right out of the box would make it easier for a whole lot of people to complete device transfer successfully.
Re: Great idea (Score:5, Informative)
I am less convinced about it being a great idea. Convenient for the company and users certainly, but good?
Anybody with the device can flash the device with a new firmware remotely, yes centimeters but still a distance, without the knowledge nor consent nor password of the device owner.
While it certainly can be used positively, there are plenty of bad actors, including government actors, that triggers alarm bells.
This is yet another attack vector to turn any Apple device into an eavesdropping device by anyone with sufficient resources.
I would prefer devices require additional physical interaction for this type of operation.
Re: Great idea (Score:4, Insightful)
I'd be less concerned about bad actors being able to install the software. I would assume that the phones would still verify the installed packages.
But this probably means that if you are concerned about some threat, you can't just assume that a switched-off phone is safe.
Re: Great idea (Score:1)
Re: (Score:2)
I would hope this capability is deactivated once the device has been powered on by hand.
Re: (Score:2)
Ref: https://www.pandasecurity.com/... [pandasecurity.com]
Ref: https://www.comparitech.com/bl... [comparitech.com]
Re: (Score:2)
you can never presume a switched off device to be safe. This is one reason why I prefer devices with removeable batteries.
Ref: https://www.pandasecurity.com/... [pandasecurity.com]
Ref: https://www.comparitech.com/bl... [comparitech.com]
Right. Because a phone with removed batteries is sooooo practical when out and about.
Re: (Score:2)
Re: (Score:2)
duh, you put them back in when you need to check messages or make a call.... or you could put it in a faraday cage...Trust me, you can live 20 minutes without checking your phone.
Oh, just shut up.
I hope you have the batteries out of your phone when the hospital calls to tell you your family-member has been rushed to the hospital.
Seriously.
Re: (Score:2)
Re: (Score:2)
wow, so, have you ever considered taking an anger management class?
All my relatives have died, I don't have to ever receive that call again. thanks for those memories though.
Tough shit. My relatives are all dead, too.
Re: (Score:2)
Re: (Score:2)
shit happens. we all die eventually.
So far, at least.
Re: Great idea (Score:2)
While thatâ(TM)s a fair concern, it seems like something thatâ(TM)s relatively easy to mitigate. Requiring the pad to present a certificate to the device identifying it as a device authorised by Apple would be a good first step. Stopping this from activating once the device has completed setup would be a good second.
That, and of course the existing protections Apple has in this regard, like requiring the firmware youâ(TM)re installing to be signed by Apple would seem to mitigate your issues
Re: (Score:2)
While thatâ(TM)s a fair concern, it seems like something thatâ(TM)s relatively easy to mitigate. Requiring the pad to present a certificate to the device identifying it as a device authorised by Apple would be a good first step. Stopping this from activating once the device has completed setup would be a good second.
That, and of course the existing protections Apple has in this regard, like requiring the firmware youâ(TM)re installing to be signed by Apple would seem to mitigate your issues.
I'm pretty sure that the company that uses stegography to "adopt" a new device into your AppleID has got this sorted.
Re: (Score:2)
I am guessing the attack surface will be similar to initiating a flash request via the USB connection, where the .ipsw file will need to be signed, and the device would have to go get an individual signing ticket from Apple for the firmware to be installed. Bypassing this would require a full scale iBoot jailbreak, which is extremely unlikely.
If there is some key exchanges done between the remote flashing device and the phone, it will be highly unlikely this attack can happen, and if it does, a 0.1 update
Probably will not work once activated. (Score:1)
Anybody with the device can flash the device with a new firmware remotely
In addition to the other aspects mentioned which make this very unlikely, I'd also assume it will not be able to do this once you have activated the phone. This update mechanism happens before the device is attached to anyone.
Re: Great idea (Score:2)
Re: (Score:3)
Re: Great idea (Score:2)
Re: (Score:2)
Re: (Score:2)
Why is everyone in this thread thinking the device is doing the flashing or transmitting the software?
My hunch is all this device does is triggers the phone to wake up, connect to the store wifi with pre-stored credentials, then run the update as it normally would when activated and shut back down. Sending the update from the device itself, as you say, is a potential exploit path, but if all it does is connect to the wifi and run software update it's no more vulnerable than any other Apple device.
The other
Re: (Score:2)
Anybody with the device can flash the device with a new firmware remotely, yes centimeters but still a distance, without the knowledge nor consent nor password of the device owner.
I can't really see Apple paying an employee to stand there beside each of the hundreds of devices in their inventory for half an hour waiting for the employee's phone or whatever to push an update to the device. The form I'd expect this to take is a wireless charger with has a longer range, which will trigger the phone to power up, and some magic command sent over NFC that tells the device to connect to the store's Wi-Fi network, download the update, and shut down. Ten seconds per device, and then put it
Re: (Score:2)
I am less convinced about it being a great idea. Convenient for the company and users certainly, but good?
Anybody with the device can flash the device with a new firmware remotely, yes centimeters but still a distance, without the knowledge nor consent nor password of the device owner.
While it certainly can be used positively, there are plenty of bad actors, including government actors, that triggers alarm bells.
This is yet another attack vector to turn any Apple device into an eavesdropping device by anyone with sufficient resources.
I would prefer devices require additional physical interaction for this type of operation.
Probably only works with non-Personalized Devices.
Hopefully.
Re: (Score:2)
Anybody with the device can flash the device with a new firmware remotely, yes centimeters but still a distance, without the knowledge nor consent nor password of the device owner.
We don't know the details of the implementation. In particular, it may only work on unactivated/unregistered phones. (That would be a reasonable protection, anyways.)
Also, I doubt the device itself is the source of the new firmware -- that probably comes from the Apple servers on the Internet, and of course they'd have to be cryptographically signed as they always are. (That said, how do the devices get access? Connect to a specified (or default) WiFi network?)
Either way, assuming that Apple makes it so
Re: (Score:2)
Re: (Score:2)
Anybody with the device can flash the device with a new firmware remotely
That's not how firmware updates work. Hardware does not indiscriminately allow just anything to get loaded on that. You can see that quite clearly in how many people can't even swap out displays on iPhones without the OS kicking up a stink, or how Lineage OS only has a limited number of phones it supports.
Heat inside Closed Box Wrap and packaging (Score:3)
and if the battery dies midway? damage? (Score:1)
and if the battery dies midway?
the phone has damage that you need to open the box to see and that in come extreme cases lead to an fire
Re: (Score:3)
Nearly every phone on the planet will refuse an update if the battery is too low.
Re:and if the battery dies midway? damage? (Score:4, Informative)
Maybe the update pad includes a wireless charger.
Re: (Score:2)
and if the battery dies midway? the phone has damage that you need to open the box to see and that in come extreme cases lead to an fire
Batteries in iPhones never die, right?
All those people that plug into those charging stations are simply reliving the 'so yesterday' experience of wired networking
Re: (Score:2)
and if the battery dies midway?
the phone has damage that you need to open the box to see and that in come extreme cases lead to an fire
Both new iPhones I have received have arrived with about 80% charge.
Li-Ion batteries have exceedingly slow self-discharge, and iPhones sip very little power in Standby.
Plus, I would be willing to bet that Apple has been using this "internally" for quite some time before rolling it out to their stores.
Re: (Score:3)
It's going to run for a few minutes inside an air conditioned store.
It's not like having the body heat in a pant pocket or the dashboard of your car.
Re: (Score:2)
It's possible heat is going to be a factor. It's also possible this particular cockwomble made the whole thing up.
I mean, he writes for Bloomberg, it's not like being a proper journalist.
Re: (Score:2)
I wonder if it does a full install of the update, or just loads the update blob and quietly installs it on first boot.
Sounds exploitable (Score:5, Insightful)
This is begging to be exploited. Imagine someone being able to wirelessly "update" your phone to a hacked version.
Re: (Score:2)
the FBI will have one to install IOS cop bypass lock version.
Re: (Score:1)
Yeah, this really seems like a bad idea. Doubly so, given how far the quality of Apple's software has fallen over the past decade.
Re:Sounds exploitable (Score:4, Informative)
So you have a way to sign binaries with Apple's key?
Re: Sounds exploitable (Score:2)
I don't, but someone will.
Just a matter of time and resources.
Re: Sounds exploitable (Score:2)
Re: (Score:3)
Just a matter of time and resources.
People have been dedicating time and resources to this problem for the past 15 years. What makes you think they will somehow achieve this now?
Re: (Score:3)
I always update my phone wirelessly.
Re:Sounds exploitable (Score:5, Insightful)
Yep. Even if the box is properly factory sealed you have no way to know whether or not the device has been tampered-with before it got to you.
On a related note, I have noticed that these days many motherboards ship in boxes that have no seals at all. No shrink wrap anywhere. No tape holding anything shut at all. You just unfold it and the board is right there. I read right here on slashdot that a hobbyist can install a spy chip on a motherboard for about 200 bucks. The things are tiny and you would never know. And since the box has absolutely no breakable seals on it, you have absolutely no assurance that your shiny new motherboard hasn't been tampered-with, even if you pull it off the store shelf with your own hands.
Needless to say, I disapprove. I imagine the FBI loves it, though. As do properly-connected criminals.
Re: (Score:2)
In reality you’re not important enough to get spied on.
Re: (Score:3)
In reality youâ(TM)re not important enough to get spied on.
In reality it's now cheap to spy on everyone by having their phone do it for you and send back a transcript. Even a shitty transcript is enough to analyze and flag targets for additional surveillance.
Re: (Score:2)
If you have enough money to be buying a motherboard, you have enough money to be worth stealing from. Criminals have an incentive to try.
Same goes for those who own iPhones.
Re: (Score:2)
If it's done on the 1000 bucks enthusiast motherboards, it probably proves you have a bunch of spare cash for such things.
Especially if it's early in the product cycle where the only people who can afford to buy the expensive high end stuff early on is usually those with spare cash anyway. 3 months later, a regular person who also wanted it could have saved up enough to purchase it. But on the first week, unlikely you are just a regular person.
That may make you a tempting target.
Re: (Score:2)
Yep. Even if the box is properly factory sealed you have no way to know whether or not the device has been tampered-with before it got to you.
On a related note, I have noticed that these days many motherboards ship in boxes that have no seals at all. No shrink wrap anywhere. No tape holding anything shut at all. You just unfold it and the board is right there. I read right here on slashdot that a hobbyist can install a spy chip on a motherboard for about 200 bucks. The things are tiny and you would never know. And since the box has absolutely no breakable seals on it, you have absolutely no assurance that your shiny new motherboard hasn't been tampered-with, even if you pull it off the store shelf with your own hands.
Needless to say, I disapprove. I imagine the FBI loves it, though. As do properly-connected criminals.
If you were worth spending $200 to bug your motherboard somewhere in the delivery chain, I absolutely would shrink wrap it and slap some fancy looking holographic tape on there to make you feel good.
The problem is if you're not authenticating any of it. It's like doing SSL encryption with all the certificate validation logic tuned down. Are you authenticating the holographic seals? Do you trust the company's controls around their tape usage and its supplier? Do you even really trust the company that made th
Re: (Score:2)
There have been a few stories about server equipment supposedly being modified by security agencies before being reaching the end customers.
This included server motherboards from SuperMicro [appleinsider.com] being modified by Chinese agencies, and shipments of Cisco equipment (I'm unsure what, but they have made servers) being intercepted by NSA.
Re: (Score:2)
Didnt your English teacher teach you not to repeat yourself
Re: (Score:2)
I read right here on slashdot that a hobbyist can install a spy chip on a motherboard for about 200 bucks. The things are tiny and you would never know.
I read that same story. It was wholly unsubstantiated.
It's not physically impossible, but first you have to have a place to get a component from that does whatever the original component did plus has a spy device built into it. And that spy device needs to be able to exfiltrate the data, which pretty much means it has to be built into the networking hardware, or have its own wireless communications capable of reaching an open network outside of your machine — which is almost certainly in a shielded bo
Re: (Score:2)
It shouldn't be possible. The iPhone's design, once locked down, has a large master key that is unlocked by some smaller input you provide- and that transformation is in turn guarded by custom hardware that is tamperproof.
In practice, faults are found with this from time to time. Several years ago, a famous case with Muslim mass shooters in California:
https://www.theverge.com/2021/... [theverge.com]
An Austrian company allegedly helped them gain access that time, but there's no shortage of companies that muck with iPhone
Re: (Score:3)
I'm 99% sure this is just a signal to trigger the phone to turn on, connect to the store's wifi, then reach out to Apple's servers for a software update, run it, and shut off.
Sure if you could create a wifi network with the same credentials as Apple's in-store wifi, then run a MITM attack to feed it an update that would have to be signed with Apple's private key so it passes authentication to run you could update it to a hacked version. But uh, there's a *lot* there that is not practical.
This is no differe
Re: (Score:2)
I'm 99% sure this is just a signal to trigger the phone to turn on, connect to the store's wifi, then reach out to Apple's servers for a software update, run it, and shut off.
Sure if you could create a wifi network with the same credentials as Apple's in-store wifi, then run a MITM attack to feed it an update that would have to be signed with Apple's private key so it passes authentication to run you could update it to a hacked version. But uh, there's a *lot* there that is not practical.
This is no different than a phone running and installing an update today - it's just wirelessly triggered.
That's probably exactly how it works.
They also do this in the backroom, where they presumably have full control over store-stock; not on the salesfloor. For obvious reasons, Apple doesn't pile-up their retail stock out in the open.
Think about it.
Re: (Score:2)
I already thought nobody would mention that, but it's the first thing that occurred to me. It sounds like a huge security risk, more than anything useful and convenient. Although, it seems this iPad has to be pretty close to the iPhone. I wonder if they imposed some kind of range restrictions, or something? How can a device know the if iPad is 5m or a metre away? Signal strength?
Re: (Score:2)
This seems to hinge on the assumption that attackers have a way to pass the phone's firmware validation, never mind any further layers of validation that may be involved with Apple's update pads.
Apple's private firmware signing key is the holy grail of iPhone hacking. If you have that (or an exploit to bypass it) then there are far more insidious things you could be doing to the billion iPhones that are already deployed in the
Re: (Score:2)
This is begging to be exploited. Imagine someone being able to wirelessly "update" your phone to a hacked version.
Your phone already wirelessly updates itself automatically.
They need to remotely power them on while inside the box and prompt them to start the update process. Apple's in-store WiFi is already trusted, the firmware images are already signed and trusted, etc. If it were possible to hijack the firmware update process you'd already have seen it.
I can think of ways a wireless wake on lan magic packet thing can go sideways, but I can also think of ways Apple can easily prevent it, and they control the silicon s
Re: (Score:2)
Your phone already wirelessly updates itself automatically.
No, it doesn't. I can set it up to do so if I want, but by default it isn't. And I don't talk only about the confirmation in settings, is also about Wi-Fi: automatic updates happen only on Wi-Fi, not on mobile data.
Re: (Score:2)
I don't know. I'm sure the update itself isn't on the device. all it's doing is 1) turn on phone 2) run update cycle 3) turn off phone. It's not like the device is literally reprogramming the phones.
Plane Crash (Score:2)
Re: (Score:2)
So easy to crash a plane with this. Take a container full of iPhones in the belly cargo of a passenger plane. Use the pad to switch all the phones off before loading by walking around the container in the loading area. Let them run constantly trying to connect to wifi for an update but not finding any. eventually the heat will start a fire in the belly of a passenger plane and we all know what happens to Lithium batteries once they are on fire.
Oh, bullshit
IPhones barely get warm during an Update, anyway.
Plus, you'd actually have to spend time in the cargo hold in flight; which I very much doubt is accessible from the passenger cabin; especially after 9/11.
Re: (Score:2)
Re: (Score:2)
Didnt you read the part about the loading area. All you need to do is plant an activation device on one of the loaders who load pallets into planes. They walk around to do a visual check and all phones switch on. Why would you need someone on the plane? Also cut off a smart phone from wifi and not put it into aircraft mode, it keeps trying to find wifi and keeps boosting its signal till it runs pretty hot.
Nah. It would give up pretty fast, then go back to sleep.
That timeout is handled by a background thread in iOS, and thus will not fail to force Sleep/Standby rather quickly no matter what when on Batteries.
Apple is very good at energy management. Plus, the battery temp sensor would quickly put a stop to any thermal shennanigans.
tl;dr Not gonna happen.
Re: (Score:2)
Re: (Score:2)
You are assuming this backdoor activation will follow the same steps as normal networkmanager thread
Yes, and I also assume a Battery Overtemp will result in a fairly high-priority, possibly even hardware-enforced, shutdown.
Unless you have actual proof, my opinion as a longstanding Embedded Designer/Developer, is that it is essentially inconceivable that any firmware load could cause a thermal runaway condition in an Apple Device. Period.
Re: (Score:2)
This is begging to be exploited. Imagine someone being able to wirelessly "update" your phone to a hacked version.
It is inconceivable that Apple would allow this on a Personalized iPhone.
an stack of phone in cargo are likey not Personali (Score:2)
an stack of phone in cargo are likely not Personalized and ground person just needs the wake up device in there pocket to start the update loop
Re: (Score:2)
an stack of phone in cargo are likely not Personalized and ground person just needs the wake up device in there pocket to start the update loop
And then what?
It times out and goes back to sleep; that's what.
You have no idea how many layers and Signatures and keys and secret moose handshakes and hard ips and a partridge in a pear tree Apple has built into their OTA Update Protocol; but if they are trusting it in the wild, I am cautiously optimistic that this won't be hackable. Now that the cat's out of the bag, we shall soon see. . .
NSA approved (Score:5, Insightful)
Looks like spooks are getting an early Christmas present.
"Wake on LAN" - wirelessly (Score:4, Insightful)
Sooner or later someone will figure out how to exploit this for evil.
Re: (Score:3)
I would think that Apple would not make it overly easy. Perhaps the door is open only while the phone is in a factory fresh state (might even exclude a reset/wiped phone; that is a special factory wipe/embed a factory key in the Secure Enclave?). No doubt not perfect, but a direction that could minimize the attack surface.
Re: (Score:2)
Sooner or later someone will figure out how to exploit this for evil.
Wanna bet?
Apple has probably had this capability for about a decade; I'll wait.
Re: (Score:2)
Sooner or later someone will figure out how to exploit this for evil.
People have been trying to exploit the ability to load custom firmware on iPhones for over a decade. Wireless doesn't bring anything new to the table here.
and the nsa (Score:5, Insightful)
Re: (Score:2)
Walk me through how this would work. They probably use something like near field charging for waking the phone and transferring the files. So you pretty much need physical access.
Re: (Score:2)
Walk me through how this would work. They probably use something like near field charging for waking the phone and transferring the files. So you pretty much need physical access.
1. You are taken into police custody, you refuse to unlock the device, but they will take it anyway
2. They put your phone on such a pad that will update your phone's firmware with one with empty unlock credentials
3. They have full access to your data
4. Profit
Re: (Score:2)
Walk me through how this would work. They probably use something like near field charging for waking the phone and transferring the files. So you pretty much need physical access.
1. You are taken into police custody, you refuse to unlock the device, but they will take it anyway
2. They put your phone on such a pad that will update your phone's firmware with one with empty unlock credentials
3. They have full access to your data
4. Profit
You are assuming the update preserves existing data. In the Apple scenario, the update could wipe the phones before the update or after since there is no data to save; ensuring it could not be used to hack into a phone.
Re: (Score:2)
Walk me through how this would work. They probably use something like near field charging for waking the phone and transferring the files. So you pretty much need physical access.
NFC is waaay too slow for file actual transfer.
That's what I'm talking about (Score:2)
Offers an attack-vector (Score:2)
I've seen US Tv. cop-dramas where the police attempt to turn-on a phone by remote-control. They will be drooling over this Apple-shop-only device and it will quickly stop being Apple-shop-only.
At a minimum, I hope it is NFC (ie. a short-range antenna) and a modulated signal (not merely, sufficient EMF to toggle a relay, so wake-up/boot).
While the purpose is selling up-to-date iPhones and eliminating the 'upgrade OS' step in using a phone for the first time, putting remote-control technology in any devi
The NSA & other US TLAs... (Score:2)
Good news for the NSA (Score:2)
They can now 'update' your phone when putting on the TSA counter to get checked for metal.
Phantasists (Score:2)
Re: (Score:2)
Whatever attacks are possible when it is still in the box are possible at your home. Whatever attacks are impossible at your home are impossible when it is in the box. I havenâ(TM)t heard of anyone being able to install a hacked update on any iPhone.
This.
Security? (Score:2)
Re: (Score:2)
I mean, having the ability to install a firmware without opening a box seems like a huge security problem. How can you be sure your phone has not been backdoored by anyone with this tool?
Oh, STFU and go wrap another layer of foil on that hat. . .
ship a bootloader (Score:2)