> This is all just theatre. The real motivation is to control the platform: to ship a piece of hardware that dictates who can install stuff on it, instead of the traditional hardware that lets you completely overwrite everything in it if you have physical access.
This is already the case. Right now, only firmware signed by Apple can be installed. The next logical step is to build a system where the unit that deals with PINs cannot be updated at all, or at least not without wiping all keys. This would prevent any non-invasive attempts of bypassing the rate-limiting of PIN attempts or auto-wipe.
> There is nothing wrong with that situation, and on such equipment, you can secure your data just fine.
Again, this is also true for an iPhone with a sufficiently complex passphrase, Because Crypto™. Secure Enclave is just an additional layer that protects against everyone not in a position to get custom firmware signed by Apple.
> No machine can be trusted if it fell under someone's physical access. Here is a proof: if I get my hands on your device, I can replace it with a physically identical device which looks exactly like yours, but is actually a man-in-the-middle (MITM). (I can put the fake device's board into your original plastic and glass, so it will have the same scratches, wear, grime pattern and whatever other markings that distinguish the device as yours.) My fake device will collect the credentials which you enter. Those are immediately sent to me and I play them against the real device to get in.
The scenario here isn't an Evil Maid Attack. It's about protecting locked devices while someone else has physical access to them. Right now, you're fairly safe from most attackers in this scenario. In the future, with a read-only Secure Enclave, you're also safe from Apple and anyone who could force Apple to sign firmware. The fact that Evil Maid Attacks are harder to pull off because of this is just a nice extra.
> Apple are trying to portray themselves as a champion of security, making clueless users believe that the security of a device rests in the manufacturer's hands. This could all be in collaboration with the FBI, for all we know. Two versions of Big Brother are playing the "good guy/bad guy" routine, so you would trust the good guy, who is basically just one of the faces of the same thing.
This doesn't make sense. There's no crypto backdoor. The worst case scenario for their current security architecture is that it falls back to how FDE works on a desktop system - i.e., it's completely dependent on your passphrase complexity.
This is already the case. Right now, only firmware signed by Apple can be installed. The next logical step is to build a system where the unit that deals with PINs cannot be updated at all, or at least not without wiping all keys. This would prevent any non-invasive attempts of bypassing the rate-limiting of PIN attempts or auto-wipe.
> There is nothing wrong with that situation, and on such equipment, you can secure your data just fine.
Again, this is also true for an iPhone with a sufficiently complex passphrase, Because Crypto™. Secure Enclave is just an additional layer that protects against everyone not in a position to get custom firmware signed by Apple.
> No machine can be trusted if it fell under someone's physical access. Here is a proof: if I get my hands on your device, I can replace it with a physically identical device which looks exactly like yours, but is actually a man-in-the-middle (MITM). (I can put the fake device's board into your original plastic and glass, so it will have the same scratches, wear, grime pattern and whatever other markings that distinguish the device as yours.) My fake device will collect the credentials which you enter. Those are immediately sent to me and I play them against the real device to get in.
The scenario here isn't an Evil Maid Attack. It's about protecting locked devices while someone else has physical access to them. Right now, you're fairly safe from most attackers in this scenario. In the future, with a read-only Secure Enclave, you're also safe from Apple and anyone who could force Apple to sign firmware. The fact that Evil Maid Attacks are harder to pull off because of this is just a nice extra.
> Apple are trying to portray themselves as a champion of security, making clueless users believe that the security of a device rests in the manufacturer's hands. This could all be in collaboration with the FBI, for all we know. Two versions of Big Brother are playing the "good guy/bad guy" routine, so you would trust the good guy, who is basically just one of the faces of the same thing.
This doesn't make sense. There's no crypto backdoor. The worst case scenario for their current security architecture is that it falls back to how FDE works on a desktop system - i.e., it's completely dependent on your passphrase complexity.