“Error 53” – could an iPhone update turn your phone into a brick?

library
crime | hacking | security

Error 53 is an iPhone message you probably don’t want to see.

It’s been around for months at least, without attracting much attention, until UK publication The Guardian wrote a story about it last week.

The Guardian declared that “Error 53 fury mounts,” suggesting that Apple was threatening to “kill your iPhone 6.” (And that was just in the headline!)

The story seems to be that if you have an iPhone model with a fingerprint scanner built into the home button, and it breaks, or is replaced with an unauthorised aftermarket version, then updating to iOS 9…

…causes Error 53.

Apple, of course, is notorious for its official secrecy about ongoing security issues, and “does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

But in this case, Apple obviously considers the issue done-and-dusted, because it responded quickly to the Guardian, which published a second Error 53 story over the weekend, reporting Apple’s technical explanation:

[Apple takes] customer security very seriously and Error 53 is the result of security checks designed to protect our customers. iOS checks that the Touch ID sensor in your iPhone or iPad correctly matches your device’s other components.

If iOS finds a mismatch, the check fails and Touch ID, including for Apple Pay use, is disabled. This security measure is necessary to protect your device and prevent a fraudulent Touch ID sensor from being used. If a customer encounters Error 53, we encourage them to contact Apple Support.

Apple’s Touch ID is a form of HSM, or Hardware Security Module, a tamper-proof (or, more precisely, a seriously tamper-resistant) device that is used to store important data such as cryptographic keys or login passwords.

A mobile phone SIM card, for example, is a sort of HSM: it contains a unique identification key known as K_i, used to secure your communications, that can be written into the SIM but never read back out.

So too is a pre-paid electricity meter, which is protected against unauthorised changes to its configuration that might give you free power or let you draw too much current.

When security depends on secrecy, and secrecy depends on hardware, then how that hardware fails is at least as important as how it behave under ideal circumstances.

After all, there are no “ideal circumstances” in a world filled with cybercrooks.

WHAT’S THE TRUTH?

What isn’t clear in all of this is:

• Why Error 53 seems to happen only after an iOS update.

Some users who have experienced Error 53 report that their home button was repaired weeks or even months ago, so they’re understandably surprised that a problem of this sort wasn’t detected and reported sooner, if indeed dealing with the issue is as necessary as Apple claims.

Apple should probably consider an earlier warning, especially if the home button has been damaged but not replaced because it still seems to work correctly.

• How bad Error 53 is for your data or device.

The Guardian’s original report, for example, is neither sure nor clear about whether Error 53 effectively bricks your phone, so it can’t be made to work again; requires you to return it to Apple for repair that includes a full wipe; or simply stops the Touch ID from working, as Apple suggests, thus locking you out of Apple Pay and requiring a passcode every time you unlock the device.

Indeed, the Guardian comes out swinging by stating that Error 53 “permanently disables the handset,” while Apple carefully says that “Touch ID, including for Apple Pay use, is disabled.”

What’s the truth, we wonder?

If you have first-hand experience of Error 53, why not tell us in the comments what happened (and how you fixed it or worked around it, if indeed you did)?