| ▲ | Nathan2055 6 days ago |
| Okay so here's the argument I've heard: if arbitrary replacements of the lid sensor were possible, it would be feasible to create a tampered sensor that failed to detect the MacBook closing, thus preventing it from entering sleep mode. This could then be combined with some software on the machine to turn a MacBook into a difficult to detect recording device, bypassing protections such as the microphone and camera privacy alerts, since the MacBook would be closed but not sleeping. Additionally, since the auto-locking is also tied to triggering sleep mode, it would be possible to gain access to a powered off device, switch the sensors, wait for the user to attempt to sleep mode the device, and then steal it back, completely unlocked with full access to the drive. Are these absolutely ridiculous, James Bond-tier threat assessments? Yes, absolutely. But they're both totally feasible (and not too far off from exploits I've heard about in real life), and both are completely negated by simply serializing the lid sensor. Should Apple include an option, buried in recoveryOS behind authentication and disk unlock steps like the option to allow downgrades and allow kernel extensions, that enables arbitrary and "unauthorized" hardware replacements like this? Yes, they really should. If implemented correctly, it would not harm the security profile of the system while still preventing the aforementioned exploits. There are good security reasons for a lot of what Apple does. They just tend to push a little too far beyond mitigating those security issues into doing things which start to qualify as vendor lock-in. I really wish people would start to recognize where the line should be drawn, rather than organizing into "security of the walled garden" versus "freedom of choice" groups whenever these things get brought up. You can have both! The dichotomy itself is a fiction perpetuated to defend the status quo. |
|
| ▲ | ryandrake 6 days ago | parent | next [-] |
| The line should be drawn by the owner of the device. As the user and owner of the product, I should be the sole decider about my own security posture, not some company who doesn’t know my use case or needs. It’s crazy how we’ve managed to normalize the manufacturer making these kinds of blanket decisions on our behalf. |
| |
| ▲ | clickety_clack 6 days ago | parent | next [-] | | Yes it’s wild. Imagine if we decided that people can’t be relied on to install good locks for their doors, so we gave the government responsibility for locking and unlocking your door every time you wanted to leave your house. A lid sensor is just so peripheral. Where do the vendor lock-ins end? | | |
| ▲ | kube-system 6 days ago | parent | next [-] | | Apple is a vendor, not a government. A more accurate analogy, is like a lock installed on your door by a locksmith that uses proprietary parts available only through locksmiths. Which is exactly how a lot of locks work. Proprietary technology exists in a lot of places, Apple didn't invent this. | | |
| ▲ | autoexec 6 days ago | parent | next [-] | | > Apple is a vendor, not a government. Apple is worse than a government. They have more money and reach than many governments and unlike many government officials, the public doesn't have the power to vote the heads of apple out of office or vote for who they want as a replacement. Apple didn't invent proprietary technology, but they leverage the shit out of it in consumer hostile ways just to take even more money from people. | | |
| ▲ | kube-system 6 days ago | parent [-] | | Governments have a monopoly on the use of force, and they exercise it to compel their citizens to do things whether or not they want to. For example, I have to pay taxes, and if I don't, they will use force against me. Your relationship with Apple is very different. If you don't like Apple, you can just simply not buy or use their products. You have a choice and they have no way of compelling you otherwise. | | |
| ▲ | ryandrake 6 days ago | parent [-] | | The inability to use force doesn't make corporate power any less powerful--it only makes it a different kind of power. Yes, BigTech cannot arrest me or throw me in jail, but that doesn't mean that they don't wield other kinds of enormous power over my day-to-day life. And unlike my (technically democratically elected government), corporations do not have to answer to the people they exert their power over. | | |
| ▲ | kube-system 6 days ago | parent [-] | | I'm not trying to say that big tech doesn't have any sort of power at all that significant, of course they do. They certainly have a lot of control over information and how it shared. But I think that is unequivocally a lesser power than being able to imprison someone or put them to death. The fact that some small number of government officials are elected might be a rationale for that power, but it doesn't decrease it in any way. | | |
| ▲ | int_19h 5 days ago | parent [-] | | The problem is that, with enough money, you can buy the people who have the power to imprison someone or worse. |
|
|
|
| |
| ▲ | ryandrake 6 days ago | parent | prev [-] | | Yea, that's a much better analogy. We don't want the lock vendor to decide how and when we lock our doors and how we fix them when they break. We don't want our stove vendor to decide what food we're allowed to cook, how many burners can be running at once, and what parts we use to repair it. We don't want our car manufacturer to decide where we can drive our car and who repairs it. Yet, somehow, when it comes to technology products, we accept the manufacturer butting in to tell us how not to use them, and how not to repair them. | | |
| ▲ | kube-system 6 days ago | parent [-] | | My stove, my car, and my locks are all opinionated in their design and use proprietary parts. None of them were designed to my personal requirements. Many of the products that I buy do in fact, not work exactly how I want them to, nor do they facilitate my desire to change them. I can't name a single product in my house that uses any sort of open hardware design, except for the things, I've 3D printed or built myself. | | |
| ▲ | clickety_clack 6 days ago | parent [-] | | A better analogue then would be that the developer who built your house insists on a specific type of lock. There’s a whole repairability movement going on to maintain access to third party replacement parts for cars and appliances. This is a recent design choice that is being enforced by manufacturers. Historically, people have been able to repair everything they owned. Locking everything down is bad for consumers. | | |
| ▲ | kube-system 6 days ago | parent [-] | | Developers normally do pick the parts that come on a house when they build it. I understand arguments for repairability, and in most cases, I agree with them. But these things aren't boolean situations where things are either repairable or they are not. There's a lot of nuance in how things are designed and how repairable they are as an inherent part of that design. Ultimately, I agree that artificial lock-in for no reason other than that lock-in is a bad thing for consumers. But not everything is really that simple. > Historically, people have been able to repair everything they owned. It all depends on how you define "able". Most people lack technical ability to repair most things for thousands of years. And most things that you own today you are permitted to repair to the best of your ability. |
|
|
|
| |
| ▲ | Configure0251 6 days ago | parent | prev | next [-] | | I quite like this analogy, I hope I can remember it for the appropriate moment. | |
| ▲ | floatrock 6 days ago | parent | prev | next [-] | | I dislike Apple's lock-in tactics, but I dislike gross fear-mongering exaggerations even more. How'd we get to tyrannical government oversight from shitty corporate control? Sorry, I think I slipped on that slippery slope. The better analogy would be "door lock vendor requires you to buy their door frame to make their door lock work with the security guarantees you chose to buy into." Government should stay out of our private lives, but this kind of jumpy fear-mongering is what makes people lose focus, and when people are run by fear that's when the real psychopaths start taking advantage. Your fear mongering is creating the very government tyranny you're mongering about. | |
| ▲ | jbs789 6 days ago | parent | prev [-] | | You mean like a prison? |
| |
| ▲ | tpmoney 6 days ago | parent | prev | next [-] | | > As the user and owner of the product, I should be the sole decider about my own security posture, not some company who doesn’t know my use case or needs. It's not so cut and dry though. The "user" and the "owner" of a product are not always the same person, but hardware security impacts the "user" more than the "owner". | |
| ▲ | vlovich123 6 days ago | parent | prev | next [-] | | How does Apple know the owner of the product has authorized the HW change? There’s a secondary argument you could make here whereby because the replacements must be valid Apple parts that have uniform behavior and tolerances, the strength of the secondary market is stronger and Apple products have a stronger resale value as a result, because you’re not going to encounter a MacBook with an arbitrary part replaced that you as the second-hand buyer know nothing about (this is why the secondary market for cars doesn’t work without the ability to lookup the car history by VIN). | | |
| ▲ | userbinator 6 days ago | parent | next [-] | | Apple doesn't need to know. Once it's sold Apple is no longer the owner. | | |
| ▲ | kube-system 6 days ago | parent | next [-] | | And when Apple designed their products, they get to decide how to design it. You can do whatever you want with your computer. But nobody has to design it the way you like it. | |
| ▲ | aurareturn 6 days ago | parent | prev | next [-] | | What happens when you indirectly cause the machine to fail by installing some shout 3rd party part? Are you still going to claim warranty? Walk into an Apple Store to ask for help? | | |
| ▲ | userbinator 6 days ago | parent [-] | | We have the https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty... to rely on. | | |
| ▲ | aurareturn 6 days ago | parent [-] | | Huh? Explain more. | | |
| ▲ | rcxdude 6 days ago | parent [-] | | Generally speaking companies are not liable for failures due to the customer's own modifications to the product. | | |
| ▲ | kube-system 6 days ago | parent [-] | | Practically speaking, however, they are liable for the time to service those customers and diagnose product issues to determine that the customer was at fault. And, that extends to any future buyers of used devices. And, any resulting displeasure from customers, even though it wasn't Apple's fault. These sorts of things are exactly the types of problems that exist in the used car market, for exactly the same reasons. | | |
|
|
|
| |
| ▲ | fastball 6 days ago | parent | prev [-] | | What about a work computer? You're not the owner, but presumably you appreciate when can feel that your work computer is still secure. | | |
| ▲ | userbinator 6 days ago | parent [-] | | If it's owned by the company then I don't care what they do since that's no longer my responsibility. |
|
| |
| ▲ | doubled112 6 days ago | parent | prev | next [-] | | That car comparison doesn't work here. You can't be sure about the true history of a car, only what was reported. When I replace a wheel bearing assembly in my driveway, you still can't see that by looking up my VIN. Nobody knows except myself and the person I bought the parts from. Was it a dealer part? An OEM part? A poor quality replacement? Can't tell without looking. This might actually support Apple's side of the argument, although I do not. I don't think we need some Carfax equivalent for MacBooks. | | |
| ▲ | chongli 6 days ago | parent [-] | | This might actually support Apple's side of the argument, although I do not. I don't think we need some Carfax equivalent for MacBooks. In some ways, Apple's scheme is better than Carfax. In other ways, it's worse. It's worse because you can't get access to the repair history of a device. It's better because you can actually have a reasonable degree of confidence that no "driveway repairs" have taken place since Apple's scheme is not known to be broken. | | |
| ▲ | ryandrake 6 days ago | parent | next [-] | | I think we should stop using "driveway repairs" as a derogative term. There's nothing wrong with a car owner repairing their own car. Years ago, that was a very usual, normal thing to do. I replaced my own wheel bearings in my garage, and have been driving on them for 5 years. It's not that difficult, and doing it yourself doesn't make your car unsafe or defective. Kind of scary how "repairing your own things yourself" has fallen so far out of fashion. We should be applauding and encouraging people to build these kind of skills, not insulting them. | | |
| ▲ | doubled112 5 days ago | parent [-] | | I would have thought most people here are doing much more complicated work all day. All four bearings are part of an assembly that bolts in. 8 or 12 bolts depending on position. I'm lucky that I don't even need a press. The wheel comes off (5 bolts), the brakes come off (2 bolts), the axle/hub bolt comes out (1 bolt), and then on the front there are four bolts holding the assembly to the car. On the rear, nothing holds it on except that hub bolt. Use a torque wrench to get them to spec. The kits came with new bolts. The axle bolts go on tight tight. |
| |
| ▲ | buzzerbetrayed 6 days ago | parent | prev [-] | | This is my biggest complaint with the strict "my device, my rules" people. I want Apple to lock down my device to customization, repairs, etc.. I know I am never going to install an app through means other than the app store, even if I could. I know I'm never going to repair my device through anyone other than Apple, even if I could. I want to know that my device will be a $1,000 paperweight to anyone who steals it. I want to pay Apple to ensure there are no "driveway repairs". A number of years ago I accidentally ended up with a second hand iPhone with a shitty "fake" screen repair. I had no way of knowing it wasn't an Apple screen. But it fucked me over as soon as it started failing a couple months after I bought it. I get tired of the people demanding that a company, with willing, paying customers, isn't allowed to protect their customers because they want something the company doesn't offer. Fuck right off with that shit and buy from a company that does offer that. | | |
| ▲ | bluescrn 6 days ago | parent | next [-] | | Apple aren’t aiming to protect buyers of pre-owned devices. If they could get away with it, they’d likely prevent resale entirely. | | |
| ▲ | bzzzt 6 days ago | parent | next [-] | | Why would they? Lots of people sell their old phone to pay for the latest model. Killing the resale value will decrease new sales. | | |
| ▲ | pasc1878 6 days ago | parent [-] | | Resale through Apple only - Apple already will give you discounts if you upgrade some things. So the resale value will continue albeit at a fixed price | | |
| ▲ | bzzzt 5 days ago | parent [-] | | They offer a pittance compared to the 'normal' second hand market. If people can't get enough for the phone the upgrade will not be bought. |
|
| |
| ▲ | Bud 6 days ago | parent | prev [-] | | [dead] |
| |
| ▲ | worthless-trash 6 days ago | parent | prev [-] | | I feel your'e just mad because your expectations of buying a second hand phone were not met. | | |
| ▲ | vlovich123 6 days ago | parent [-] | | I had a similar experience myself paying for screen repair in SF and getting back a phone with a butchered display. Why wouldn’t you get mad for spending money and not having your expectations met? | | |
| ▲ | koiueo 6 days ago | parent [-] | | This is solved by repair shop warranty and reputation. They butchered your repair, you demand a fix or a compensation for a new phone. That's what customer protection laws are for. | | |
| ▲ | chongli 6 days ago | parent [-] | | If you need consumer protection laws then clearly reputation isn’t worth much. The issue with reputation is that society has grown so large and impersonal that we’re constantly facing interactions with unknown people. | | |
| ▲ | koiueo 6 days ago | parent [-] | | I'm sorry for my candor, but your argument is so silly, it rubs me the wrong way. Laws are how society operates. If you need traffic rules (those are defined by laws fyi) then clearly individual's ability to drive isn't worth much. Let's abolish car ownership, make Apple operate all ground transportation and prohibit anyone else from deciding where Apple-operated cars go, what are operational hours and where the stops are. | | |
| ▲ | ryandrake 6 days ago | parent [-] | | > Let's abolish car ownership, make [car manufacturers] operate all ground transportation and prohibit anyone else from deciding where [manufacturer]-operated cars go, what are operational hours and where the stops are. Shhhhhh! Don’t give them any more bad ideas or they might actually do it. |
|
|
|
|
|
|
|
| |
| ▲ | N19PEDL2 6 days ago | parent | prev [-] | | It wouldn't be difficult for Apple to add a page in the device settings that shows whether the device contains any non-genuine components. |
| |
| ▲ | amrocha 6 days ago | parent | prev | next [-] | | Does your grandma decide her own “security posture”? Does she even know what that means? | | |
| ▲ | smaudet 6 days ago | parent | next [-] | | Your grandma is not the target of state level spy rings... The noise made about security is absolutely ridiculous. | | |
| ▲ | swiftcoder 6 days ago | parent | next [-] | | She is however the target of pretty much every financial scam on the planet, many of which rely on convincing folks to hand over the keys to their (digital) castle... | | |
| ▲ | eviks 6 days ago | parent [-] | | Which financial scams involve such attacks, so is there a single scam that this measure would prevent? | | |
| ▲ | swiftcoder 6 days ago | parent [-] | | I'm not aware of any that this particular sensor would mitigate. I think the idea that security is only for people targeted by nation-states is not a realistic view of the modern world (and, moreover, if we decide that normal people don't need enhanced security measures, it becomes trivial to identify dissidents by the fact that they implement security measures). |
|
| |
| ▲ | amrocha 6 days ago | parent | prev [-] | | State hacking tech leaks to average hackers and scammers over time. Scammers today are using nation state tech from a decade ago. |
| |
| ▲ | lupusreal 6 days ago | parent | prev | next [-] | | My dude, an Indian is going to call your Apple-using grandmother and tell her that he works for "the Microsoft" and he needs her to give him all her banking details, or go to a bitcoin ATM, or buy a stack of $500 gift cards, and she's going to do it. The sensor in her macbook lid does not matter! Get real. | | |
| ▲ | amrocha 6 days ago | parent [-] | | Who are you to decide what matters and what doesn’t? If you were a journalist reporting on russia or the UAE it would certainly matter. Not to mention that it’s not that hard to imagine an AI tool being paired with 24/7 surveillance that reports back private information it hears. It’s also not hard to imagine your average hackers getting their hands on a tool like that after a couple years of governments deploying it. | | |
| ▲ | lupusreal 6 days ago | parent [-] | | You're wack. Do you think a locked down laptop lid sensor will stop them from spiking your tea with polonium, or shooting you with a ricin BB, or breaking into your home when you're asleep and jabbing a needle into your neck while holding a pillow over your face, or kidnapping you and breaking your bones with a sledge hammer until they've gotten their rocks off? This laptop lid threat is fantasy. Get fucking real. |
|
| |
| ▲ | deadfoxygrandpa 6 days ago | parent | prev [-] | | both my grandmothers are dead | | |
| ▲ | amrocha 6 days ago | parent [-] | | What’s the point of this comment? | | |
| ▲ | defrost 6 days ago | parent [-] | | It answers the question you asked. Another answer, mine, is that one grandmother flew bombers, jets, spitfires, etc. in WWII and ran a post war international logistics company after that. The other did "stuff" with math. ie. Both capable of understanding a security posture. How about your grannies? You might want to ask well formed questions in future, on a site such as HN the set of all grandmothers is hardly homogeneous. | | |
|
|
| |
| ▲ | jbs789 6 days ago | parent | prev | next [-] | | You do get to decide (buy another product with a different value proposition). | |
| ▲ | isaacremuant 6 days ago | parent | prev [-] | | It's not that crazy when people seem to cheer for a nanny state at every turn. Specially if said nanny state bombards them with propaganda about all the dangers they'll face if they just don't "comply". 1984 references may have seen farfetched but after the suppression of rights using covid as an excuse people have little to no recourse to claim control back. Apple was always famous for their walled garden and tight control, but we have Google becoming like apple (can't install things in your device unless you go to them with your private details), ID to track your movements because "protect the children" (effectively blocking news even), chat control (very similar to installing a camera in your home and recording all your conversations). Corps and governments are relying on each other to strengthen their control and it's not a surprise. |
|
|
| ▲ | bri3d 6 days ago | parent | prev | next [-] |
| Keeping a victim device unlocked when the lock state is responsible for encryption key state is a totally legitimate risk. With that being said, I don’t think Apple see this specific part as a security critical component, because the calibration is not cryptographic and just sets some end point data. Apple are usually pretty good about using cryptography where they see real security boundaries. |
| |
| ▲ | echelon 6 days ago | parent | next [-] | | Don't invent reasons for Apple to continue to have a stranglehold over their monopoly of critical computing infrastructure. Companies as big as Apple and Google that provide such immensely important platforms and devices should have their hands tied by every major government's regulatory bodies to keep the hardware open for innovation without taxation and control. We've gone from open computing to serfdom in the last 20 years, and it's only getting worse as these companies pile on trillions after trillions of nation state equivalent market cap. | | |
| ▲ | astrange 6 days ago | parent [-] | | The government regulators also have an interest in knowing the laptops they buy for eg the NSA have authenticated parts to avoid supply chain attacks. If you're selling cell phones you already spend plenty of time satisfying regulators and vendors from all over the world. The cell phone companies aren't the ones with power here. (In general tech people have no political power because none of them have any social skills.) | | |
| ▲ | cwillu 6 days ago | parent [-] | | Because the NSA is buying used laptops? | | |
| ▲ | swiftcoder 6 days ago | parent [-] | | Supply chain attacks don't generally target the second hand market. Much more effective to upstream your attack to the vendor Apple buys parts from in China, and compromise every MacBook in one fell swoop | | |
| ▲ | astrange 6 days ago | parent [-] | | That's too discoverable to work. Supply chain attacks are by state actors who can interrupt specifically your order on its way to you and silently replace parts in it. |
|
|
|
| |
| ▲ | arcticbull 6 days ago | parent | prev [-] | | It doesn't need to be encrypted if it's one-time programmable. The calibration data is likely written into efuses which are physically burned and cannot be reset. | | |
| ▲ | bri3d 6 days ago | parent [-] | | The sensor and its data stream would need to be authenticated, though. | | |
| ▲ | arcticbull 6 days ago | parent [-] | | For the mic cut-off? My understanding is that it outputs an electrical signal that's routed to the audio codec that literally prevents the audio from getting to system memory in the same way a physical switch would. It autonomously, at an electrical level, disconnects the mic without OS or software intervention. As it cannot be programmed again, you would have to crack open the laptop and modify the PCB to override it. | | |
| ▲ | bri3d 6 days ago | parent [-] | | Oh, I understand now - you're right, OTP sensor data does protect against a real threat model I hadn't considered before: * A remote attacker gains whatever privilege lets them get to the sensor SPI.
* Without OTP calibration, the attacker could reprogram the sensor silently to report a different endstop, keeping the machine awake and the hard-cuts active.
* With OTP calibration, this is closed. So perhaps it is more security-related than I initially thought. I was more considering the counterfeit part / supply chain / evil maid scenario, where the fact that Apple's sensors are OTP is meaningless (since a replacement sensor doesn't need to be, plus, you could just put a microcontroller pretending to be a sensor in there since there's no actual protection). Thanks, you made me think again and figure it out! |
|
|
|
|
|
| ▲ | KurSix 6 days ago | parent | prev | next [-] |
| A properly gated, user-authorized override in recoveryOS or similar would give advanced users and third-party repair shops a legitimate path without blowing up the security model |
|
| ▲ | raxxorraxor 6 days ago | parent | prev | next [-] |
| Then Apply tying the angle sensor to microphone status is a security issue. I would read that as a cheap excuse to be honest. |
|
| ▲ | oxguy3 6 days ago | parent | prev | next [-] |
| If repair shops can buy the $130 calibration machine, presumably the super spy in this story (who for some reason couldn't steal the data while they were replacing the lid sensor, nor can they steal the data when the laptop's in use, but somehow can steal the data when it's idle with the lid down) can also get a calibration machine, and then deliberately set the zero point incorrectly. |
|
| ▲ | naikrovek 6 days ago | parent | prev | next [-] |
| Yes. “Sure, you can borrow my laptop. It’s fine. Take it home. I promise not to spy on you while the lid is closed. I promise not to record aaaaaany audio or anything! And I definitely won’t hear any conversation that contains information that I’ll use to stalk you later!” There are a million ways that some nefarious person could spy on another, but at least this isn’t one of them. And I am a very suspicious person, thanks to some eye opening experiences that I’ve had. When someone says that they want to do something that not a lot of people want to do, I immediately wonder how they will use that against myself or someone else. Because that has happened multiple times to me. I also hate that I am suspicious of people who want to at least have the opportunity to fully own their devices; something that is perfectly reasonable to want, but I am. What would that additional ability do for them? What will they be capable of doing that they can’t do now? How and when will they use it to get what they want out of someone? Or out of me? If you don’t think like this, I really envy you. For the longest time, every teacher, every supervisor, every commander, every non-familial authority figure I had until I was probably 35, used and manipulated me for the purpose of advancing themselves. Every single one. The ones in the military didn’t even attempt to hide it. I’m so scarred because of people convincing me to help them screw me over that I no longer trust anyone who is concerned about things like laptop lid angle sensors. Because who are you trying to screw over and why does that angle sensor stand in your way? |
| |
| ▲ | AnonHP 6 days ago | parent | next [-] | | > When someone says that they want to do something that not a lot of people want to do, I immediately wonder how they will use that against myself or someone else. Because that has happened multiple times to me. I’m intrigued. Would you be comfortable sharing some of these real experiences here (with sensitive details fudged/removed)? | | |
| ▲ | naikrovek 6 days ago | parent [-] | | I'd rather not. They're very foggy memories now, and the ones that aren't are all attempted sexual abuse. Conmen are everywhere, and they will say things in the nicest most innocuous ways possible to sway you to do things for them. They'll do it over time, and they will very gradually ramp things up. "this is just a small change from that, what's the matter" ugh. people suck. |
| |
| ▲ | KurSix 6 days ago | parent | prev | next [-] | | I think it's possible to advocate for device ownership and repair rights without having malicious intent | | |
| ▲ | naikrovek 6 days ago | parent [-] | | that is correct. my specific history pushes me in the direction where i suspect malevolence, though. yours might not. but let me tell you; people are absolutely capable of the worst things you can imagine, and if those people require your cooperation they will try the carrot long before they try the stick. |
| |
| ▲ | commandersaki 6 days ago | parent | prev [-] | | I mean nobody expected pager bombs, but here we are. |
|
|
| ▲ | saurik 6 days ago | parent | prev | next [-] |
| If you have access to my laptop long and deep enough to replace the hinge sensor with a fake one that prevents the lid from closing as a way to turn it into a recording device -- which of course would also require installing software on it -- instead of just putting a tiny microphone into it (or my bag), you are simultaneously a genius and dumb. And if you really are going to that level of effort, hoping that I don't notice my laptop failing to go to sleep when I close it so you might be able to steal it is crazy when you can 100% just modify the hardware in the keyboard to log my password. Hell: what you really should do is swap my entire laptop with a fake one that merely shows me my login screen (which you can trivially clone off of mine as it happily shows it to you when you open it ;P) and asks for my password, at which point you use a cellular modem to ship it back to you. That would be infinitely easier to pull off and is effectively game over for me because, when the laptop unlocks and I don't have any of my data (bonus points if I am left staring at a gif of Nedry laughing, though if you showed an Apple logo of death you'd buy yourself multiple days of me assuming it simply broke), it will be too late: you'll have my password and can unlock my laptop legitimately. > There are good security reasons for a lot of what Apple does. So, no: these are clearly just excuses, sometimes used to ply users externally (such as yourself) and sometimes used to ply their own engineers internally (such as wherever you heard this), but these mitigations are simply so ridiculously besides the point of what they are supposedly actually securing that you simply can't take them seriously if you put more than a few minutes of thought into how they work... either the people peddling them are incompetent or malicious, and, even if you choose to believe the former over the latter, it doesn't make the shitty end result for the owner feel any better. |
| |
| ▲ | moshib 6 days ago | parent | next [-] | | I can imagine a different attack vector: A malicious actor doing laptop repairs can absolutely replace the hinge sensor and install software on it. They could draw in people by offering cheaper prices, then steal their info or use it to setup more complex scams. The counterpoint to this is that car body shops can also plant recording devices in your car. This is true, but the signal-to-noise ratio in terms of stealing valuable data is much lower. I don't have data to back this up, but I assume way more people use their laptops for online purchases and accessing their bank account than doing the same with phone calls in the car. | | |
| ▲ | ajsnigrutin 6 days ago | parent [-] | | A repair worker can install software on it without replacing the sensor. Also add a tiny mic without installing the software. Or both. I mean.. someone could replace your cars breakpads with pieces of wood or plastic, which would seemingly brake on the repair shop parking lot but fail horribly (burn and worse) when you needed them after. Somehow we still let people replace brake pads without having to program in the serial numbers.. for now. |
| |
| ▲ | Shorel 6 days ago | parent | prev [-] | | Your laptop can be compromised during a trip to a foreign state, by state actors. Travelling back you would notice a microphone, and would notice nothing on the laptop. |
|
|
| ▲ | knowaveragejoe 5 days ago | parent | prev | next [-] |
| > This could then be combined with some software on the machine to turn a MacBook into a difficult to detect recording device, bypassing protections such as the microphone and camera privacy alerts, since the MacBook would be closed but not sleeping. Isn't this already possible if the MB is connected to a power source like a portable battery? |
|
| ▲ | throwaway314155 6 days ago | parent | prev | next [-] |
| Isn't there software that does exactly this? Called caffeine, I believe? |
| |
| ▲ | classichasclass 6 days ago | parent | next [-] | | ITYM "caffeinate" DESCRIPTION
caffeinate creates assertions to alter system sleep behavior. If no
assertion flags are specified, caffeinate creates an assertion to prevent
idle sleep. If a utility is specified, caffeinate creates the assertions
on the utility's behalf, and those assertions will persist for the
duration of the utility's execution. Otherwise, caffeinate creates the
assertions directly, and those assertions will persist until caffeinate
exits.
| |
| ▲ | vlovich123 6 days ago | parent | prev [-] | | Installing software generally requires user permission. Replacing Hw can be done surreptitiously. At least that’s the strongman variant of the security argument. | | |
| ▲ | wpm 6 days ago | parent [-] | | `caffeinate` is installed by default on macOS. |
|
|
|
| ▲ | nicman23 6 days ago | parent | prev | next [-] |
| those are over-complicated bollocks. there are easier and less detectable software only ways to do all that. |
| |
| ▲ | arcticbull 6 days ago | parent [-] | | If you were to come up with one, I suspect you'd have a solid bug bounty waiting for you. | | |
| ▲ | nicman23 6 days ago | parent [-] | | you just set the pc to not sleep on screen down? it is literally a feature | | |
| ▲ | arcticbull 6 days ago | parent [-] | | As far as I know the mic is still shut off when the machine is set to clamshell mode. That's the point. You cannot use the mic when the lid is closed. It's a hardware cut-off, you cannot configure it in software. Hence my comment about the bug bounty. | | |
| ▲ | aae42 6 days ago | parent [-] | | $5 USB mic? | | |
| ▲ | arcticbull 6 days ago | parent [-] | | If the point is to hide the recording that's not a great way. Especially when many corporate IT solutions monitor USB device connections. |
|
|
|
|
|
|
| ▲ | Lammy 6 days ago | parent | prev | next [-] |
| If we're talking Bond-tier assessments then Apple already sell a covert microphone: AirTags. They “have no microphone” according to product specs, but they do have a huge speaker, and a speaker and microphone are the same thing like a generator and motor are the same thing: https://in.bgu.ac.il/en/Pages/news/eaves_dropping.aspx |
| |
| ▲ | Kirby64 6 days ago | parent | next [-] | | Just because a speaker can technically operate as a microphone doesn’t mean that AirTags would be capable of this. The speaker driver definitely doesn’t have any recording capability. The only reason the 3.5mm jack mentioned in your article is capable of this is because the jack has functionality to allow analog recording for mic/line in cases. No dedicated speaker driver would have this because it would be worthless and costly. | |
| ▲ | ungreased0675 6 days ago | parent | prev [-] | | There’s a fairly large jump between having a microphone and being able to be used as a surveillance device. |
|
|
| ▲ | Spooky23 6 days ago | parent | prev [-] |
| How you can characterize this type of threat as a “James Bond” fantasy in 2025 is breathtaking. The Federal government is forensically collecting phones during routine border crossings to see if you reposted Fat JD Vance memes. That’s publicly disclosed and well know. I have no trouble believing that potential enemies of the state like the governor of California and his cabinet are bugged. If I were a person like that, I’d try to take supply chain countermeasures. |
