Are you talking about DFU mode? I think it would be very difficult for Apple to remove that without causing a lot of issues for people. Being able to completely reset the device if you forget the password is useful, especially since you still need the user's iCloud credentials to activate it (so as to discourage theft).
I'm talking about the time Apple was asked to provide an alternative firmware to unlock the iPhone of the San Bernardino shooter, which suggests that at least Apple itself can put a new firmware on a locked device without having it wiped.
It may be the case that you can put a new OS on the device without it being wiped, because the OS partition is separate from the user data partition, and probably unencrypted.
Anyway, a hypothetical alternative firmware couldn't just magically bypass the encryption. What it could have done, and I think this may only apply to older iPhone models as it's now handled by the Secure Enclave(?), is make it easier to brute-force the PIN code (no lockout, less delay).
Can you do an OS upgrade on a locked device without unlocking it first? If so, that is terrible regardless of whether the OS partition is encrypted or not.
It also doesn't really matter whether the compromise is a direct key extraction or just defeating the anti-brute-force protections; the root flaw here is the phone accepting new privileged software while locked and still retaining its state.
Well, the existence of a bypass for that is what is being considered here; such a bypass would constitute a backdoor contrary to Apple's security/privacy posturing.
> a hypothetical alternative firmware couldn't just magically bypass the encryption
No, but it could presumably brute force the pin (unless the rate limiting is hardware controlled?) or wait until the user enters it, then decrypt everything.
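The two comments above make the same point: replacement firmware cannot undo encryption whose key is derived from the passcode, it can only change how quickly guesses can be made, which is why it matters whether the attempt delays are enforced by the Secure Enclave rather than by replaceable software. The following worked example, added here and not part of the thread or of any Apple documentation, quantifies that: it computes how long a passcode space takes to exhaust under an escalating delay policy enforced by the hardware versus no policy at all. The per-attempt key-derivation cost and the delay table are assumptions chosen for illustration, not Apple's published numbers.

```python
"""Constructed model of passcode exposure under an attempt-delay policy.

Added example; the KDF cost and delay table below are assumptions, not
published platform values. Use it to compare passcode lengths, or to see
what is lost if the delay policy can be switched off by new firmware.
"""

# Assumed cost of one passcode-to-key derivation, bound to device hardware
# (this is what remains even when every software lockout is removed).
KDF_SECONDS = 0.08

# Assumed escalating delay policy as (failed_attempts, delay_seconds) pairs:
# once the failure count reaches `failed_attempts`, each further attempt
# must wait `delay_seconds`. Constructed for illustration only.
ENCLAVE_POLICY = [(5, 60.0), (6, 300.0), (7, 900.0), (9, 3600.0)]

# The situation the thread worries about: delays live in software that a
# replacement firmware simply does not implement.
NO_LOCKOUT_POLICY = []


def passcode_space(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of the given length (worst-case guesses)."""
    return alphabet_size ** length


def delay_after(failed_attempts: int, policy) -> float:
    """Delay enforced after `failed_attempts` failures under `policy`.

    The applicable entry is the one with the largest threshold that has
    already been reached; below the first threshold there is no delay.
    """
    applicable = 0.0
    for threshold, delay in sorted(policy):
        if failed_attempts >= threshold:
            applicable = delay
    return applicable


def seconds_to_exhaust(guesses: int, policy, kdf_seconds: float = KDF_SECONDS) -> float:
    """Worst-case wall-clock seconds to try every one of `guesses` passcodes.

    Every attempt pays the key-derivation cost; additionally, after each of
    the first `guesses - 1` failures the policy's delay is paid before the
    next attempt (no wait after the final attempt). Delay segments are summed
    in closed form so large alphanumeric spaces do not need a per-guess loop.
    """
    total = guesses * kdf_seconds
    thresholds = sorted(policy)
    for i, (start, delay) in enumerate(thresholds):
        # Last failure that still pays this segment's delay.
        end = thresholds[i + 1][0] - 1 if i + 1 < len(thresholds) else guesses - 1
        end = min(end, guesses - 1)
        if end >= start:
            total += (end - start + 1) * delay
    return total


def exposure_report(policy) -> dict:
    """Worst-case days to exhaust common passcode shapes under `policy`."""
    shapes = {
        "4-digit": passcode_space(4, 10),
        "6-digit": passcode_space(6, 10),
        "6-char alphanumeric": passcode_space(6, 36),
    }
    return {name: seconds_to_exhaust(n, policy) / 86400 for name, n in shapes.items()}


if __name__ == "__main__":
    for name, policy in (("enclave-enforced delays", ENCLAVE_POLICY),
                         ("no lockout (software delays removed)", NO_LOCKOUT_POLICY)):
        print(name)
        for shape, days in exposure_report(policy).items():
            print(f"  {shape:22s} {days:14.3f} days")
```

The comparison shows the asymmetry the comments describe: with the delay policy in effect, even a 4-digit passcode costs on the order of a year to exhaust, while with only the hardware-bound derivation cost left it costs minutes. A longer or alphanumeric passcode is the part of the defence that does not depend on which firmware is running.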
I'm talking about having device data preserved and made accessible, while the device is screen-locked, without having any credentials or the passcode - pick all three.
Yes. If the FBI had a signed system image that disabled disk encryption, they would have applied it through Recovery mode and the data would not have been lost. They couldn’t get Apple to make or sign the software, however.
Not the point. If installing such software on a locked device is technically feasible, that's a pretty glaring hole in the entire security approach, essentially making Apple a trusted party to your phone data with the ability to create other such parties.
You already trust them not to make compromised software updates anyway. While I agree that this is definitely a potential issue, I don’t think it changes the threat model.