In principle this is of course true. However, this is now actually possible (signing rogue software).
The way I read this article is that Apple Premium resellers (and the Apple Store itself) now have the option to update the phone while it’s still in the box.
It categorically states that it is not yet known how it will work. But of course we can imagine that. Let’s say I were to design this, I think it would functionally look like this:
You can configure the board to update serial number 123APPL3789 in a verified manner. This is requested from Apple’s servers, which approve it, and so on. Apple’s servers now know that Pad 123 has updated that specific phone.
The package is placed upside down on a pillow. The panel supplies power with Qi/MagSafe technology, which powers the phone. It then communicates via NFC with the plate, which is registered as a “real plate” for activation using the serial number. (Just as you can hold an unconfigured phone against an “old” phone: they discover each other to transfer the user profile.) The phone recognizes it as an authenticated board with some encrypted handshake, etc. The phone then accepts the encrypted update via Bluetooth LE or some type of WiFi Direct, and installs it. But it keeps the original image as a backup. It logs off from the panel and exits.
The panel confirms this and logs the successful transaction from Apple’s servers.
The phone is sold after 3 days. It is activated by the user. The first thing the phone does is log into Apple and say it was updated by such-and-such nameplate on such-and-such date. If Apple’s servers agree to this: happy flow and beyond. The old backup image is deleted, and so on. If Apple’s servers say “We don’t know anything about this” or “The transaction was not successfully logged,” the phone will be locked and its old (stock/factory) image restored before the user can do anything.
The above mechanism will only work for serial numbers that have never been activated. Never again after this. (Or maybe when Apple sets that serial number to work again)
Of course, a potential rogue OS image could contain a piece of software that prevents it from verifying that approval with Apple. Then it’s a matter of keeping that code separate from what can be updated in this way. And if someone can abuse this part, they also deserve to get away with it. However, I expect that the person in question also has other ways of doing bad things.
Once again: all of the above is how I would design it. It says nothing about what it will look like in reality.
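The verification logic sketched in the post, as an added example (not code from the post or from Apple): one-time approval per never-activated serial, a receipt the phone checks before installing, a factory image kept as backup, and a rollback-and-lock when the server has no matching record at activation. The HMAC receipt, board key, and all identifiers are constructed assumptions standing in for the “encrypted handshake” the post leaves undefined.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed shared secret between the server and an authorised update board.
# Hypothetical: the post only says the board is "registered as a real plate".
BOARD_KEY = b"constructed-board-key"


def receipt(serial: str, board_id: str, date: str) -> str:
    """Authenticated receipt binding serial, board and date (assumption)."""
    msg = f"{serial}|{board_id}|{date}".encode()
    return hmac.new(BOARD_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class Server:
    activated: set = field(default_factory=set)   # serials already activated
    updates: dict = field(default_factory=dict)   # serial -> (board_id, date)

    def approve_update(self, serial: str, board_id: str, date: str) -> Optional[str]:
        # Rule from the post: only never-activated serials, and only once.
        if serial in self.activated or serial in self.updates:
            return None
        self.updates[serial] = (board_id, date)
        return receipt(serial, board_id, date)

    def confirm_activation(self, serial: str, claim) -> bool:
        # The phone reports "updated by board X on date Y"; agree only if logged.
        self.activated.add(serial)
        return claim is None or self.updates.get(serial) == claim


@dataclass
class Phone:
    serial: str
    image: str = "factory"
    backup: Optional[str] = None
    update_log: Optional[tuple] = None
    locked: bool = False

    def accept_update(self, board_id: str, date: str, new_image: str, rcpt: str) -> bool:
        # Verify the board's receipt before installing; keep the old image as backup.
        if not hmac.compare_digest(rcpt, receipt(self.serial, board_id, date)):
            return False
        self.backup, self.image = self.image, new_image
        self.update_log = (board_id, date)
        return True

    def activate(self, server: Server) -> str:
        # First thing on activation: report the update and ask the server to agree.
        if server.confirm_activation(self.serial, self.update_log):
            self.backup = None              # happy flow: drop the backup image
        else:
            self.image, self.backup = self.backup, None  # restore factory image
            self.locked = True              # and lock until Apple sorts it out
        return self.image


def demo() -> dict:
    server = Server()
    good = Phone("123APPL3789")
    rcpt = server.approve_update(good.serial, "PAD-123", "2024-01-01")
    good.accept_update("PAD-123", "2024-01-01", "os-17.0", rcpt)
    good.activate(server)

    # Receipt computed without the server logging it: looks valid on the phone,
    # but activation fails the server check and the phone rolls back and locks.
    unlogged = Phone("456APPL0001")
    unlogged.accept_update("PAD-999", "2024-01-02", "rogue-os",
                           receipt(unlogged.serial, "PAD-999", "2024-01-02"))
    unlogged.activate(server)

    return {
        "good_image": good.image, "good_locked": good.locked,
        "second_approval": server.approve_update(good.serial, "PAD-123", "2024-01-03"),
        "unlogged_image": unlogged.image, "unlogged_locked": unlogged.locked,
    }


if __name__ == "__main__":
    print(demo())
```

The server-side record is what the post relies on: the phone cannot decide on its own that an update was legitimate, it can only carry a claim that the server either recognises or rejects at activation.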