I'm not sure I understand what exactly happened here. Was it previously possible for non-apple engineers to replace the home button or was it not? The guardian's article seems to suggest it was: "Indeed, the phone may have been working perfectly for weeks or months since a repair or being damaged."
If that is the case and it was possible to replace these sensors before, apple's narrative that the "error 53" code was introduced for security reasons doesn't seem to make a lot of sense: If the hardware sensor wasn't designed with secure authorization (e.g. via asymmetric cryptography) in the first place, all they could do now in a software update would be to add some kind of cosmetic device ID check.
However, any such newly introduced check in software could not actually prevent "malicious sensor" attacks but would only add a (possibly trivial) additional step to the attack where you have to spoof the correct device id.
Or maybe my reading of the guardian article is imprecise and replacing the home button has always meant loosing access to at least some security-relevant features?
You can get the button exchanged, but since each one is coupled with the secure enclave co-processor, touch ID doesn't work anymore. But home button still works, so does the phone encryption, you just can't identify yourself with the fingerprint anymore. If you go and try to add a fingerprint, it behaves like you have a muddy finger and can't scan it. But this ain't an issue since encryption is done by a PIN code first, then fingerprints are used as a more convenient way to unlock.
Frankly the device bricking is BS, since the encryption PIN code is still there and unknown to a possible attacker. You just can't use the victims fingerprints to unlock it anymore, or attach a hacked fingerprint reader, because it still won't be able to access the secure enclave to open and get the PIN code.
If that is the case and it was possible to replace these sensors before, apple's narrative that the "error 53" code was introduced for security reasons doesn't seem to make a lot of sense: If the hardware sensor wasn't designed with secure authorization (e.g. via asymmetric cryptography) in the first place, all they could do now in a software update would be to add some kind of cosmetic device ID check.
However, any such newly introduced check in software could not actually prevent "malicious sensor" attacks but would only add a (possibly trivial) additional step to the attack where you have to spoof the correct device id.
Or maybe my reading of the guardian article is imprecise and replacing the home button has always meant loosing access to at least some security-relevant features?