Apple is used to fighting leaks about its upcoming products and OS releases, but it’s never had to deal with anything like this before. An anonymous user on the popular code-sharing server GitHub has posted a major component of the iOS source code for all to see, and some experts are fearing it could be “the biggest leak in history.”
As first reported by Motherboard, the leaked code has since been pulled off the site but not before countless people were surely able to get their hands on it. Apple was forced to use the Digital Millennium Copyright Act to get the code taken down, and as UW research scientist Karl Koscher mused on Twitter, the [DMCA] law essentially forces Apple to admit that the code was real or else face perjury charges. In the DMCA takedown letter, Apple’s legal team writes that the content in question is a “reproduction of Apple’s “iBoot” source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software. The ‘iBoot’ source code is proprietary and it includes Apple’s copyright notice. It is not open-source.”
Apple is actively working to take down all instances of the iBoot code on GitHub.
The code in question is for a version of iOS 9.3, which was released in spring 2016 and brought features such as Night Shift and various other improvements. The portion of the code that leaked is called iBoot, and as its name suggests, it controls the trusted boot-up process that springs into action every time you start up your iPhone. According to Apple, the iOS bootloader “is the first step in the chain of trust where each step ensures that the next is signed by Apple.” If it is compromised, it could allow infected software to run on the device.
In a statement, Apple said, “Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.”
While the leak is certainly embarrassing, it could also be dangerous. Apple’s boot process is the most essential part of its iOS code, providing front-line protection against malware and other attacks. It’s so sensitive, in fact, that Apple shells out up to $200,000 to developers who find vulnerabilities, according to reports on the invitation-only program.
While the code is for a two-year-old OS and nearly 95 percent of users are on later versions of iOS, it’s likely that parts of it are still in use even in the most recent version of iOS 11. The most likely use for the iBoot code would be for creating jailbroken versions of iOS, but intimate knowledge of iOS’s source code could benefit hackers as well, as it provides an unprecedented look at how the iOS sausage is mode. By digging through the source code, malicious coders could spot vulnerabilities and inconsistencies in the code that could be used to attack all version of iOS, not just 9.3.
The impact on you at home: For the average user, there probably isn’t much to fear, at least not yet. To attack your phone using anything discovered in the iBoot leak, a hacker would likely need physical access to your phone and a bit of time to install a new OS on it. However, it does mean that hackers will be hard at work to find exploits in the code, as well as designers looking to emulate the iOS system. And it’s just one more unfortunate security story Apple has to deal with.
Secret iOS Source Code Has Leaked Onto the Internet
Apple has bad news for their more than 700 million iPhone users around the globe. A version of the code that allows iOS devices like iPhones and iPads to boot-up has been leaked on the web-based hosting service GitHub. Apple just about confirmed the leak by sending GitHub a Digital Millennium Copyright Act takedown notice and making the site remove the code just 13 hours after Motherboard broke the news on February 7, 2018.
The leak released the source code for iBoot, the very first program that runs when a device is turned on. The source of the leak is unknown, but you can imagine Apple will be cleaning house to find the culprit. The code’s widespread availability on GitHub means that hackers likely already have their hands on it.
Is this this leak really such a big deal, given that computer-savvy folks are able to reverse engineer code all the time? The unfortunate answer is yes. Apple tends to keep its source code secret, because the code can provide insight into system vulnerabilities.
What’s the Damage?
While the leak certainly isn’t good for Apple, it could be worse. The version posted on GitHub was supposedly iOS 9, a previous version of Apple’s operating system. This means that updated devices are not completely at risk to vulnerabilities hackers might find in the source code. However, Apple could have co-opted elements of its previous operating systems in the current software, so parts of the iOS 9 code may be used in iOS 11.
Exactly what hackers are able to do with the leaked iBoot will depend on what security flaws are present in the source code, if those flaws have been retained in new versions of the operating systems, and whether those flaws can be exploited.
More than likely, hackers may have an easier time jailbreaking, or removing imposed software restrictions, on iOS devices. Again, the typical iPhone user is probably not in any danger, thanks to Apple’s recent security upgrades on their devices.
In an increasingly digital age, keeping our devices — and the private data we entrust them with — safe needs to be a top priority. There have been a number of high profile hacks in recent memory, so news like this will certainly cause Apple a lot of grief. Here’s hoping they plug the leak before something like the iOS 11 source code makes its way onto the internet.