Published: Fri, February 09, 2018

IOS 9 Source Code Posted to GitHub in Unprecedented Leak

iBoot is described as the BIOS of the iPhone: it is responsible for loading the kernel, verifying that the kernel is signed by Apple, and then executing it.

The event captured the attention of several security experts, including one who told Motherboard that it was the 'biggest leak in [Apple's] history'. It's also not known whether the code was posted to GitHub accidentally or whether it was a deliberate leak. Apple managed to keep it completely secret until now. Apple considers bugs in iBoot to be so important that it pays security researchers up to $200,000 per vulnerability. The leaked code appears to belong to iOS 9.3.x.

That's still an if because Apple's trust design intentionally minimises the harm that can be caused by a compromise of one element. "Any provider that takes security seriously should always conduct rigorous threat modelling based on the assumption that source code will be exposed at some point and put in place appropriate controls to counter it".

The code allows all iPhones and iOS devices, including iPads, to turn on.

iPhones used to be relatively easy to jailbreak before Apple introduced the "secure enclave co-processor" with the Touch ID of the iPhone 5s.

Fortunately, numerous risks associated with the leak have been mitigated.

The code in question is for a version of iOS 9.3, which was released in spring 2016 and brought features such as Night Shift and various other improvements.

Reportedly, the leaked code relates to iOS 9, so it's unclear how much of the code will still be present in the latest image for iOS 11. Apple issued a takedown notice on the posted code overnight, which likely confirms the code was indeed leaked, although it was accessible for hours before being taken down.

Shortly after that article was posted, the publication updated its report to say that Apple had sent GitHub a Digital Millennium Copyright Act (DMCA) takedown notice demanding removal of the source code link. 'It is not open-source'.

In 2004, for example, millions of lines of code were leaked for Microsoft's Windows NT and 2000 operating systems.
