Apple Downplays Impact of iBoot Source Code Leak

Apple said the leak of its iBoot source code will have little to no impact on iOS device security.

Apple is responding to reports that the leak of its iBoot source code is a serious security blow to iOS devices. In a statement released Thursday, it confirmed the leak, but emphasized the source code is three years old and would have no impact on iOS device security.

“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protection,” Apple said in a statement.

Apple’s statement comes a day after it slapped GitHub with a copyright takedown request forcing the company to remove iBoot source code tied to iOS 9.3.x posted to the repository. The code had previously been available on various sites such as Reddit for up to a month prior to the takedown notice.

The iBoot code is two years old; however, some security experts said that parts of it are likely still in use by the latest version of Apple’s iOS 11. Knowledge of the code could be a boon for the iOS jailbreaking community, said Rusty Carter, VP of product management for Arxan Technology.

“Exposure of the source code, even for an older version of the boot loader (of iOS), does provide risk,” Carter told Threatpost in an interview. He said malware authors often leverage the latest jailbreaks as part of attacks against iOS.

Apple identifies iBoot as “code that’s loaded by LLB, and in turn loads XNU, as part of the secure boot chain.” Through its bug bounty program, Apple offers a $200,000 reward to researchers who find vulnerabilities in secure boot firmware.

Patrick Wardle, chief research officer at Digita Security, said the code leak benefits offensive-minded adversaries. But, he said, it’s not a huge boon to advanced hackers who don’t rely on source code.

“If other things leaked – like (iOS) signing keys – then that would be a real issue,” Wardle told Threatpost.

According to reports, the source code taken down from GitHub was incomplete and couldn’t be compiled. However, it did include Apple documents relevant to iBoot that experts said could help researchers identify vulnerabilities.

The leak puts Apple in a tricky spot, Wardle said. It can’t fix something that’s not broken. Instead, Apple appears more peeved its intellectual property was leaked onto GitHub.

Experts said that so long as Apple implements iBoot properly, the code won’t offer adversaries much of a leg up. Apple’s current approach to keeping iOS secure is multi-layered and goes beyond iBoot. Source code is by no means the Holy Grail when it comes to software security, according to Wardle.

According to Apple’s latest statistics, 93 percent of iOS devices are running iOS 10 or later.
