Apple plays down iBoot iOS code leak
Apple has encouraged its customers to update to the newest software releases
Apple has moved to play down fears regarding a recent leak of the iBoot source code that forms a core part of iOS.
Initially it seemed as though Apple's much-vaunted security had been threatened by the unknown postage of portions of its source code for a critical iOS component to Github.
But now Cupertino has issued a statement acknowledging the leak but insisted that the security of their products didn't "depend upon the secrecy" of their source code.
Apple stated that the leaked source code was out-dated and encouraged customers to "update to the newest software releases to benefit from the latest protections".
The leaked code could enable hackers to find loopholes and exploits in Apple's trusted boot systems, which would then undermine the security of iOS entirely.
Security experts warned that though the leaked code was for the iOS 9, which is used only by about 7% of iOS devices, modern systems would still be vulnerable to attacks, as much of the components in iOS 9 can be found in the latest version of Apple mobile operating system.
Apple is highly protective of the code surrounding its devices' boot services, offering a bug bounty scheme that rewards people with $200,000 for identifying any potential flaws in their systems.
The leak of the source code had stirred concern; Andy Kays, CTO of the UK security firm Redscan noted: "Vendors relying excessively on code obfuscation to maintain the security of their products will always be vulnerable to leaks. Any provider that takes security seriously should always conduct rigorous threat modelling based on the assumption that source code will be exposed as some point and put in place appropriate controls to counter it."
However, he also pointed out that iPhone owners do not currently need to worry about any imminent security threats resulting from this leak. "Sensibly, Apple has taken other steps to improve the protection of its products, such as improving the security of copprocesses, so users of its latest devices don't need to be unduly concerned by the release of the iBoot firmware."
08/02/18: Apple's legendary security may be in serious trouble, after an unknown party posted portions of the source code for a critical iOS component to Github.
According to Motherboard, the section found on the code-sharing platform governs iOS' 'iBoot' function, which controls the operating system's trusted boot functionality and is a core part of how iOS remains so secure.
The leaked code could allow hackers to find loopholes and exploits in Apple's trusted boot systems, which could then be used to compromise the security of iOS as a whole. While the iBoot source code which appeared on Github was for iOS 9 rather than the most recent releases, security experts have warned that it could still be used to exploit modern systems as much of the code is likely to remain the same.
Although Apple expert Jonathan Levin told Motherboard that the code appears to be genuine based on what he has reverse engineered from iOS, it's still officially unconfirmed whether or not this is actually leaked code or merely a hoax. It's also not known whether the code was posted to Github accidentally, or whether it was a deliberate leak.
Apple is extremely protective of the code surrounding its devices' boot processes finding a flaw in one will net you the maximum payment of $200,000 that the company offers through its bug bounty scheme. It has also firmly eschewed making any part of its boot code open source, despite making certain parts of its source code freely available.
IT Pro contacted Apple for comment on the matter, but hadn't received a reply at the time of publication.
Digitally perfecting the supply chain
How new technologies are being leveraged to transform the manufacturing supply chainDownload now
Three keys to maximise application migration and modernisation success
Harness the benefits that modernised applications can offerDownload now
Your enterprise cloud solutions guide
Infrastructure designed to meet your company's IT needs for next-generation cloud applicationsDownload now
The 3 approaches of Breach and Attack Simulation technologies
A guide to the nuances of BAS, helping you stay one step ahead of cyber criminalsDownload now