Apple plays down iBoot iOS code leak

Apple has encouraged its customers to update to the newest software releases

Apple has moved to play down fears regarding a recent leak of the iBoot source code that forms a core part of iOS.

Initially it seemed as though Apple's much-vaunted security had been threatened by the unknown postage of portions of its source code for a critical iOS component to Github.

But now Cupertino has issued a statement acknowledging the leak but insisted that the security of their products didn't "depend upon the secrecy" of their source code.

Apple stated that the leaked source code was out-dated and encouraged customers to "update to the newest software releases to benefit from the latest protections".

The leaked code could enable hackers to find loopholes and exploits in Apple's trusted boot systems, which would then undermine the security of iOS entirely.

Security experts warned that though the leaked code was for the iOS 9, which is used only by about 7% of iOS devices, modern systems would still be vulnerable to attacks, as much of the components in iOS 9 can be found in the latest version of Apple mobile operating system.

Apple is highly protective of the code surrounding its devices' boot services, offering a bug bounty scheme that rewards people with $200,000 for identifying any potential flaws in their systems.

The leak of the source code had stirred concern; Andy Kays, CTO of the UK security firm Redscan noted: "Vendors relying excessively on code obfuscation to maintain the security of their products will always be vulnerable to leaks. Any provider that takes security seriously should always conduct rigorous threat modelling based on the assumption that source code will be exposed as some point and put in place appropriate controls to counter it."

However, he also pointed out that iPhone owners do not currently need to worry about any imminent security threats resulting from this leak. "Sensibly, Apple has taken other steps to improve the protection of its products, such as improving the security of copprocesses, so users of its latest devices don't need to be unduly concerned by the release of the iBoot firmware."

08/02/18: Apple's legendary security may be in serious trouble, after an unknown party posted portions of the source code for a critical iOS component to Github.

According to Motherboard, the section found on the code-sharing platform governs iOS' 'iBoot' function, which controls the operating system's trusted boot functionality and is a core part of how iOS remains so secure.

The leaked code could allow hackers to find loopholes and exploits in Apple's trusted boot systems, which could then be used to compromise the security of iOS as a whole. While the iBoot source code which appeared on Github was for iOS 9 rather than the most recent releases, security experts have warned that it could still be used to exploit modern systems as much of the code is likely to remain the same.

Although Apple expert Jonathan Levin told Motherboard that the code appears to be genuine based on what he has reverse engineered from iOS, it's still officially unconfirmed whether or not this is actually leaked code or merely a hoax. It's also not known whether the code was posted to Github accidentally, or whether it was a deliberate leak.

Apple is extremely protective of the code surrounding its devices' boot processes finding a flaw in one will net you the maximum payment of $200,000 that the company offers through its bug bounty scheme. It has also firmly eschewed making any part of its boot code open source, despite making certain parts of its source code freely available.

IT Pro contacted Apple for comment on the matter, but hadn't received a reply at the time of publication.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

Survey finds web app attacks are up 800% compared to 2019
Security

Survey finds web app attacks are up 800% compared to 2019

23 Nov 2020
Digital Shadows’ context-based security alerts expand sensitive doc management
Security

Digital Shadows’ context-based security alerts expand sensitive doc management

23 Nov 2020
More than half of businesses saw rising fraud levels this year
Security

More than half of businesses saw rising fraud levels this year

23 Nov 2020
Manchester United resists ‘sophisticated’ cyber attack
Security

Manchester United resists ‘sophisticated’ cyber attack

23 Nov 2020

Most Popular

Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
macOS Big Sur is bricking some older MacBooks
operating systems

macOS Big Sur is bricking some older MacBooks

16 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020