six colors

by Jason Snell & Dan Moren

Linked by Jason Snell

iOS 9 boot source code leaks

In what one writer called “the biggest leak in history,” someone posted to GitHub the source code for the part of iOS that is responsible for booting the system, Motherboard reported Wednesday:

Having access to the source code of iBoot gives iOS security researchers a better chance to find vulnerabilities that could lead to compromising or jailbreaking the device…. That means hackers could have an easier time finding flaws and bugs that could allow them to crack or decrypt an iPhone. And, perhaps, this leak could eventually allow advanced programmers to emulate iOS on non-Apple platforms.

On Thursday Apple responded with a statement confirming the news. (GitHub has removed the code after a takedown request by Apple.) Here’s Apple’s statement:

Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built in to our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.

Security researcher Will Strafach told TechCrunch that while the leak gives hackers some hints about how iOS boots that might become useful vectors of attack, it probably doesn’t mean much to iPhone owners:

“In terms of end users, this doesn’t really mean anything positive or negative,” Strafach said in an email. “Apple does not use security through obscurity, so this does not contain anything risky, just an easier to read format for the boot loader code. It’s all cryptographically signed on end user devices, there is no way to really use any of the contents here maliciously or otherwise.”

Not great, Bob, but it sounds like this is more likely information that would be used to build a jailbreak than something that could fuel a zero-day attack on modern iPhones.