Apple found itself in damage control mode today after the source code, called iBoot, for the iPhone’s operating system was somehow posted to Github potentially giving anyone the ability to spot vulnerabilities.
Apple used the Digital Millennium Copyright Act (DMCA) to have the code successfully removed from GitHub on February 8. To do so the company had to confirm, under the penalty of perjury, that the code posted was in fact the company’s source code and an Apple property according to the DMCA statement posted on GitHub.
According to published reports the code posted is from iOS 9.3 and because there were some missing files it could not be compiles, but it is a valuable resource to anyone searching for vulnerabilities. reported Macworld.
“iBoot is critical to the secure boot process of the device, so this is a considerable compromise to iOS security. The code that was leaked is for an older version of iBoot, however, it can enable an attacker to develop exploits against vulnerabilities or jailbreak the operating system and find new ways to bypass controls. It is not yet clear which current i0S versions are specifically impacted by this release,” said Andrew Howard, CTO of Kudelski Security.
CNET posted a response from Apple that stated its products do not depend upon its source code to remain secure.
“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections,” CNET reported Apple said in a statement.
The purpose behind making the code public is somewhat perplexing as a cybercriminal would likely rather use the code to find a vulnerability, Rusty Carter, Arxan Technology’s VP of Product Management, told SC Media.
“A ‘or profit’ criminal would likely keep for their own use to develop malware (including adware or spyware attached to a jailbreak kit), use it to reverse-engineer / compromise iOS applications (like those from banks, payments, or, connected medical devices), or try to sell it on the black market,” he said.
However, the disclosure should compel Apple to re-evaluate its practice of using older versions of its source code in newer incarnations of iBoot, Carter said, noting that the company is probably now involved in an internal investigation to discover the source of the leak.