Earlier this week someone anonymously published a key piece of Apple’s iOS source code onto GitHub.
Which bit of iOS was it?
It was an integral part of iOS known as “iBoot” – the section of code which controls the security of your iPhone or iPad as it starts up.
So it’s an important part of iOS?
Very important and highly sensitive. The secure boot firmware ensures that iOS will only run apps digitally signed by Apple, and checks that the operating system has not been tampered with by a hacker.
Does that make this leak interesting to hackers?
Yes, and to other parties (I’m looking at you principally, law enforcement agencies) who might be interested in finding vulnerabilities that could be exploited to help them compromise and unlock iOS devices.
So finding a vulnerability in iOS’s boot-up code could be pretty valuable?
Put it this way. Apple’s bug bounty program is prepared to pay you up to $200,000 for vulnerabilities you uncover in its secure boot firmware components. Chances are that there are others out there (intelligence agencies, for instance) who may be prepared to pay you even more.
Would Apple want code like that leaked to the public?
Definitely not. Apple is famous for its secrecy, and its desire to control information. Don’t believe me? If you’ve got a good memory you may recall the lengths it has gone to in its attempts to retrieve prototype iPhones when they have fallen into the laps of the media.
But more importantly than that – Apple knows that having access to this critical source code could provide a head-start for attackers looking for ways to exploit the operating system.
Give me some good news
As Motherboard describes, the leaked code appears to be for iOS version 9, which was released in September 2015.
Phew! I’m running iOS 11
Good for you! Unfortunately, there’s a high chance that portions of the leaked code have remained the same in iOS 11. Furthermore, there are believed to be tens of millions of older iPhones and iPads in circulation that are still running iOS 9 as they are unable to be updated.
I think I still have an old iPad that only runs iOS 9. What should I do with it?
Sadly, from the security point of view, it’s coming to the end of its natural life. If you have devices running iOS 9 then you probably need to start thinking about moving to something else – at least for anything critical such as email or online banking – as they are no longer receiving security updates.
Also, always take care about the links which you click on – as you could be taken to a booby-trapped webpage designed to exploit a security hole that isn’t patched on your iOS 9 device.
So, I need more good news.
The code is no longer available on GitHub. Apple acted promptly after the first revelation that the sensitive source code had leaked and issued a DMCA legal notice demanding it be taken down.
However, anyone who was keen to get their hands on the code is now certain to have it in their possession.
Take care out there.
This is a Security Bloggers Network syndicated blog post authored by Graham Cluley. Read the original post at: HOTforSecurity