The proprietary source code to Apple’s iBoot firmware in iPhones, iPads and other iOS devices has leaked into a public GitHub repo.
Apple had noted earlier that the iBoot source code leak was genuine but also mentioned that the source code was created around three years back for iOS 9 and wasn’t officially released to public domain. Therefore, there was nothing to worry about because the source code is out-dated.
Furthermore, Apple stated that its products’ security never relies upon the confidentiality of the source code but now that the baseband source code has been released online, Apple couldn’t come up with an instant response.
Apple sent a DMCA legal notice to GitHub for taking down the baseband source code and to remove it altogether.
Lawyers acting on behalf of Apple on Thursday described the leak as a “reproduction of Apple’s iBoot source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software.”
The takedown request said that “the iBoot source code is proprietary and it includes Apple’s copyright notice. It is not open source.”
GitHub was quick to respond and took down the code almost immediately. However, the act of sending notice to GitHub has further reinforced the fact that the leaked code is indeed genuine.
Apple in a statement said,
“Old source code from three years ago appears to have been leaked,”
But by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections.”
It is worth noting that the source code was present on GitHub and the code happened to be that of a core component of iPhone OS. Due to its unceremonious leaking online, hackers and security researchers would easily identify flaws in iOS software as well as carry out jailbreaks without much difficulty. That’s because the iBoot code is part of iOS and its responsibility is to verify that the OS is being booted appropriately.
It is the iBoot program that loads the iOS and turns on the iPhone. It is also responsible for verifying that kernel is signed by Apple before executing it. Apple is claiming that the software is out-dated but experts noted that some of its portions are still being used, for instance, it is present in iOS 11.
Thanks to the use of the Secure Enclave Processor chip in modern iPhones, jailbreaking iOS and accessing a phone’s data has been made into an unattractive challenge by Apple.
But leaks of this kind potentially open up the scope for iPhone hacking and no doubt a degree of furore will be churning away in communities that love nothing more than getting stuck into a piece of private code.