Apple has confirmed that it was aware of a source code leak that could have compromised the iPhone’s security system and has asked web-based hosting service GitHub to remove the code.
An Apple employee told technology website Motherboard that the company knew of the leak before it was posted on GitHub, but the employee did not say when. Apple has also dismissed the security threat to iPhones.
The leak of the iBoot source code is not a security risk for most users, Apple said, but it is an embarrassment for a company that prides itself on secrecy and aggressively goes after leaks. “Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code.
“There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections,” the company was quoted as saying. On Wednesday, an unidentified person with the username “ZioShiba” published the source code on GitHub.
The iBoot code was for iOS 9 and was two years old but it could help iOS security researchers and the jailbreak community find new bugs and vulnerabilities in a key part of the iPhone’s locked-down ecosystem.
When Motherboard probed the source of the post, it found that the leak happened when a low-level Apple employee passed on some of the iPhone’s sensitive iBoot source code — the part of iOS responsible for ensuring a trusted boot of the operating system — to a group of friends who were associated with a jailbreak community. Jailbreaking is privilege escalation for the purpose of removing software restrictions imposed by Apple on iOS.
That low-level employee took the code from Apple while working at the company’s Cupertino headquarters in 2016, two people who originally received the code from the employee told Motherboard. The five friends of that employee encouraged the worker to leak internal Apple code as they wanted it for their security research.
“He pulled everything, all sorts of Apple internal tools and whatnot,” a friend of the intern was quoted as saying. According to the people, they never wanted the code to leave the group, but eventually it was shared widely and the original group lost control of its dissemination.
“We personally never wanted that code to see the light of day. Not out of greed but because of fear of the legal firestorm that would ensue,” they said. “It can be weaponized. There’s something to be said for the freedom of information, many view this leak to be good. [But] information isn’t free when it inherently violates personal security,” the group said.
“We did our best to try to make sure that it got leaked [only after the code] got old,” they added. A year later, some of the original group members who had the code delivered to them posted screenshots of the leak and boasted about them. The screenshots were later shared on Reddit, but the post was automatically removed by a moderator bot, and on Wednesday a copy of the original leak was reposted on GitHub.
It went viral — first inside the jailbreak community and then within the larger iOS security research community. Within hours, people on Twitter were talking about it. “None of this was ever supposed to leave a handful of people, what’s happened is quite disastrous,” one of the people who originally received the code said, adding that the original intentions were non-malicious.