[Infowarrior] - Apple Facing Security Nightmare as iOS 9 Source Code Leaks

[Richard Forno]

(it's already off github but you can expect to find it elsewhere.  --rick)

Apple Facing Security Nightmare as iOS 9 Source Code Leaks

The iBoot source code, which handles loading and verifying iOS, was uploaded to GitHub for all to see.

By Matthew Humphries
February 8, 2018 6:30AM EST

https://www.pcmag.com/news/359090/apple-facing-security-nightmare-as-ios-9-source-code-leaks
 
Apple is today facing up to a potential security nightmare due to source code from iOS 9 being uploaded to GitHub. The identity of the person who leaked the code is currently unknown.

iOS 9 is old you may think, as we're now up to iOS 11, but that doesn't mean parts of the code from iOS 9 aren't still in use. As Motherboard explains, the situation is made worse for Apple because the source code that did leak is for iBoot.

Apple uses iBoot to handle booting iOS when you first turn on your iPhone. It is the first process to run and it verifies iOS has been properly signed by Apple. In other words, it's the first security check performed by Apple, meaning the code will be of great interest to hackers who would like to jailbreak newer versions of the mobile operating system.

Jonathan Levin, author of a trilogy of books on macOS and iOS internals, describes the source code leak as "the biggest leak in history" and "a huge deal." He has checked the code and believes it is the real iBoot code iOS 9 uses. It's also worth noting that Apple's bug bounty program pays out the most money ($200,000) for vulnerabilities discovered in the boot process. According to Levin, this leak means tethered jailbreaks could soon re-appear for iOS.

Apple will by now be well aware of the leak and the software team who handle iBoot development will be reviewing what exactly leaked, what if anything it could reveal in terms of security vulnerabilities, and how to best mitigate any future hacks with an update to iOS 11.

Apple needs to react quickly because this source code leak isn't exactly new. It was first posted last year on Reddit, but mostly went unnoticed. Now the code is available on GitHub many more will take notice of it, but some hackers/researchers may have been reviewing it for months already.