Apple issues DMCA takedown for iBoot code, says recent devices should be safe

Posted:
in iOS
The iOS 9 iBoot source code published this week is old and shouldn't pose a threat to people who keep their iPhones and iPads updated, Apple said on Thursday.




"Old source code from three years ago appears to have been leaked, but by design the security of our products doesn't depend on the secrecy of our source code," the company told AppleInsider. "There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections."

Users who keep their device up to date with the latest iOS versions should be well protected against potential vulnerabilities, and judging from Apple's own metrics a majority of users -- 93 percent -- are running iOS 10 or above.

Sill, the company has had the code removed from GitHub via a DMCA takedown notice, but not before it spread to other locations online.

iBoot is essential to loading iOS, for instance verifying kernel signing. Hackers could theoretically use source code to uncover vulnerabilities, though it's not clear how much of iOS 9's code has carried over to iOS 11, and other security measures are in place -- such as the hardware-based Secure Enclave, which stores critical Face ID and Touch ID data.

Apple offers a $200,000 bounty to security researchers who discover holes in iBoot, given the potential damage a successful hack could cause. Even without malicious intent hackers could produce new jailbreaks -- something Apple is keen to prevent both for security and to keep people paying at the App Store.

Comments

  • Reply 1 of 13
    dewmedewme Posts: 5,332member
    Yup, we all clearly understand the defense in depth strategy that nullifies this leak. Unfortunately the non tech savvy news outlets that drool over anything anti-Apple are already presenting this as an Armageddon level security breach involving Apple's most critical products. It's too bad there is no reliable digital chain of custody so the authorities can determine who the lowlife scumbag is who originated the leak. 
    mike1lolliverTomEmagman1979jony0
  • Reply 2 of 13
    MplsPMplsP Posts: 3,911member
    But wait - isn’t Android open source? If that’s a concern for you then an iPhone is still a better option. (Or a windows phone, since no one even cares about the source code of those!)
    lolliverbaconstangwillcropointnetmagejony0argonaut
  • Reply 3 of 13
    Whistleblowers are to be lauded which ever sector they work in: National Security, Commerce, governmental administartions. From what I've gleaned this release of iBoot is of no threat to current iOS devices running the latest software. Should this leaked sourcecode lead to the discovery of other security risks you'll all be glad it was outed and squashed. "Every cloud..."
  • Reply 4 of 13
    SoliSoli Posts: 10,035member
    I don't see why Apple would do this. I thought they learned their lesson about calling attention to themselves this way, especially knowing that you can't stop the distribution once it's hit the internet.
  • Reply 5 of 13
    Rayz2016Rayz2016 Posts: 6,957member
    Soli said:
    I don't see why Apple would do this. I thought they learned their lesson about calling attention to themselves this way, especially knowing that you can't stop the distribution once it's hit the internet.
    In what way have they called attention to themselves?  They didn’t leak the source code, someone else did. 

  • Reply 6 of 13
    SoliSoli Posts: 10,035member
    Rayz2016 said:
    Soli said:
    I don't see why Apple would do this. I thought they learned their lesson about calling attention to themselves this way, especially knowing that you can't stop the distribution once it's hit the internet.
    In what way have they called attention to themselves?  They didn’t leak the source code, someone else did. 
    What do you think I'm referring to when I wrote "I don't see why Apple would do this"? Did you think I'm suggesting Apple leaked their own source code?
    gatorguynetmage
  • Reply 7 of 13
    Soli said:
    I don't see why Apple would do this. I thought they learned their lesson about calling attention to themselves this way, especially knowing that you can't stop the distribution once it's hit the internet.


    Sure, there's no way to stop it from being distributed. But I think it's just about sending a message. The horse may have fled the stable, but closing the stable door clearly indicates that what happened was illegal and should not happen again.

    As a developer myself, I am curious to take a look at the code.

    netmage
  • Reply 8 of 13
    SoliSoli Posts: 10,035member
    Soli said:
    I don't see why Apple would do this. I thought they learned their lesson about calling attention to themselves this way, especially knowing that you can't stop the distribution once it's hit the internet.


    Sure, there's no way to stop it from being distributed. But I think it's just about sending a message. The horse may have fled the stable, but closing the stable door clearly indicates that what happened was illegal and should not happen again.

    As a developer myself, I am curious to take a look at the code.

    But telling people not to look at the horses that are already loose isn't closing the door. They need to deal with that internally, just like they need to keep people from being able to create hidden links from within the company that will allow for any internal data to be copied out, like we saw last year with the iPhone X and iOS 11 leaks.
    edited February 2018
  • Reply 9 of 13
    chasmchasm Posts: 3,273member
    Soli said:
    But telling people not to look at the horses that are already loose isn't closing the door. They need to deal with that internally, just like they need to keep people from being able to create hidden links from within the company that will allow for any internal data to be copied out, like we saw last year with the iPhone X and iOS 11 leaks.
    So ... you’re saying Apple should just let Github leave it there? That’s ... what’s the word ... stupid.
    jony0
  • Reply 10 of 13
    SoliSoli Posts: 10,035member
    chasm said:
    Soli said:
    But telling people not to look at the horses that are already loose isn't closing the door. They need to deal with that internally, just like they need to keep people from being able to create hidden links from within the company that will allow for any internal data to be copied out, like we saw last year with the iPhone X and iOS 11 leaks.
    So ... you’re saying Apple should just let Github leave it there? That’s ... what’s the word ... stupid.  

    As opposed to claiming it's not a big deal and then issuing the loudest takedown notice possible just to call attention to something that 1) wouldn't have tripped most people's radars until Apple made a big deal of it, and 2) without actually doing a damn thing to stop the code from getting into the hands of those that want it. That's… what's the word… stupid. It's not a fucking trademark so you don't need to make empty gestures.
    edited February 2018 netmage
  • Reply 11 of 13
    I think what Apple needed to address was devices currently stuck in iOS9, I think it goes without saying that anyone on iOS 10 capable devices are safe. 

    As of January 5th, 18% of active iOS devices were still running iOS 9, that's a helluva lot of iPhones and iPads around the world that owners will now be worrying about. And before anyone suggests it, telling people to "just buy a newer device" is not a good PR move (but then, they've not been the best in that respect recently).
  • Reply 12 of 13
    airnerdairnerd Posts: 693member
    adm1 said:
    I think what Apple needed to address was devices currently stuck in iOS9, I think it goes without saying that anyone on iOS 10 capable devices are safe. 

    As of January 5th, 18% of active iOS devices were still running iOS 9, that's a helluva lot of iPhones and iPads around the world that owners will now be worrying about. And before anyone suggests it, telling people to "just buy a newer device" is not a good PR move (but then, they've not been the best in that respect recently).
    THIS!  This is my thought as well. There was just an article this week about older devices which can't be upgraded to newer iOS's. 

    The tinfoil-hat-wearer in me wonders if there wasn't coordination in this "leak" to justify a push for older Apple devices to be encouraged to upgrade.  

    The rational-hat-wearer in me doesn't really believe Apple would, or needs, to stoop to that level.  However, I do think some information directly from Apple about the ramifications of this leak for those running older hardware would be a good idea.  Something with a tone of "not much to worry about, here is what you could expect at worst", otherwise imaginations are going to run wild and Southpark did a great mini-series about the dangers of our imaginations.  
    [Deleted User]
  • Reply 13 of 13
    airnerd said:
    The rational-hat-wearer in me doesn't really believe Apple would, or needs, to stoop to that level.  However, I do think some information directly from Apple about the ramifications of this leak for those running older hardware would be a good idea.  Something with a tone of "not much to worry about, here is what you could expect at worst", otherwise imaginations are going to run wild and Southpark did a great mini-series about the dangers of our imaginations.  
    American's don't have imaginations, they have unimaginative syndromes. The effects of which ensure the employment of vapid psychoanalysts who divest them of dollars while guiding them through their collective paranoia.
Sign In or Register to comment.