Apple issues DMCA takedown for iBoot code, says recent devices should be safe
The iOS 9 iBoot source code published this week is old and shouldn't pose a threat to people who keep their iPhones and iPads updated, Apple said on Thursday.

"Old source code from three years ago appears to have been leaked, but by design the security of our products doesn't depend on the secrecy of our source code," the company told AppleInsider. "There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections."
Users who keep their device up to date with the latest iOS versions should be well protected against potential vulnerabilities, and judging from Apple's own metrics a majority of users -- 93 percent -- are running iOS 10 or above.
Still, the company has had the code removed from GitHub via a DMCA takedown notice, but not before it spread to other locations online.
iBoot is essential to loading iOS, for instance verifying kernel signing. Hackers could theoretically use source code to uncover vulnerabilities, though it's not clear how much of iOS 9's code has carried over to iOS 11, and other security measures are in place -- such as the hardware-based Secure Enclave, which stores critical Face ID and Touch ID data.
Apple offers a $200,000 bounty to security researchers who discover holes in iBoot, given the potential damage a successful hack could cause. Even without malicious intent hackers could produce new jailbreaks -- something Apple is keen to prevent both for security and to keep people paying at the App Store.
Comments
Sure, there's no way to stop it from being distributed. But I think it's just about sending a message. The horse may have fled the stable, but closing the stable door clearly indicates that what happened was illegal and should not happen again.
As a developer myself, I am curious to take a look at the code.
As of January 5th, 18% of active iOS devices were still running iOS 9, that's a helluva lot of iPhones and iPads around the world that owners will now be worrying about. And before anyone suggests it, telling people to "just buy a newer device" is not a good PR move (but then, they've not been the best in that respect recently).
The tinfoil-hat-wearer in me wonders if there wasn't coordination in this "leak" to justify a push for older Apple devices to be encouraged to upgrade.
The rational-hat-wearer in me doesn't really believe Apple would, or needs to, stoop to that level. However, I do think some information directly from Apple about the ramifications of this leak for those running older hardware would be a good idea. Something with a tone of "not much to worry about, here is what you could expect at worst", otherwise imaginations are going to run wild and South Park did a great mini-series about the dangers of our imaginations.