Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Source Code of iOS Security Component iBoot Posted on GitHub

What appears to be the source code of iBoot, a key component of Apple’s iOS platform responsible for trusted boot operation, was posted on GitHub yesterday.

What appears to be the source code of iBoot, a key component of Apple’s iOS platform responsible for trusted boot operation, was posted on GitHub yesterday.

The code was posted on the open-source portal by an individual going by the username of ZioShiba. The repository, labeled iBoot, has since been taken down, after Apple filed a copyright takedown request with GitHub.

The code in question is what loads the iOS, being the first piece of software that runs when an iOS device is turned on. It is responsible for checking the integrity of the platform and whether the kernel is properly signed.

This clearly makes iBoot a critical operating system component, and Apple is aware of that. As part of its bug bounty program, the tech giant is willing to pay as much as $200,000 for critical flaws in secure boot firmware components, the highest award.

Vulnerabilities in the secure boot firmware components can be used to jailbreak devices. Hackers could also abuse them to gain access to vulnerable devices.

In the DMCA Notice sent to GitHub, Apple appears to confirm the legitimacy of the leak.

“Reproduction of Apple’s “iBoot” source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software. The “iBoot” source code is proprietary and it includes Apple’s copyright notice. It is not open-source,” the notice reads.

Following the takedown, the repo is no longer accessible, but its contents were undoubtedly already downloaded by interested parties.

Advertisement. Scroll to continue reading.

This means that the iBoot source code likely continues to be available online for cybercriminals to abuse to find vulnerabilities they can exploit in attacks.

In fact, flaws in iOS have long already proved highly valuable, with some companies willing to pay millions of dollars for zero-day vulnerabilities in the mobile operating system. In fact, one team of hackers already earned $1 million for such a security bug.

Just like any other operating system out there, iOS isn’t infallible, and the new code leak clearly proves that, Rusty Carter, Vice President of Product Management for Arxan Technology, told SecurityWeek in an emailed comment.

“Apple iOS is widely viewed as the most trusted mobile operating system out there. But the leak of this source code is proof that no environment or OS is infallible, and application protection from within the application itself is crucial, especially for business-critical, data-sensitive applications. It’s only a matter of time before the release of this source code results in new and very stealthy ways to compromise applications running on iOS,” Carter said.

SecurityWeek emailed Apple for an official comment and additional details on this incident.

“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections,” an Apple spokesperson said.

Most of the iOS devices out there (93%) are already running newer platform releases, which diminishes any security impact of the leak. In fact, 65% of them run iOS 11, which includes Apple’s latest security improvements.

Apple is also running its own open source program, offering the platform to researchers interested in analyzing it.

*Updated with statement from Apple

Related: Google Researcher Releases iOS 11 Jailbreak Exploit

Related: PoC Released for Dangerous iOS Kernel Exploit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.