Friday, February 9, 2018 [Tweets] [Favorites]

iOS 9 Source Code Leak

Lorenzo Franceschi-Bicchierai (Hacker News, MacRumors):

The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. In other words, it’s the program that loads iOS, the very first process that runs when you turn on your iPhone. It loads and verifies the kernel is properly signed by Apple and then executes it—it’s like the iPhone’s BIOS.

The code says it’s for iOS 9, an older version of the operating system, but portions of it are likely to still be used in iOS 11.

[…]

“This is the biggest leak in history,” Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told me in an online chat, referring to Apple’s history. “It’s a huge deal.”

Via Jake Williams:

Remember that debate about the FBI adding backdoors to the iPhone and “don’t worry, it will stay secret?” None of us believed that, ever. But now I’d say we have evidence that even Apple can’t keep backdoor code a secret…

Sean Gallagher:

The DMCA notice required Apple to verify that the code was their property—consequently confirming that the code was genuine. While GitHub removed the code, it was up for several hours and is now circulating elsewhere on the Internet.

Steve Troughton-Smith:

The scary part about the iBoot source code leak isn’t that iBoot code leaked, it’s that somebody (from Apple) passed around Apple source code. And if this happens in public, what would you imagine is being sent in private to the most malicious of bad actors or hostile powers?

Sean:

I happen to have a copy of the System 7 source code that I acquired so long ago that I can’t even remember where it came from. So Apple employees passing around source code is nothing new.

Previously: FBI Asks Apple for Secure Golden Key.

Update (2018-02-09): Lorenzo Franceschi-Bicchierai:

A low-level Apple employee with friends in the jailbreaking community took code from Apple while working at the company’s Cupertino headquarters in 2016, according to two people who originally received the code from the employee. Motherboard has corroborated these accounts with text messages and screenshots from the time of the original leak and has also spoken to a third source familiar with the story.

Motherboard has granted these sources anonymity given the likelihood of Apple going after them for obtaining and distributing proprietary, copyrighted software. The original Apple employee did not respond to our request for comment and said through his friend that he did not currently want to talk about it because he signed a non-disclosure agreement with Apple.

According to these sources, the person who stole the code didn’t have an axe to grind with Apple. Instead, while working at Apple, they were encouraged to use their access to help their friends in the jailbreaking community with their security research by leaking them internal Apple code. And they did.

Update (2018-02-13): See also: MacRumors.

7 Comments

> Instead, while working at Apple, they were encouraged to use their access to help their friends
> in the jailbreaking community with their security research by leaking them internal Apple code.
> And they did.

What the F.

I'm not surprised that source code leaks. Developers need to have the code on their computers in order to work on it. As soon as it's on your computer, you basically own it, and there's nothing Apple can do. But the fact that they ostensibly had a policy (albeit possibly an informal one) of intentionally leaking source code to encourage external security research is just insanely unprofessional.

"But the fact that they ostensibly had a policy (albeit possibly an informal one) of intentionally leaking source code to encourage external security research is just insanely unprofessional."

This isn't about a "policy". This is about someone unprofessionally giving in to peer pressure like a kid on the playground.

And if you think the friends in the jailbreaking community wanted to do "security research", I have a bridge to sell you.

Oh, they were encouraged *by people in the Jailbreak community*. I misread that as them being encouraged by somebody inside Apple. Yeah, that makes much more sense.

>And if you think the friends in the jailbreaking community wanted to do "security research", I have a bridge to sell you.

Meh, I don't think it matters what they "wanted" to do, security research is literally what they actually do.

The article has apparently been reworded to make this clear:

"According to these sources, the person who stole the code didn’t have an axe to grind with Apple. Instead, while working at Apple, friends of the employee encouraged the worker to leak internal Apple code. Those friends were in the jailbreaking community and wanted the source code for their security research."

Note at the bottom of the article:

"One line in this post has been changed for clarity because the original phrasing was ambiguous. Apple did not encourage the employee to leak source code; the employee's friends did."

I read it wrong at first too. The gender-neutral-singular "they" confused it up a lot. I thought "they" was Apple.

[…] iOS 9 Source Code Leak, FBI Asks Apple for Secure Golden […]

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment