How bad is the iBoot source code leak for Apple security?
The iBoot source code on Apple devices was leaked to the public on GitHub. Expert Michael Cobb explains how it happened and what the implications are for iOS security.
The source code of Apple's iBoot firmware on iOS devices was leaked and exposed on GitHub. How big of a deal is leaked source code? What are the potential implications for iBoot firmware?
When a device running iOS starts up, the processor immediately executes code known as the boot ROM, which was laid down during chip fabrication and is implicitly trusted. This boot ROM contains Apple's root certificates, which are used to check the signature of each of the next stages before it is loaded: the Low-Level Bootloader, followed by iBoot.
According to Apple's iOS security guide, iBoot is responsible for verifying the integrity of the lowest levels of software in iOS, loading only software that was signed by Apple, and then launching the full operating system. Device bootloaders like iBoot are critical to keeping operating systems safe, so does public access to its source code threaten the security of iOS devices?
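The boot chain described above can be modelled in a few lines. This is an added example, not code from Apple or from the original article: a constructed toy RSA key stands in for the root key anchored in the boot ROM, every stage is checked against that single key, the stage name is bound into the signed digest, and all function names are hypothetical.

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes): illustration only, far too weak for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer

BOOT_ORDER = ["LLB", "iBoot", "kernel"]  # stages named in the text, in load order


def digest(name, payload):
    """Hash the stage name with its payload, reduced to fit the toy modulus."""
    h = hashlib.sha256(name.encode() + b"\0" + payload).digest()
    return int.from_bytes(h, "big") % N


def sign(name, payload):
    """Vendor side: textbook RSA signature over the stage digest."""
    return pow(digest(name, payload), D, N)


def verify(name, payload, signature):
    """Device side: needs only the public values (N, E) anchored in the boot ROM."""
    return pow(signature, E, N) == digest(name, payload)


def boot(images):
    """Walk the chain; return (stages_executed, stage_that_failed_or_None)."""
    executed = ["boot ROM"]  # implicitly trusted, never verified
    for name in BOOT_ORDER:
        payload, signature = images[name]
        if not verify(name, payload, signature):
            return executed, name  # halt: nothing after this stage runs
        executed.append(name)
    return executed, None


def build_signed_images():
    """Constructed sample images, each signed with the toy key."""
    payloads = {"LLB": b"llb-code", "iBoot": b"iboot-code", "kernel": b"kernel-code"}
    return {name: (data, sign(name, data)) for name, data in payloads.items()}


if __name__ == "__main__":
    good = build_signed_images()
    print(boot(good))
    tampered = dict(good)
    tampered["iBoot"] = (b"iboot-code-patched", good["iBoot"][1])  # old signature reused
    print(boot(tampered))
```

A modified iBoot image stops the chain before the kernel is reached, and because the stage name is part of the signed digest, a validly signed image placed in the wrong slot is rejected as well.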
The iBoot source code is written in the general-purpose C programming language. It was first posted on the Jailbreak subreddit last year but garnered little attention, as the poster was new and had little Reddit karma. However, when it appeared in a GitHub repository, it became big news.
Apple sent a Digital Millennium Copyright Act (DMCA) takedown notice to GitHub. While this ensured the code was removed, it also confirmed that the code was genuine, as the DMCA notice required Apple to verify that the code was its property.
Apple has made certain sections of code for iOS and macOS open source, but iBoot has remained proprietary. Even so, a lot of it has already been reverse-engineered, because bugs in the boot process reported to Apple through its bounty program can receive Apple's maximum payout of $200,000.
Theoretically, a vulnerability in the iBoot source code could allow unsigned code or code with a forged signature to be executed as iOS boots up, so the source code is certainly of interest to cybercriminals, security experts, and those looking to jailbreak or otherwise bypass Apple's security controls. Instructions for fuzzing the code with tools designed to discover weaknesses in code have already been posted online.
Vulnerabilities in previous versions of iBoot did allow hackers to brute force their way through the iPhone's lock screen and decrypt a user's data, but Apple has added additional security measures since then. The leaked code is three years old and written for iOS 9, though portions of it may still exist in iOS 11.
The majority of Apple devices are already running iOS 11, which includes Apple's latest security improvements, including updates for a chip called the Secure Enclave Processor, a hardware-based key manager that's isolated from the main processor to provide an extra layer of security.
Even though this leak offers an unfettered view of the internal workings of iBoot, it's still unlikely that any bug discovered would be exploitable because of the way Apple has layered the security of iOS devices. And although iBoot has provisions for interaction over the phone's USB tethering cable, it's unlikely any flaw would allow an attacker to bypass the boot chain and cryptographic security on the iOS device.
Apple iOS is widely viewed as the most trusted mobile operating system, so it's embarrassing for Apple that it failed to keep its proprietary iBoot source code secure. While this breach may not have serious implications for iOS users' security, it does show that software and hardware development teams can't rely on security through obscurity. There must be defense in depth, with multiple layers of hardware or software protections built into the design of any product. Also, access controls to proprietary data, such as source code, need to be robust and regularly audited to ensure only those who need access have it.