Apple is in the middle of a serious security scare after the source code for iBoot was anonymously posted on GitHub.

The development is extremely serious, as iBoot is a critical component of the iPad and iPhone’s operating system. Hackers and security researchers could use it to find vulnerabilities in the iOS operating system or make jailbreaking iOS devices easier.

It has led Apple to quickly file a copyright takedown request with GitHub in an effort to force the company to remove the code.

Source Code

The discovery of the iBoot source code on GitHub was first noticed by security website Motherboard.

It said that the iBoot source code is the part of iOS that is responsible for ensuring a trusted boot of the operating system. In summary, it is the program that loads iOS, and is the first program that runs when an iOS device is booted up.

It loads the kernel, verifies that it is properly signed by Apple, and then executes it. Essentially, it is like the BIOS code found in PCs.

According to Motherboard, the iBoot source code says it is for iOS 9, but portions of it are highly likely to be still in use in iOS 11.

It is reported that Apple has in the past been reluctant to release source code to the public, although it has made certain parts of iOS and MacOS open source in recent years. That said, iBoot is highly sensitive code, and Apple apparently pays up to $200,000 under its bug bounty program to anyone who discovers bugs in the boot up procedure.

“This is the biggest leak in history,” Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told Motherboard in an online chat. “It’s a huge deal.”

Levin said the code appears to be the real iBoot code because it aligns with code he reverse engineered himself. A second security researcher also said they believe the code is real.

Legal Takedown

It is not known who has leaked the source code, but there is sure to be an investigation at Apple HQ.

And in a sign of how serious the matter is, within hours of the leak being discovered, Apple filed a legal notice demanding that GitHub remove the source code.

“The ‘iBoot’ source code is proprietary and it includes Apple’s copyright notice. It is not open-source,” said the legal document.

At the time of writing on late Friday morning, it seems that GitHub has taken down the offending web pages.

Security Issues

Apple until recently has enjoyed a fairly decent security reputation. That said, the firm’s reputation has been hit after a number of vulnerabilities have been disclosed recently.

In late November, for example, a root flaw came to light that meant anyone running an Apple Mac with version 10.13 and 10.13.1 of its latest operating system (i.e. High Sierra) could be exposed to a serious flaw with admin privileges.

Essentially, the flaw could have allowed admin access to Apple Macs by using the username ‘root’ and no password, which bypasses (in some cases remotely) local security settings.

Apple compounded the problem when it rushed out a patch within 18 hours of the flaw being reported. But it was found that the fix did not actually fix the problem, as the bug returns if Mac owners upgrade to the latest version of High Sierra after they have applied the patch.

And last October a flaw was discovered that could have allowed anyone to gain access to encrypted hard disk volumes on Mac OS. That issue meant that when a user requested a password hint for certain encrypted volumes the operating system instead displayed the entire password.


Tom Jowitt
