Computer code for Apple’s iOS mobile operating system has been leaked onto the internet, giving hackers a Rosetta Stone with which to infiltrate and control Apple devices across the world.
The source code in question, called iBoot, was posted to GitHub – an online tool where users can anonymously share and manage computer code with others – where it is freely available for download.
Because iBoot is the very backbone of iOS devices, anyone with the knowledge and skills could dissect this code and develop a way to compromise certain iOS devices, gaining access to personal and financial data in the process.
What is boot code?
The leak is potentially ‘the biggest leak in history’: Apple has closely guarded the computer code that forms the bedrock of any iOS device.
“The easiest way to understand it, is it (iBoot) loads the actual operating system, which then runs the phone,” said Sebastian Zander, a lecturer in Cyber Forensics and Information Security at Murdoch University.
“[This leak] means everyone can look at the code and see how the boot loader authenticates the operating system, for security purposes – you can see how the whole process works, you can see any flaws and anything you could potentially exploit,” Dr Zander said.
Imagine that you have all your life savings, family photos, your address book with all your friends and family’s details all locked up at your local bank. Only you can access your money and possessions; not even the bank can walk into the room and count your money.
Then one day the blueprints to the bank are posted on Facebook, with every security measure, every air duct, every room and its complete dimensions, even the details about how thick the walls are; all there for anyone to see. Would you be worried? Would you think your possessions are still safe?
The malicious potential
Boot (start) code is a gatekeeper that carries out security checks and ensures only safe software is loaded onto the device. If that gatekeeper can be bypassed, compromised software could be installed on the device without the user ever knowing.
“If there’s an ‘exploit’ coupled with the way the iPhone updates, it’s possible to deploy operating systems on this device without the user being aware,” said Dr Zander.
A device compromised in such a way could look and feel like it is running correctly, but below the surface all manner of malware could be collecting personal data – such as usernames and passwords and even financial details.
“It’s possible some of the good guys will find an exploit first and Apple will patch it first,” said Dr Zander.
“Otherwise, it’s quite likely the bad guys will find something. How easy is it to use these exploits? We don’t know.”
Don’t panic just yet
The version of iBoot posted appears to be from iOS 9, which means it may not have a huge impact on the current version of Apple’s mobile operating system, iOS 11.
However, considering there are still devices at large using iOS 9 – such as iPhone 4S, iPad (3rd gen), iPad Mini and iPod Touch (5th gen) – plus the possibility that portions of code from iOS 9 are still in use in the current operating system, there is a real possibility this leak will have wide-ranging security implications.
“What is a bit concerning is that the code has leaked in the first place,” said Dr Zander.
“Who knows? The person who leaked it may have other pieces of code. This may not be the end.”
It is unknown at this point whether the iBoot code that appeared on GitHub is indeed authentic. Apple has already issued a DMCA takedown notice to remove the code from GitHub, and until the company or recognised security researchers deny the authenticity of the code, we should assume it is legitimate.