Cybersecurity

Leak of Stale iOS Source Code Could Trigger Fresh Problems

Apple lawyers on Wednesday sent a copyright violation notice to Github, following the publication of leaked iOS 9 source code on the site. Though iOS 9 is a dated version of the company’s mobile operating system, it’s possible that the leaked code could be used to jailbreak older devices or worse.

Publication of the code violated Apple’s rights under the Digital Millenium Copyright Act, the attorneys wrote, demanding that the iBoot source code be removed.

“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code,” Apple said in a statement provided to TechNewsWorld by spokesperson Fred Sainz. “There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the protections.”

Ninety-three percent of users have downloaded iOS 10 or later, and 65 percent have downloaded iOS 11, which includes the latest protections, according to the company.

Source code can be leaked in a number of ways, Apple acknowledged — voluntarily, accidentally or through malicious intent.

It contributes source code to the open source community, Apple pointed out.

Partial Release

While only a portion of the iOS 9 code was released on GitHub, the part that was made public is important to the overall security structure of the operating system, according to Ryan Spanier, director of research at Kudelski Security.

While the source code could have been leaked using malware on a developer machine, the more likely scenarios range from a mistaken leak, or a deliberate leak by an employee or a third-party who had access to the code, he told TechNewsWorld.

Protecting such large repositories of source code is difficult when many employees have access, Spanier said.

“No company is 100 percent secure, so it’s not surprising this happened even at a company like Apple,” he told TechNewsWorld.

“However, this is a big blow to iOS security as iBoot is critical to the secure boot process on the phone,” Spanier continued. “The code is for an older version of iBoot, but still could be used to help people jailbreak the system and find new ways to bypass controls or allow an attacker to develop an exploit against a vulnerability.”

Having access to the source code also makes it easier for researchers to find bugs, according to Brian Gorenc, director of vulnerability research at Trend Micro. That’s applies to this case in particular, since the leaked source code is said to contain documentation.

“If the documentation contains some crucial pieces — say file formats, interfaces or even Apple’s fuzzing methodology — the impact could be even greater,” he told TechNewsWorld. “An attacker can look at how Apple has documented their fuzzing process and look for bugs outside of that process, specifically so that the bugs they find will last longer.”

Since the code that was leaked handles loading the OS, the bugs can be used for anything from enabling jailbreaks to loading something prior to the OS, Gorenc noted.

That’s why Trend Micro spent US$225,000 for iPhone-related bugs at Mobile Pwn2Own last year, he said. [*Correction – Feb. 12, 2018]

Boot Vulnerable

Leaking even part of the source code can facilitate the search for vulnerabilities in the boot loader, which can lead to new ways to jailbreak the device, said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies.

It also could open up access to data on the device, she told TechNewsWorld.

Seventy percent of iOS devices are highly vulnerable to such exposure, recent research suggests.

*ECT News Network editor’s note – Feb. 12, 2018: Our original published version of this column incorrectly stated that Apple spent $225,000 for iPhone-related bugs at Mobile Pwn2Own. We regret the error.

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by David Jones
More in Cybersecurity

Technewsworld Channels