The confidential source code to Apple's iBoot firmware on iOS devices was leaked on GitHub.
Motherboard's Lorenzo Franceschi-Bicchierai reported on Wednesday that someone posted the iBoot source code on a GitHub repository. The code had been posted by a new user on Reddit last year, but very few people took notice of it until the code was uploaded this week to GitHub, where anyone could find it.
Apple's iBoot source code is the program that loads iOS when the device turns on. It verifies the kernel is signed by Apple and then executes it. According to Motherboard, the code that was posted said it's for iOS 9, though it's likely aspects of it are still used in the current version, iOS 11.
Apple quickly responded to the release of the code with a Digital Millennium Copyright Act (DMCA) takedown notice, which required the source code to be removed from GitHub. In doing so, Apple further confirmed -- under the penalty of perjury -- the legitimacy of the source code.
However, copies of iBoot source code were made before GitHub took it down after the DMCA, so the code is still available for those who know where to look.
Fun thing about the DMCA: it required Apple to state, under penalty of perjury, that the iBoot source code was legit: https://t.co/PKHZqcEe6h— Karl (@supersat) February 8, 2018
Apple later issued a statement confirming the iBoot source code leak, but the company said the code was 3 years old and added that, "by design, the security of our products doesn't depend on the secrecy of our source code." However, Apple did not explain how the source code ended up being exposed to the public.
Device bootloaders like iBoot are critical to keeping operating systems safe, and Apple has been particularly protective of its iBoot source code. The largest bounty the company offers in its bug bounty program goes to vulnerabilities found in iBoot. While the availability of the source code will enable security researchers to find and report bugs, it will also enable hackers to exploit any weaknesses in the iBoot code.
Access to the iBoot source code means Apple devices are likely vulnerable to jailbreaking again, which relies on imperfections in the operating system. These attacks affected devices running iOS a few years ago, but the operating system has since been updated with security features that can prevent them.
In other news:
- The United States Consumer Financial Protection Bureau (CFPB) has reportedly pulled back from investigating the massive Equifax data breach that came to light in September. The CFPB is run by Mick Mulvaney, who was appointed by President Donald Trump in November and took over for Richard Cordray. Cordray authorized the CFPB's investigation into the data breach the same month it became public. Equifax said in September that hackers stole the personal data of over 145 million Americans stored within the credit rating agency. Mulvaney has since stopped taking new steps in the investigation into the credit bureau, according to reports. Many people have spoken out against the move, including Sen. Elizabeth Warren (D-Mass.). Warren released a report on the data breach and condemned Equifax's handling of the breach and the subsequent investigation.
- A security researcher has ported three National Security Agency exploits to work on all versions of Microsoft Windows since Windows 2000. The exploits, EternalChampion, EternalRomance and EternalSynergy, were leaked in April 2017 by the group known as the Shadow Brokers; these Windows exploits were leaked along with EternalBlue, which was later used in the WannaCry, NotPetya and Bad Rabbit ransomware attacks. The other exploits were less popular than EternalBlue, because they didn't work on as many Windows systems. Now, security researcher Sean Dillion has modified three exploits to work on every version of Windows created in the last 18 years -- 32- and 64-bit alike. Dillion merged the exploits with the Metasploit Framework, which is an open source program for designed for penetration testing. EternalChampion uses a race condition with transaction request vulnerability; EternalRomance uses a type confusion vulnerability between WriteAndX and Transaction requests; and EnternalSynergy takes advantage of both of those vulnerabilities.
- The security researcher who demonstrated last year that 509 certificate exchanges could carry malicious traffic published his proof-of-concept code. The security researcher, Jason Reaves from Fidelis Cybersecurity, found that X.509 extensions can be used for covert channel data transfer. In his report, Reaves "describes a system that could be used to send or receive data from both a client and a server perspective utilizing research into X.509 certificates specifically in areas where you can place arbitrary binary data into the certificate or utilizing them as a covert channel." In a blog post, Fidelis explained the certificate exchange happens before the TLS session is established, so "there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself." This means if an organization's systems were taken over by attackers, they could exfiltrate sensitive data over the X.509 path without being detected.