- An anonymous source posted the private code of iBoot, the software that allows iOS to run on iPhones and iPads, on GitHub.
- The code could allow people to exploit the security of iOS devices.
- Apple has confirmed that the leaked code is genuine.
The code that allows iOS devices to boot up – and that Apple makes sure to keep private – has leaked online.
A report from Motherboard said the code, aptly named iBoot, could be retrieved on GitHub, a hosting service for software developers to publish and share code.
Apple later requested GitHub take down the code – and in doing so confirmed the leaked code is real.
The code seems to belong to an older version of iOS (presumably iOS 9, released in 2015) but parts of it might be used in iOS 11, the latest version.
iBoot essentially turns on iPhones and other iOS devices. It’s the very first thing activated when someone pushes the sleep/wake button. It loads, verifies that the kernel – the heart of the operating system’s code – is signed by Apple, then executes the code and takes you to the lock screen.
Jonathan Levin, the chief technology officer of the software security firm Technologeeks who has written several books on the subject, told Motherboard that “this is the biggest leak in history” and said it appeared that the code – whose source is unknown – was legit.
“It’s a huge deal,” Levin said.
Levin later said in a tweet that he didn’t say the leak was the biggest in history.
Apple did not respond to Business Insider’s request for comment.
Access to iBoot’s code could allow researchers to more easily find vulnerabilities in the systems. But it might also open the door to hackers wanting to exploit the hole.
Hackers could find bugs that let them crack or decrypt an iPhone – despite extra security steps built into each new iOS device – or even emulate the operating system on non-Apple products.
Levin told Motherboard that the code was most likely circulating widely in the underground iOS jailbreaking community.
“iBoot is the one component Apple has been holding on to, still encrypting its 64-bit image,” Levin said. “And now it’s wide open in source code form.”