With the iPhone’s closed source code being leaked on the internet by a low-level Apple employee, at the request of a couple of his close friends in the jailbreak community, the internet is abuzz with comments calling this the “biggest leak in the history of iPhone.”
Apple has responded saying that the leak of its iBoot code from IOS 9—basically the very first program that runs when you fire up the iPhone, ensuring a trusted, secure bootup—does not compromise user security. This iBoot code is indeed old, with Apple now running IOS 11, but the potential threats for iPhone users are actually very real.
While the three-year-old code will differ from that of IOS 11, there is sure to be some overlap. Experts say this will allow hackers an opportunity to find new bugs and vulnerabilities to exploit. The moment the code went viral on GitHub last week (it was originally posted to Reddit a few months earlier but a moderator removed it), hackers and IOS researchers will be clamoring to discover any flaws that could lead to the cracking or decrypting of iPhones.
Traditionally, Apple has been especially wary of releasing code to the public, but in the case of its iBoot code, keeping that safe and secure has been of utmost importance. In fact, without the code, it is so tough for researchers to look for vulnerabilities that Apple set up a bounty of up to $200,000 per piece of information.
According to Motherboard, who anonymously spoke to one of the Apple employee’s friends, the code was never intended to find its way onto the web. Originally, it was just five of them who had access and they used it to help their security research in the jailbreak community. Inevitably, though, the code did get into the wrong hands and it was posted online for bragging rights. The source said the Apple employee never had an ax to grind with the company and that the group is devastated it went so far: “The original intentions were not malicious,” he said.
The code will now be doing the rounds in the hacking community. With well over 1 billion iPhones having been sold to date, it puts into perspective quite how large a potential security breach this could be (the giant Equifax breach last year affected 145 million, by comparison).
That’s not to say 1 billion people will be affected, of course. Nor that hackers will indeed discover any flaws that will allow them to access the iPhone’s data. And Apple is now fully aware of the leaked data and therefore will be on full alert. But, the possibility remains.
If a vulnerability was found, this wouldn’t be the first time iBoot was hacked. Previous versions allowed jailbreakers and hackers to ‘brute-force’ their way through an iPhone’s lock screen and decrypt the data. But this was a long time ago, and Apple now uses a chip called Secure Enclave Processor that has made the iPhone’s security considerable safer.
The fact that a low-level employee decided to share the code with his friends is one of the primary reasons data breaches exist — human error, or in this case, a lack of judgment. 2017 was the worst year in history for data breaches, with 8 of the top 20 biggest attacks of all time occurring within the past 12-months. In total, 8 billion user records were exposed—5.4 billion of which was due to human screw-ups. These errors revolved around faulty backups, misconfigurations, and other errors—including emailing confidential code to friends.
With so much of our sensitive data being stored by large conglomerates housing tens of thousands of employees, it is remarkably easy for leaks to happen. What can we do about it? Well, there’s an argument to be made about companies providing better training to all employees and educating them on the risks of sharing private company information, but corporations like Apple do that already and, in truth, it clearly didn’t stop the employee who leaked the iBoot code. Having now seen what happened, however, he might think twice about doing the same thing again in the future.
To better protect your mobile device from hackers, download and run the Hotspot Shield app to encrypt your data and shield it from prying eyes. And follow all online security and privacy best practices to ensure you and your family remain safe. While you can’t control other people’s stupidity, you can take online security into your own hands.