Apple has shot down the significance of an apparent source code leak for the iPhone’s iBoot bootloader which loads the operating system. The original report flagged the source code leak as the ‘biggest leak in history’ based on one researcher’s description, but Apple has significantly downplayed any risks associated with the leak while seemingly confirming its authenticity.
Motherboard reported the leak last night after what appeared to be source code for iBoot was posted publicly online. Apple issued a takedown notice on the posted code overnight which likely confirms the code was indeed leaked, although it was accessible for hours before being taken down.
Now Apple has officially responded to the potential security risk with a statement shared by CNET:
Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections,” Apple said in a statement.
As we speculated last night, the source code being years old from the iOS 9 era likely minimizes any risks associated with it becoming public, and Apple is saying that iBoot source code leaking would not necessarily compromise iPhone security anyway.
As ever, Apple recommends updating the latest version of iOS to ensure current security fixes are in place. Apple’s latest iOS adoption numbers show that fewer than 10% of active devices are running software older than iOS 10 with 65% on iOS 11.
Apple does take secure boot firmware security seriously, however, with the category topping out the payment amount for its bounty program aimed at rewarding researchers for discovering current flaws in Apple’s software.
As per Apple’s statement, the company likely is referring to hardware components like the Secure Enclave that help maintain privacy and security on iPhones and iPads.