Interesting People mailing list archives

How a Low-Level Apple Employee Leaked Some of the iPhone's Most Sensitive Code - Motherboard


From: "Dave Farber" <farber () gmail com>
Date: Sat, 10 Feb 2018 14:14:02 -0500


https://motherboard.vice.com/en_us/article/xw5yd7/how-iphone-iboot-source-code-leaked-on-github

How a Low-Level Apple Employee Leaked Some of the iPhone's Most Sensitive Code
This is how a small group of friends lost control of the leaked iBoot source code. The story behind one of Apple's most 
embarrassing leaks.

On Wednesday, an anonymous person published the proprietary source code of a core and fundamental component of the 
iPhone’s operating system.

A user named “ZioShiba” posted the closed source code for iBoot—the part of iOS responsible for ensuring a trusted boot 
of the operating system—to GitHub, the internet’s largest repository of open source code.

Jonathan Levin, an iPhone researcher, called it the “biggest leak” in the history of the iPhone. The iBoot code is for 
iOS 9 and the code is two years old. But even today, it could help iOS security researchers and the jailbreak community 
find new bugs and vulnerabilities in a key part of the iPhone’s locked-down ecosystem.

The leak of the iBoot source code is not a security risk for most—if any—users, as Apple said in a statement. But it’s 
an embarrassment for a company that prides itself on secrecy and aggressively goes after leaks and leakers.

How does something like this happen?

A low-level Apple employee with friends in the jailbreaking community took code from Apple while working at the 
company’s Cupertino headquarters in 2016, according to two people who originally received the code from the employee. 
Motherboard has corroborated these accounts with text messages and screenshots from the time of the original leak and 
has also spoken to a third source familiar with the story.

Motherboard has granted these sources anonymity given the likelihood of Apple going after them for obtaining and 
distributing proprietary, copyrighted software. The original Apple employee did not respond to our request for comment 
and said through his friend that he did not currently want to talk about it because he signed a non-disclosure 
agreement with Apple.

According to these sources, the person who stole the code didn’t have an axe to grind with Apple. Instead, while 
working at Apple, friends of the employee encouraged the worker to leak internal Apple code. Those friends were in the 
jailbreaking community and wanted the source code for their security research.

The person took the iBoot source code—and additional code that has yet to be widely leaked—and shared it with a small 
group of five people.

“He pulled everything, all sorts of Apple internal tools and whatnot,” a friend of the intern told me. Motherboard saw 
screenshots of additional source code and file names that were not included in the GitHub leak and were dated from 
around the time of this first leak.

According to two people who were in that original group, they hadn’t planned on the code ever leaving that circle of 
friends; a third friend who didn’t want the code but saw it on a friend’s computer also confirmed this account.

Eventually, however, the code was shared more widely and the original group of people lost control of its dissemination.

"I was really paranoid about it getting leaked immediately by one of us," one of the original people to receive the 
code told me. "Having the iBoot source code and not being inside Apple...that's unheard of."

“I personally never wanted that code to see the light of day. Not out of greed but because of fear of the legal 
firestorm that would ensue,” they said. “The Apple internal community is really full of curious kids and teens. I knew 
one day that if those kids got it they’d be dumb enough to push it to GitHub.”

According to the source, if the code had been spread around too much, it could have helped less well-intentioned people 
create exploits and malicious jailbreaks to attack iPhone users.

“It can be weaponized,” they said. “There’s something to be said for the freedom of information, many view this leak to 
be good. [But] information isn’t free when it inherently violates personal security.”

“We did our damnedest best to try to make sure that it got leaked [only after the code] got old,” they added.

Around a year after the code was stolen and circulated among the small group of friends, someone inside that group gave 
it “to someone else who shouldn’t have had it,” one of our sources said.

At that point, the story gets murky. No one I spoke to is exactly sure who leaked it outside of the first tight-knit 
group of friends. And no one knew exactly what happened next. But everyone I spoke to agrees that at some point they 
lost control of the code and it slowly spread further and further. Motherboard confirmed that this particular source 
code began circulating more widely in 2017 with a fourth and fifth source who are familiar with the jailbreaking and 
iPhone research communities.

Then in the fall of 2017, people far removed from that initial group of friends started sharing screenshots of the code 
in a Discord group of jailbreakers as a way to brag and tease other members of the group, according to one of the 
people I spoke to.

“When I heard about that Discord group, I burned all the copies of iBoot that I had,” they said. “I don't need it 
anymore, and if this is going public I don't want to be part of leaking it. If it gets out there it gets out there but 
it is not coming from me.”

At that point, however, it was too late. Soon after, someone with a throwaway Reddit account named “apple_internals” 
posted a link to a Mega archive with the iBoot source code on r/jailbreak.


A screenshot of the little-noticed Reddit post where the iBoot source code was first shared with the whole internet.

Still, very few noticed because the post got automatically removed by a moderator bot. But then on Wednesday, it was 
posted again to GitHub.

Both of our sources say they believe that someone not associated with the original leak ultimately posted it on GitHub: 
“What leaked yesterday isn't even the full leak really. It’s not the original leak—it’s a copy,” one of them said.

At that point, it went viral, first inside the jailbreak community, then within the larger iOS security research 
community. Within hours, infosec Twitter was talking about it, and then we (and the rest of the tech press) wrote about 
it.

Apple declined to answer questions on whether the company knew about the leak before Wednesday, and whether they are 
investigating.

“By design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of 
hardware and software protections built into our products,” the company said in an emailed statement.

On Wednesday, an Apple employee told me they knew of the leak before it was posted on GitHub, but didn’t say when the 
company learned the code was stolen.

“None of this was ever supposed to leave a handful of people, what’s happened is quite disastrous,” one of the people 
who originally received the code told me. “It’s obviously ended up being a clusterfuck, but the original intentions 
were non-malicious.”

Clarification: One line in this post has been changed for clarity because the original phrasing was ambiguous. Apple 
did not encourage the employee to leak source code; the employee's friends did.
