How a Low-Level Apple Employee Leaked Some of the iPhone's Most Sensitive Code

This is how a small group of friends lost control of the leaked iBoot source code. The story behind one of Apple's most embarrassing leaks.
Image: Che Saitta-Zelterman/Motherboard

On Wednesday, an anonymous person published the proprietary source code of a core and fundamental component of the iPhone’s operating system.

A user named “ZioShiba” posted the closed source code for iBoot—the part of iOS responsible for ensuring a trusted boot of the operating system—to GitHub, the internet’s largest repository of open source code.

Jonathan Levin, an iPhone researcher, called it the “biggest leak” in the history of the iPhone. The iBoot code is for iOS 9 and the code is two years old. But even today, it could help iOS security researchers and the jailbreak community find new bugs and vulnerabilities in a key part of the iPhone’s locked-down ecosystem.

The leak of the iBoot source code is not a security risk for most—if any—users, as Apple said in a statement. But it’s an embarrassment for a company that prides itself on secrecy and aggressively goes after leaks and leakers.

How does something like this happen?

A low-level Apple employee with friends in the jailbreaking community took code from Apple while working at the company’s Cupertino headquarters in 2016, according to two people who originally received the code from the employee. Motherboard has corroborated these accounts with text messages and screenshots from the time of the original leak and has also spoken to a third source familiar with the story.

Motherboard has granted these sources anonymity given the likelihood of Apple going after them for obtaining and distributing proprietary, copyrighted software. The original Apple employee did not respond to our request for comment and said through his friend that he did not currently want to talk about it because he signed a non-disclosure agreement with Apple.

According to these sources, the person who stole the code didn’t have an axe to grind with Apple. Instead, while the employee was working at Apple, friends encouraged the worker to leak internal Apple code. Those friends were in the jailbreaking community and wanted the source code for their security research.

The person took the iBoot source code—and additional code that has yet to be widely leaked—and shared it with a small group of five people.

“He pulled everything, all sorts of Apple internal tools and whatnot,” a friend of the intern told me. Motherboard saw screenshots of additional source code and file names that were not included in the GitHub leak and were dated from around the time of this first leak.

According to two people who were in that original group, they hadn’t planned on the code ever leaving that circle of friends; a third friend who didn’t want the code but saw it on a friend’s computer also confirmed this account.

Eventually, however, the code was shared more widely and the original group of people lost control of its dissemination.

“I was really paranoid about it getting leaked immediately by one of us,” one of the original people to receive the code told me. “Having the iBoot source code and not being inside Apple…that's unheard of.”

“I personally never wanted that code to see the light of day. Not out of greed but because of fear of the legal firestorm that would ensue,” they said. “The Apple internal community is really full of curious kids and teens. I knew one day that if those kids got it they’d be dumb enough to push it to GitHub.”

According to the source, if the code had been spread around too much, it could have helped less well-intentioned people create exploits and malicious jailbreaks to attack iPhone users.

“It can be weaponized,” they said. “There’s something to be said for the freedom of information, many view this leak to be good. [But] information isn’t free when it inherently violates personal security.”

“We did our damnedest best to try to make sure that it got leaked [only after the code] got old,” they added.

Around a year after the code was stolen and circulated among the small group of friends, someone inside that group gave it “to someone else who shouldn’t have had it,” one of our sources said.

At that point, the story gets murky. No one I spoke to is exactly sure who leaked it outside of the first tight-knit group of friends. And no one knew exactly what happened next. But everyone I spoke to agrees that at some point they lost control of the code and it slowly spread further and further. Motherboard confirmed that this particular source code began circulating more widely in 2017 with a fourth and fifth source who are familiar with the jailbreaking and iPhone research communities.

Then in the fall of 2017, people far removed from that initial group of friends started sharing screenshots of the code in a Discord group of jailbreakers as a way to brag and tease other members of the group, according to one of the people I spoke to.

“When I heard about that Discord group, I burned all the copies of iBoot that I had,” they said. “I don't need it anymore, and if this is going public I don't want to be part of leaking it. If it gets out there it gets out there but it is not coming from me.”

At that point, however, it was too late. Soon after, someone with a throwaway Reddit account named “apple_internals” posted a link to a Mega archive with the iBoot source code on r/jailbreak.

Still, very few noticed because the post got automatically removed by a moderator bot. But then on Wednesday, it was posted again to GitHub.

Both of our sources say they believe that someone not associated with the original leak ultimately posted it on GitHub: “What leaked yesterday isn't even the full leak really. It’s not the original leak—it’s a copy,” one of them said.

At that point, it went viral, first inside the jailbreak community, then within the larger iOS security research community. Within hours, infosec Twitter was talking about it, and then we (and the rest of the tech press) wrote about it.

Apple declined to answer questions on whether the company knew about the leak before Wednesday, and whether they are investigating.

“By design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products,” the company said in an emailed statement.

On Wednesday, an Apple employee told me they knew of the leak before it was posted on GitHub, but didn’t say when the company learned the code was stolen.

“None of this was ever supposed to leave a handful of people, what’s happened is quite disastrous,” one of the people who originally received the code told me. “It’s obviously ended up being a clusterfuck, but the original intentions were non malicious.”

Clarification: One line in this post has been changed for clarity because the original phrasing was ambiguous. Apple did not encourage the employee to leak source code; the employee's friends did.
