iBoot leak: Central part of Apple iPhone operating system leaks online

Andrew Griffin

One of the most important parts of the software powering the iPhone has been leaked.

iBoot, which makes sure that the phones start up properly, has made its way online. Such software is usually entirely locked down and leaks could allow hackers to break into the most sensitive parts of the iPhone and iPad.

The iBoot source has found its way online, but since been taken down. The code is old and it's unlikely that hackers could use it to break into a device, but the very fact that it has been leaked will be worrying for Apple.

“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code," Apple said in a statement. "There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections."

Initial reports referred to the leak as potentially the biggest in history. But the code is old, mostly useless and probably doesn't pose any risk for reasons laid out by Apple.

Still, leaks of and bugs in the firmware that powers phones as they turn on is taken incredibly serious by Apple, since it is one of the most sensitive things the phone does. It is the most valuable category in Apple's bug bounty programme, which pays out rewards to researchers who find potentially dangerous problems with its products.

And Apple's operating system source code is supposed to be entirely locked down and never leave the company. It is not just a central part of its commercial secrets, but reading through the code that powers the iPhone could allow malicious attackers to find holes they could exploit to attack phones.

It's the first time that such code has become public, after it was posted on Github, a site that stores files of this kind. It's not clear who it was posted by and it has now been taken down after Apple filed a copyright request with the site.

The leak has led to fears that more information could be available in private. The files posted to Github are thought to have been passed around security researchers for some time before they were made public, suggesting that yet more code could be available but not have yet made its way into the open.