iOS 10 Beta Has an Unencrypted Kernel; Makes It Easier to Discover Security Flaws and Jailbreaks

MIT Technology Review has discovered that the kernel in iOS 10 beta is unencrypted, making it a lot easier for technology-minded users, jailbreak developers and the like to take a peek under iOS’s hood and pinpoint any potential vulnerabilities.
For those wondering, kernels in all prior iOS betas used to be encrypted. Is this a bold move meant to help strengthen security in iOS 10 or will this decision actually introduce further security risks and open new attack vectors for hackers to exploit?
“Crucial pieces of the code destined to power millions of iPhones and iPads were laid bare for all to see,” reads the article, adding that the move “would aid anyone looking for security weaknesses in Apple’s flagship software.”
Why Apple has suddenly opened up its code is unclear. One hypothesis in the security community is that, as Levin puts it, someone inside the company “screwed up royally.” But he and Solnik both say there are reasons to think it may have been intentional. Encouraging more people to pore over the code could result in more bugs being disclosed to Apple so that it can fix them.
Jonathan Zdziarski, the well-known hacker and security hacker seems to agree with the hypothesis. He doesn’t think that Apple accidentally forgot to encrypt the kernel. He says that would be an elementary mistake and akin to “forgetting to put doors on an elevator”.

When Apple refused to comply with the request from FBI to unlock San Bernardino shooter’s iPhone, the law enforcement agency took help from a third-party to break into the device. So one of the reasons that Apple may have opened up its code is to weaken the expanding trade where hackers sell security exploits to law enforcement.

Does releasing iOS 10 beta containing an unencrypted kernel signal that someone at Apple screwed up royally? And if so, shouldn’t have Apple pulled iOS 10 beta already? Or, was it a deliberate decision after all? 


blog comments powered by Disqus
Octofinder Blog Catalog