The beta of iOS 10, released earlier this week, contains some interesting security upgrades and changes, but perhaps the most surprising feature of the software is its unencrypted kernel. That change is a big one for Apple, and security researchers say it could have some interesting effects in the future.
In past versions of iOS, Apple has encrypted the operating system’s kernel, a move that protects the code from analysis, whether by researchers or attackers. The encryption prevents researchers from being able to identify security flaws easily and also makes life more difficult for attackers and groups looking for bugs to use in jailbreaks. But encrypting the kernel wasn’t a complete show-stopper, either.
“Apple choosing to leave the iOS 10 beta kernel unencrypted means that researchers can simply pull it off the phone’s storage to investigate it, instead of following the previous, complicated process of dumping the unencrypted kernel from memory,” Chris Czub, security researcher at Duo Security, said via email.
The increased visibility into the inner workings of iOS could be a boon for security researchers. Apple historically has been rather opaque about its security and development practices, although that has begun to change recently. The company now publishes security guides for iOS and macOS, but its engineers and executives still don’t say much publicly about their security policies and technology. Now, researchers who are interested in getting a detailed look at the security and architecture of the iOS kernel will have an easier path, something that may lead to the discovery of more vulnerabilities, though that’s no certainty.
“We don’t yet know if Apple intends only to leave kernels unencrypted on the beta builds or if it will continue to the production release, but it lowers the bar of entry for researchers wanting to look for iOS kernel flaws,” Czub said.
“By the same token, security vulnerabilities often exist for years in open source projects before they’re publicly disclosed and it’s far from a guarantee that two iOS researchers looking at the same code will find the same defect in a timely fashion.”
For attackers, access to the unencrypted iOS kernel is nice, but Czub said that most high-level attackers would have already found a way to get to it.
“There is some value to attackers — they now have an easier time looking into the kernel for potential bugs, but motivated attackers would have already been taking memory dumps of phones with encrypted kernels,” he said.