Unencrypted iOS 10 kernel poses no risk to platform security or user data

By , Aug 9, 2016


Apple’s unexpected decision to leave parts of the iOS 10 kernel unencrypted didn’t sit well with some privacy advocates, who feared the move could help attackers hunt for security weaknesses in iOS. It turns out the change was made for performance: Ivan Krstić, Apple’s head of Security Engineering and Architecture, explained at the Black Hat security conference that the unencrypted iOS 10 kernel has no impact on platform security and does not weaken the encryption of user data.

So, what’s a kernel?

The kernel manages the system’s memory, communicates with peripherals and controls low-level services, hardware access and security policy. On iOS it ships as a kernel cache: the kernel bundled with the low-level device drivers (kernel extensions) and hardware configuration it needs. The kernel cache contains code and configuration, not user data.

[Slide from Krstić’s Black Hat talk listing the unencrypted parts of iOS 10]

In his talk, titled “Behind the Scenes of iOS Security”, Krstić pulled up a slide, shown above, spelling out the specific parts of iOS 10 that Apple’s engineers have left unencrypted.

The following parts of iOS 10 are unencrypted:

  • iBoot: the boot loader that verifies and runs the iOS kernel
  • Kernel caches: the kernel together with its drivers; these contain no user data
  • Boot logos: the boot logo images are no longer encrypted

Krstić went on to say that the above changes are part of a wider set of performance optimizations in iOS 10 because encryption for these objects “was no longer adding a lot of value”. He underscored that iOS 10’s unencrypted kernel poses “no impact to platform security or encryption of user data”.

iOS uses a so-called secure boot chain to ensure that every step of the startup process consists of components cryptographically signed by Apple. Each stage verifies the signature of the next before handing over control, which establishes a chain of trust covering the bootloaders, kernel, kernel extensions and baseband firmware. This protection comes from signature verification, not from encryption: a signed component can be read by anyone, but it cannot be modified without the signature check failing, which is why leaving the kernel cache in plaintext does not weaken the chain.

“This secure boot chain helps ensure that the lowest levels of software are not tampered with and allows iOS to run only on validated Apple devices,” says Apple.
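The check the secure boot chain performs, as an added example that is not Apple’s code or image format: a toy model in Go in which each stage (iBoot, the kernel cache, a boot logo) is a plaintext image carrying an Ed25519 signature over its SHA-256 digest, and the previous stage refuses to hand over control if the signature does not verify under the trusted root key. The stage names, image bytes and the single root key are constructed for the demo; real devices use Apple’s own image container and a root public key baked into the Boot ROM, which this simplifies. The point it shows is that anyone can read the unencrypted kernel cache, but flipping a single byte of it is caught before it ever runs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link in the boot chain: a plaintext image plus a signature
// over its SHA-256 digest. Nothing here is encrypted; only the signature
// protects integrity. Toy model, not Apple's image format.
type Stage struct {
	Name  string
	Image []byte
	Sig   []byte
}

// signStage attaches the signature the vendor would produce for an image.
func signStage(priv ed25519.PrivateKey, name string, image []byte) Stage {
	digest := sha256.Sum256(image)
	return Stage{Name: name, Image: image, Sig: ed25519.Sign(priv, digest[:])}
}

// verifyStage is what the previous stage does (Boot ROM for iBoot, iBoot for
// the kernel cache) before transferring control to the next one.
func verifyStage(root ed25519.PublicKey, s Stage) error {
	digest := sha256.Sum256(s.Image)
	if !ed25519.Verify(root, digest[:], s.Sig) {
		return fmt.Errorf("%s: signature check failed, refusing to boot", s.Name)
	}
	return nil
}

// Boot walks the chain in order and stops at the first stage that fails.
// It returns the names of the stages that were accepted before the failure.
func Boot(root ed25519.PublicKey, chain []Stage) ([]string, error) {
	var booted []string
	for _, s := range chain {
		if err := verifyStage(root, s); err != nil {
			return booted, err
		}
		booted = append(booted, s.Name)
	}
	return booted, nil
}

// BuildChain generates a demo root key and a signed, unencrypted chain.
// Image contents are constructed placeholders, not real firmware.
func BuildChain() (ed25519.PublicKey, []Stage) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	chain := []Stage{
		signStage(priv, "iBoot", []byte("iBoot image (constructed)")),
		signStage(priv, "kernelcache", []byte("XNU kernel + kexts (constructed, plaintext)")),
		signStage(priv, "bootlogo", []byte("PNG bytes (constructed)")),
	}
	return pub, chain
}

// Tamper returns a copy of the chain with one byte of the named stage's
// image flipped, simulating an attacker patching the plaintext file.
func Tamper(chain []Stage, name string) []Stage {
	out := make([]Stage, len(chain))
	copy(out, chain)
	for i := range out {
		if out[i].Name == name {
			img := append([]byte(nil), out[i].Image...)
			img[0] ^= 0xFF
			out[i].Image = img
		}
	}
	return out
}

func main() {
	root, chain := BuildChain()
	// No key is needed to read the image: it is plaintext.
	fmt.Println("kernelcache bytes:", string(chain[1].Image))
	booted, err := Boot(root, chain)
	fmt.Println("clean chain:", booted, err)
	booted, err = Boot(root, Tamper(chain, "kernelcache"))
	fmt.Println("patched kernelcache:", booted, err)
}
```

Run it with `go run` and the clean chain boots all three stages, while the patched kernel cache is rejected after iBoot, even though the attacker had full read access to the image it patched.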

Last Thursday, Apple announced an official bug-bounty program that will pay researchers cash for discovering vulnerabilities in its products. The firm is offering anywhere between $25,000 and $200,000 for an exploit, depending on where it is and what it does.

News that the first beta of iOS 10 left parts of its kernel unencrypted had some people scratching their heads. After the second beta arrived with even more unencrypted kernel segments, Apple went on record to say that leaving the iOS 10 kernel unencrypted was a conscious choice.

“The kernel cache doesn’t contain any user info, and by unencrypting it we’re able to optimize the operating system’s performance without compromising security,” said Apple.

Prior iOS releases shipped with an encrypted kernel cache.

Source: Black Hat

  • Bugs Bunnay

    Well hey. Only time will tell.

  • Rares

    Pfeww, I was afraid they would add encryption again when the beta stages are over.

  • ExoticWaves

    So I have a couple of questions:
    1) How does this affect performance? Does iOS 10 boot more quickly than iOS 9?
    2) Given the new unencrypted surface: iBoot, Kernel caches, and Boot logs: are any of these used in Jailbreaks? Or do jailbreaks use other components of the kernel/OS? If the latter, then why do we think that un-encrypting these 3 portions of the OS would stop jailbreaks from taking place?

    • rockdude094

      Leaving a comment in case an answer pops up

    • John Smith

      Well, usually a bootrom exploit is needed to look for potential bugs. When you have a bootrom exploit, you can look through kernel caches and boot logs to find anything that will allow you to get access to root. This definitely does have a connection with the FBI case. It benefits the FBI because they can find all the exploits they want, and it benefits the researchers as well, as they can start collecting a shit ton of bugs, and report them all to Apple for a reward. With all the possible bugs to discover, slowly the researchers will find everything that is already known by the FBI, and it would be patched by Apple in the end. It’s a loss in the beginning, but a complete win in the long run.

      • ExoticWaves

        Don’t Google and Microsoft have unencrypted kernels too? And don’t they also have bug bounty programs too? I heard that Apple was one of the last companies to the game in terms of adopting bug bounty procedures. If so, we already know that Windows/Android are exploitable, despite any bug bounty programs in place, so why would we expect iOS to have a different fate?