Apple firmware: Leaks, links, and locking it all down

White HomePod on a dresser
White HomePod on a dresser (Image credit: Apple)

I'm genuinely more excited for Apple's September 12, 2017 special event than I have been for any event since the iPhone 6. Still, Apple has now had two leaks leading up to the event, widely expected to include the announcement of iPhone 8, iPhone 8 Plus, and iPhone X, Apple Watch LTE, and Apple TV 4K HDR. The first one was an accident. The second one, not so much.

John Gruber, writing for Daring Fireball

Again: these URLs were not discovered by guessing the URLs, or because they were published at obvious URLs prematurely. Someone who works at Apple emailed these URLs to 9to5Mac and MacRumors — possibly without even knowing just how much information could be gleaned from these builds compared to the last developer beta builds. UPDATE: Let me clarify that sentence: whoever leaked these URLs knew it would be an incredibly damaging leak, if for no other reason than that they included the IPSW image for iPhone D22. The list of URLs they leaked included every device. The least amount of heretofore unknown information that was going to come out of this leak was massive, and whoever leaked it knew that. What I'm saying is they quite possibly didn't even know just how many little things, things I won't mention here for the sake of DF readers who are trying to stay spoiler-free for Tuesday's event, were spoiled by this leak.That person should be ashamed of themselves, and should be very worried when their phone next rings.

My understanding is the same as John's: The leak was internal and malicious. And it was incredibly damaging to the company — a company that relies on surprise as a key way to generate marketing buzz and maintain excitement in the media. It's just about impossible to believe anyone in a position to leak those links wouldn't know that.

From Apple's perspective that means, come Tuesday afternoon, instead of hearing about the announcements and the surprises, we'll be hearing about how the leaks were confirmed and, from those in the media who continually mistake cynicism for intelligence, how "boring" Apple has become. (Imagine a movie critic reading a leaked plot to "The Last Jedi" and then claiming the movie lacked surprises...)

As hard as it is to believe someone inside Apple would leak the firmware, it just as hard to believe such a leak was possible. The firmware was live on the internet, protected only through obscured URL. That means, when the URLs were leaked, anyone could access the firmware. No VPN, login credentials, or other security checks required.

It's absolutely the fault of the leaker but my guess is that the days of security through obscurity are done and Apple locks down the firmware delivery process asap.

Update: Great point by Will Strafach on Twitter: Convenience is the enemy of security.

Same with the HomePod firmware leak from last month. That leak wasn't malicious. It was the result of a mistake, at least at first. Someone copied an un-flagged version of the file to a public rather than a private directory.

It's not at all hard to believe that mistakes happen. It's still hard to believe that those kinds of mistakes can happen, though.

My guess is that Apple locks down that process asap as well, with both digital and human checks and safeguards.

I'm sure most people at Apple are too apoplectic to look for it right now, but if there's a silver lining for them in all this, that's it. Legacy has hellacious inertia and old processes don't die easily. Often, people are too busy to even stop and think about improving things that currently get the job done, even if imperfectly.

Then something like this happens, and top to bottom, everyone's will becomes bent on making sure it doesn't happen again.

Update: I've got no beef with leaks or the coverage thereof. But the world is nuanced and there are multiple perspectives and truths. Leaks provide considerable attention for websites that cover Apple, including iMore. They also inform customers who may be considering whatever products are about to be released. From Apple's perspective, though, they're damaging. They cost sales [on current devices], depress marketing, and the security enhancements that follow make it harder for many to do their jobs. That, in turn, can affect the next generation of products.

Update 2: There's a narrative going around that claims these were "controlled leaks" or "publicity stunts" from Apple. No, they weren't. This is not the kind of publicity the company wants or needs. Apple lives for the big reveal at the big event on the big stage. You can love or leave the leaks, whatever suits you. But don't think for a minute Apple wanted them or is anything other than extremely frustrated by them.

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.