On July 20, I wrote an article about what we then were referring to as the iPhone 8 and ways that Apple may have been involved in those rumors to either sow misinformation or to control the media narrative about the device. One of the things I addressed in this article was Tim Cook’s comment five years ago that Apple would be doubling down on secrecy. At the time I wrote my post, Apple was coming off the great success of keeping all the details of iOS 11 completely hidden leading up to their WWDC Keynote, and it looked like Cook had made good on his promise of controlling all the information outside of the leaky supply chain.
What a Difference a Month Can Make
I definitely wasn’t the only one in the tech blogger and media community praising Tim Cook for seemingly making good on his promise. I referenced a couple of articles in my aforementioned post detailing the steps, programs, and hires that Apple has made to work on shoring up leaks, and there were also plenty of reports and podcasts with similarly glowing comments. But that was then and this is, well, a very different now.
Supply Chain Sieve
I don’t hold Apple responsible for any of the leaks coming out of the overseas supply chain. Whatever agreements or oversight they may have with Foxconn and others, this is a problem that goes far beyond them and their reach. The money that is thrown around to get access to supply chain secrets almost always wins out, and we see the fruits of it in leaked photos and rumors all the time.
This problem of supply chain leaks also affects not just Apple, but all other tech companies, as well. There is only one way to combat it, and that is to move more production and supply chain in-house. However, despite all of Apple’s cash reserves, they have shown no signs of being interested in taking over any of their own manufacturing the way that Samsung has. If Apple continues to rely on the Southeast Asian electronics supply chain for their components, so too will the hardware leaks.
Cracks in the Dam
The Apple hardware leaks from the supply chain are one thing. The two device firmwares that have leaked over the last month and a half are quite another. According to most accounts, the HomePod leak was either an honest mistake or simple oversight. A firmware meant for internal testing use by Apple employees was uploaded to a server to update devices in the field. While it wasn’t publicly linked, it was on a server that was visible to the outside and this is Apple we are talking about. NOTHING goes unnoticed. Someone found it and the next thing we all know, it was yielding all kinds of details about coming Apple devices.
The reason this leak was such a fountain of information was because Apple device firmwares have a program flag that determines whether they contain the information for only the device that they load on, or ALL iOS devices. Since the HomePod runs a slightly modified version of iOS and it’s firmware was only meant to be used internally until release, this firmware included info on all Apple’s devices under development.
All the rumors and leaks that came before this one don’t amount to a hill of beans in comparison to the goldmine that it was. The HomePod firmware gave Apple fans, the tech community, and even a slice of the general public, a far better understanding of Apple would be unveiling in a few days. There is no way that this much information could have come from anywhere else, or from any other source.
As egregious as this leak was, it is something that should be preventable in the future with better internal security practices governing test and prototype firmwares. I’m sure Apple’s internal IT and security teams have already started making sure that a test firmware such as this won’t leak again, and if it does, it won’t have all the goods on EVERY OTHER iOS device.
A Trickle Becomes a Flood
The HomePod firmware leak was indicative of lax testing practices, but again, those are correctable mistakes under the right leadership. However, Friday’s leak of the iOS 11 Gold Master is a very different matter. I’ve been looking around, and trying to find clear answers, and I’m not sure there are any yet. I know that the file showed up linked on Reddit, and that it was eventually picked apart by several popular Apple blogs and tech sites. If you’ve been paying attention since Friday night, I’m sure you know what I’m talking about.
What is more interesting is that, in one of their articles breaking down information learned from the new leak, Jeff Benjamin of 9to5Mac mentioned that they had “received” the firmware. If someone sent tech media outlets the iOS 11 GM ahead of or independently of the Reddit link, there are really only three logical explanations for that. One is that Apple is behind the whole thing, and leaked the iOS 11 Gold Master intentionally. With an event so close and a huge amount of media coverage already, I highly doubt this is the case.
The second possible reason for the leak is that Apple was hacked, and that this firmware was compromised in the process. It is extremely unlikely that this is a similar situation to the HomePod leak, as Apple would have at least temporarily plugged that hole by now. If a hack is the answer, then it would have taken a severe breach from the outside of some kind. However, I think such a breach would have revealed more than just the iOS 11 Gold Master. Unless other Apple information starts to come out, I will be skeptical of this being the source of the leak.
The third, and in my opinion, most likely answer for what happened here is that this leak was an “inside job” of some kind. There are plenty of reasons why such a thing could happpen, chief among which is money. If Apple wasn’t hacked, the firmware had to get out somehow. Now, it is possible that an Apple employee who had access to the file accidentally left it exposed and someone else took advantage of the situation. That’s exactly how the prototype iPhone 4 found its way into the media’s hands years ago, so it is definitely possible. However, whether intentional or accidental, this is not a good situation for Apple.
No matter what the reason for such a leak (assuming it wasn’t an intentional stunt), it presents a very big problem for Apple. Obviously an outside hack would be a massive issue that would reach well beyond just an early leak of iOS. However, an employee leaking a Gold Master of an OS intentionally isn’t that much better, as it would cast doubt on the effectiveness on Apple’s recently praised internal security staff and measures. Similarly, if an employee left it exposed and allowed someone else to take advantage, it still casts doubt on Apple’s revamped security policies.
Right after WWDC, it looked like Apple had built an impressive security infrastructure, and had made good on Tim Cook’s promise that they would double down on secrecy. Today, it is apparent that Apple’s work isn’t done. Not by a long shot. It is one thing for all of the hardware and component leaks that come from other sources to happen, but this is a whole different ballgame. Having a firmware leak out and expose information early due to sloppy internal handling of a file is bad. Having a Gold Master version of iOS that contains most of the details that will be revealed in a product event four days later is absolutely inexcusable. Paying lip service isn’t enough now, Mr Cook. Time to actually double down, fix the problems, and get these leaks plugged permanently.
What do you think of these firmware leaks? Do you have a theory on how they happened? Do you believe that Apple can fix them? Let me know in the Comments section below, on Flipboard, on our Facebook page, or on Twitter @iPadInsightBlog.
[Update: in a recent post at Daring Fireball, John Gruber is saying he believes that a disgruntled employee inside of Apple is the source of the leak. Considering his connections in and around Apple, this is as good a confirmation as we will ever get.
Gruber also said that the URLs that people were downloading the iOS 11 GM from were actually publicly accessible from Apple, but were just highly obscured to prevent discovery. So, it sounds like Apple may not have learned enough lessons from the HomePod firmware leak. They need to come up with a better private security solution than gibberish URLs, because that obviously isn’t getting it done.]