White-hat hackers Richard Zhu and Amat Cama at the Mobile Pwn2Own contest on Wednesday leveraged a previously unknown exploit that allowed the pair to extract a supposedly deleted photo from an iPhone X running the latest iOS 12.1.
According to show sponsor Trend Micro's Zero Day Initiative, Zhu and Cama successfully demonstrated an attack involving Apple's Safari web browser to earn $50,000 on the Pwn2Own show floor in Tokyo.
The duo, operating as team Fluoroacetate, connected the target iPhone X to a malicious Wi-Fi access point, then combined an unpatched just-in-time (JIT) compiler bug with an out-of-bounds access to grab a file from the phone's disk. A day earlier, Fluoroacetate used a similar method for a sandbox escape and privilege escalation on the iPhone X over Wi-Fi.
As noted by Forbes, the potent attack can theoretically grab any number of files from a target device, but the photo happened to be the first file the pair came across in the exercise.
A closer look at the hack reveals the stolen photo was merely marked for deletion, meaning it was still on disk and showed up in the Photos app's "Recently Deleted" album. Apple's iOS maintains a Recently Deleted album as a safeguard against accidental image deletion.
When a user "trashes" a photo, it remains on disk for 30 days, presenting an opportunity to recover the file. Images can be permanently destroyed by manually deleting them from the Recently Deleted album.
As per Pwn2Own's rules, Apple has been informed of the exploit and is presumably working on a fix that should be delivered in a future iOS update.
Apple's iPhone X was the target of multiple attempts at this year's Pwn2Own, including an unsuccessful browser attack from MWR Labs and a failed baseband exploit from Zhu and Cama.
Fluoroacetate racked up a total of $215,000 in prizes to win Mobile Pwn2Own 2018. Zhu is a veteran iOS hacker with a record of successful attacks, including the bypass of iPhone 7 security protocols using two Safari bugs at last year's Mobile Pwn2Own event.
Started in 2007, Pwn2Own is an annual hacking contest that offers cash and prizes to security researchers who find, share and demonstrate zero-day vulnerabilities impacting a range of modern software and hardware. Vendors are provided information about the exploits, giving them a chance to patch the bugs, hopefully before they are leveraged for nefarious means.
The title makes the issue much worse than it seems. Annoyed with journalism these days. Yeah... it's technically true, but it's also misleading.
The fact that the file was a “deleted photo” isn’t really relevant.
Congrats to the white hat for finding the vulnerability and getting a payday.
Browsers are the easiest attack vectors besides social engineering attacks, always use a VPN.
Google has a VPN service, I’m surprised Apple hasn’t offered one... probably doesn’t want to step on government toes.
Google is doing it to keep the ad revenue flowing, so there's that. Personally, I'd never use Google's...
And while there are articles about ONE iOS flaw which is probably patched as I write, Android on the other hand is so ridiculously insecure, no one bothers to write anything about it.
According to the article, the victim would need to connect to a "malicious Wi-Fi access point" in order for this rarefied exploit to be worked. Does that mean that the attacker has to set up a Wi-Fi access point and hope that the victim(s) connect, or can an attacker make use of any public Wi-Fi access point to work the attack? If it's the former, as implied, I don't think we need to get too lathered about it. The problem with an article like this is it fails to provide a clear understanding of the exploit or translate the risk; it's just a headline piece to get people worked up.