White-hat hackers Richard Zhu and Amat Cama at the Mobile Pwn2Own contest on Wednesday leveraged a previously unknown exploit that allowed the pair to extract a supposedly deleted photo from an iPhone X running the latest iOS 12.1.
Amat Cama (left) and Richard Zhu (middle) demonstrate an iPhone X attack at Mobile Pwn2Own 2018.
According to show sponsor Trend Micro's Zero Day Initiative, Zhu and Cama successfully demonstrated an attack involving Apple's Safari web browser to earn $50,000 on the Pwn2Own show floor in Tokyo.
The duo, operating as team Fluoroacetate, connected to the target iPhone X via a malicious Wi-Fi access point, then combined an unpatched just-in-time (JIT) compiler bug with an out-of-bounds access to grab a file from the phone's disk. A day earlier, Fluoroacetate plied a similar method for a sandbox escape and escalation on iPhone X over Wi-Fi.
As noted by Forbes, the potent attack can theoretically grab any number of files from a target device, but the photo happened to be the first file the pair came across in the exercise.
A closer look at the hack reveals the stolen photo was merely marked for deletion, meaning it was still on disk and showed up in the "Recently Deleted" folder in Photos. Apple's iOS maintains a Recently Deleted album as a safeguard against accidental image deletion.
When a user "trashes" a photo, it remains on disk for 30 days, presenting an opportunity to recover the file. Images can be permanently destroyed by manually deleting them from the Recently Deleted album.
As per Pwn2Own's rules, Apple has been informed of the exploit and is presumably working on a fix that should be delivered in a future iOS update.
Apple's iPhone X was the target of multiple attempts at this year's Pwn2Own, including an unsuccessful browser attack from MWR Labs and a failed baseband exploit from Zhu and Cama.
Fluoroacetate racked up a total of $215,000 in prizes to win Mobile Pwn2Own 2018. Zhu is a veteran iOS hacker with a record of successful attacks, including the bypass of iPhone 7 security protocols using two Safari bugs at last year's Mobile Pwn2Own event.
Started in 2007, Pwn2Own is an annual hacking contest that offers cash and prizes to security researchers who find, share and demonstrate zero-day vulnerabilities impacting a range of modern software and hardware. Vendors are provided information about the exploits, giving them a chance to patch the bugs, hopefully before they are leveraged for nefarious means.