Safari vulnerability lets hackers swipe recently deleted photos from iPhone X

Posted in iOS, edited December 2019
White-hat hackers Richard Zhu and Amat Cama at the Mobile Pwn2Own contest on Wednesday leveraged a previously unknown exploit that allowed the pair to extract a supposedly deleted photo from an iPhone X running the latest iOS 12.1.

Pwn2Own
Amat Cama (left) and Richard Zhu (middle) demonstrate an iPhone X attack at Mobile Pwn2Own 2018.


According to show sponsor Trend Micro's Zero Day Initiative, Zhu and Cama successfully demonstrated an attack involving Apple's Safari web browser to earn $50,000 on the Pwn2Own show floor in Tokyo.

The duo, operating as team Fluoroacetate, connected to the target iPhone X via a malicious Wi-Fi access point, then combined an unpatched just-in-time (JIT) compiler bug with an out-of-bounds access to grab a file from the phone's disk. A day earlier, Fluoroacetate applied a similar method for a sandbox escape and privilege escalation on an iPhone X over Wi-Fi.

As noted by Forbes, the potent attack can theoretically grab any number of files from a target device, but the photo happened to be the first file the pair came across in the exercise.

A closer look at the hack reveals the stolen photo was merely marked for deletion, meaning it was still on disk and showed up in the Photos app's "Recently Deleted" album. Apple's iOS maintains the Recently Deleted album as a safeguard against accidental image deletion.

When a user "trashes" a photo, it remains on disk for 30 days, presenting an opportunity to recover the file. Images can be permanently destroyed by manually deleting them from the Recently Deleted album.

As per Pwn2Own's rules, Apple has been informed of the exploit and is presumably working on a fix that should be delivered in a future iOS update.

Apple's iPhone X was the target of multiple attempts at this year's Pwn2Own, including an unsuccessful browser attack from MWR Labs and a failed baseband exploit from Zhu and Cama.

Fluoroacetate racked up a total of $215,000 in prizes to win Mobile Pwn2Own 2018. Zhu is a veteran iOS hacker with a record of successful attacks, including the bypass of iPhone 7 security protocols using two Safari bugs at last year's Mobile Pwn2Own event.

Started in 2007, Pwn2Own is an annual hacking contest that offers cash and prizes to security researchers who find, share and demonstrate zero-day vulnerabilities impacting a range of modern software and hardware. Vendors are provided information about the exploits, giving them a chance to patch the bugs, hopefully before they are leveraged for nefarious means.

Comments

  • Reply 1 of 16
    title makes the issue much worse than it seems. annoyed with journalism these days. yeah...it's technically true, but it's also misleading.
  • Reply 2 of 16
    The fact that the file was a “deleted photo” isn’t really relevant.

    Congrats to the white hat for finding the vulnerability and getting a payday.

    Browsers are the easiest attack vectors besides social engineering attacks, always use a VPN.

    Google has a VPN service, I’m surprised Apple hasn’t offered one... probably doesn’t want to step on government toes.

    Google is doing it to keep the ad revenue flowing, so there’s that.  Personally, I’d never use Googles...
  • Reply 3 of 16
sflocal (Posts: 6,093, member)
    And while there are articles about ONE iOS flaw which is probably patched as I write, Android on the other hand is so ridiculously insecure, no one bothers to write anything about it.
  • Reply 4 of 16
Soli (Posts: 10,035, member)
    The fact that the file was a “deleted photo” isn’t really relevant.
    Deleted or saved, doesn't make a difference. It's not like we're talking about multiple nature photos where the worst ones were deleted. There could be nude photos, photos of a DL or other picture that has personal and private information on it. I've certainly had to do that many times over the years, and as soon as I'm done supplying the proof I delete it… and I always assumed it was actually deleted since I've never seen a restore button for deleted photos on iOS.

    Google has a VPN service, I’m surprised Apple hasn’t offered one... probably doesn’t want to step on government toes.
    I pay for a VPN service which I use on Public WiFi, but CloudFlare, which introduced their fast, secure, no-tracking DNS service about a year ago now has an iOS and Android app. It's not a VPN for protecting all your data traffic, but on iOS (at least) it uses the VPN service for their DNS.


    Despite some potentially confusing language, you can use other VPN services, you just have to switch between them as you normally would once you get to an unsecured network.

    PS: My only qualm with how Apple treats all VPN services is they don't intelligently keep all their Apple-based traffic (or rather all non-VPN and local router splash screen) from being paused automatically until your VPN service connects. They don't even need to add this as an actual feature, but create the APIs so you can control this data flow from within the VPN apps themselves.


    sflocal said:
    And while there are articles about ONE iOS flaw which is probably patched as I write, Android on the other hand is so ridiculously insecure, no one bothers to write anything about it.
    It's kind of like breaking into and hot wiring a car. You got props if you can crack all the advanced security in a 2019 Bugatti Chiron in under 10 minutes, but no one cares that you can hotwire a 1984 Toyota Tercel in less than 60 seconds.
    edited November 2018
  • Reply 5 of 16

    According to the article, the victim would need to connect to a “malicious Wi-Fi access point” in order for this rarefied exploit to be worked. Does that mean that the attacker has to set up a WiFi access point and hope that the victim(s) connects, or can an attacker make use of any public WiFi access point to work the attack? If it’s the former as implied, I don’t think we need to get too lathered about it. The problem with an article like this is it fails to provide a clear understanding of the exploit or translate the risk; it's just a headline piece to get people worked up.

  • Reply 6 of 16
    Soli said:

    sflocal said:
    And while there are articles about ONE iOS flaw which is probably patched as I write, Android on the other hand is so ridiculously insecure, no one bothers to write anything about it.
    It's kind of like breaking into and hot wiring a car. You got props if you can crack all the advanced security in a 2019 Bugatti Chiron in under 10 minutes, but no one cares that you can hotwire a 1984 Toyota Tercel in less than 60 seconds.

    That really made me laugh!

  • Reply 7 of 16
    I think Pwn2Own rulz!! I find white hat hacking very interesting.
  • Reply 8 of 16
    title makes the issue much worse than it seems. annoyed with journalism these days. yeah...it's technically true, but it's also misleading.

    You know you want to say it...Fake News!
  • Reply 9 of 16
    markbyrn said:

    According to the article, the victim would need to connect to a “malicious Wi-Fi access point” in order for this rarefied exploit to be worked. Does that mean that the attacker has to set up a WiFi access point and hope that the victim(s) connects, or can an attacker make use of any public WiFi access point to work the attack? If it’s the former as implied, I don’t think we need to get too lathered about it. The problem with an article like this is it fails to provide a clear understanding of the exploit or translate the risk; it's just a headline piece to get people worked up.

    Generally speaking…

    Unless it says that the attacker only needs to be on the same network, then it’s implied that they must be able to intercept, and manipulate, data.

    In either case you should basically never connect to any WiFi that you don’t trust (and you can’t trust any of them until you actually can; including that you must verify that it isn’t a rogue spot with the same name as a trusted network).
  • Reply 10 of 16
    Soli said:
    I've certainly had to do that many times over the years, and as soon as I'm done supplying the proof I delete it… and I always assumed it was actually deleted since I've never seen a restore button for deleted photos on iOS.

    Since iOS 9 there has been an Album called "Recently Deleted" holding deleted photos for up to 30 days. Select any photo or video in that album and one of the choices is "Recover". If you want to really delete a photo you have to delete it first from the Library and then again from the Recently Deleted Album.
  • Reply 11 of 16
    Soli (Posts: 10,035, member)
    yoyo2222 said:
    Soli said:
    I've certainly had to do that many times over the years, and as soon as I'm done supplying the proof I delete it… and I always assumed it was actually deleted since I've never seen a restore button for deleted photos on iOS.

    Since iOS 9 there has been an Album called "Recently Deleted" holding deleted photos for up to 30 days. Select any photo or video in that album and one of the choices is "Recover". If you want to really delete a photo you have to delete it first from the Library and then again from the Recently Deleted Album.
    👍 Thanks for the info.
  • Reply 12 of 16
    volcan (Posts: 1,799, member)
    seanismorris said:
    Browsers are the easiest attack vectors besides social engineering attacks, always use a VPN.
    Some websites are blocking traffic that appears to be coming from a VPN.
  • Reply 13 of 16
    Soli (Posts: 10,035, member)
    volcan said:
    seanismorris said:
    Browsers are the easiest attack vectors besides social engineering attacks, always use a VPN.
    Some websites are blocking traffic that appears to be coming from a VPN.
    Yeah. The Verge has been doing this for a while now.
  • Reply 14 of 16
    svanstrom said:
    markbyrn said:

    According to the article, the victim would need to connect to a “malicious Wi-Fi access point” in order for this rarefied exploit to be worked. Does that mean that the attacker has to set up a WiFi access point and hope that the victim(s) connects, or can an attacker make use of any public WiFi access point to work the attack? If it’s the former as implied, I don’t think we need to get too lathered about it. The problem with an article like this is it fails to provide a clear understanding of the exploit or translate the risk; it's just a headline piece to get people worked up.

    Generally speaking…

    Unless it says that the attacker only needs to be on the same network, then it’s implied that they must be able to intercept, and manipulate, data.

    In either case you should basically never connect to any WiFi that you don’t trust (and you can’t trust any of them until you actually can; including that you must verify that it isn’t a rogue spot with the same name as a trusted network).
    That's the problem as I mentioned; the article is too vague, but connecting to any open WiFi access point is problematic, esp. if it's a rogue spoofing a public hotspot. Since the article is titled as a Safari vulnerability, perhaps one could temporarily use another browser if it's essential to connect to a public hotspot. Of course that might not work either, but the article isn't helpful other than causing FUD.
  • Reply 15 of 16
    markbyrn said:
    svanstrom said:
    markbyrn said:

    According to the article, the victim would need to connect to a “malicious Wi-Fi access point” in order for this rarefied exploit to be worked. Does that mean that the attacker has to set up a WiFi access point and hope that the victim(s) connects, or can an attacker make use of any public WiFi access point to work the attack? If it’s the former as implied, I don’t think we need to get too lathered about it. The problem with an article like this is it fails to provide a clear understanding of the exploit or translate the risk; it's just a headline piece to get people worked up.

    Generally speaking…

    Unless it says that the attacker only needs to be on the same network, then it’s implied that they must be able to intercept, and manipulate, data.

    In either case you should basically never connect to any WiFi that you don’t trust (and you can’t trust any of them until you actually can; including that you must verify that it isn’t a rogue spot with the same name as a trusted network).
    That's the problem as I mentioned; the article is too vague, but connecting to any open WiFi access point is problematic, esp. if it's a rogue spoofing a public hotspot. Since the article is titled as a Safari vulnerability, perhaps one could temporarily use another browser if it's essential to connect to a public hotspot. Of course that might not work either, but the article isn't helpful other than causing FUD.
    Damn, you folks are critical!

    I don't need to know the full details of the exploit for the article to be interesting. It's a news piece, not a public service, self-protection tutorial.

    Details won't make it any less FUDdy for many of us anyway, since the concepts are well beyond what most average users understand. Knowing that it only happens if the attacker sets up a certain kind of network doesn't help me, because I haven't the slightest idea how to determine what kind of network I'm connected to!

    If you or anyone else is part of the IT-savvy cool-kid set that understands this stuff, I'm sure a quick search will turn up all kinds of nuts-and-diodes articles just oozing with detailed techie goodness. The rest of us, who are too stupid, lazy, or otherwise-occupied to learn what any of this means, will come away with the message that no photo or document on our phones is ever really secure. That's not a bad message.
  • Reply 16 of 16
    I think that there’s a little too much fixation on the bit about a malicious WiFi access point: I believe that was a precondition common to all of the exploits that involved networking. In many browser exploits (and probably this one, given that it’s browser-based and not something that’s further down in the network stack) it’s meant to supply the condition that an adversary can force a visit to a webpage that can deliver the attack. In a real world scenario an attack like this could be delivered by compromising a third party website (like this one) and using it as the delivery mechanism. If that’s the case then a VPN wouldn’t help at all.

    Slightly off-topic digression:
    In general, I think that the common wisdom about (non-corporate) VPNs and open WiFi networks is somewhat outdated. Any service that you are using over the Internet should be end-to-end secured (usually via TLS) in a way that is designed to be used over untrusted networks. If a service can’t be safely accessed over an open WiFi network (including a rogue AP) then it’s probably not a good idea to access it over the open Internet at all, VPN or no. 
