A pair of hackers have earned themselves $50,000 for a hack of an iPhone X that allowed them to grab a photo that was supposed to have been deleted from the device.
Benevolent hackers Richard Zhu and Amat Cama teamed up as Fluoroacetate to come up with an attack on an Apple device running the latest iOS (12.1) that exploited weaknesses in the Safari browser. Apple has now been informed, as per the rules of the Mobile Pwn2Own contest that’s wrapping up Wednesday in Tokyo.
Confirmed! The @fluoroacetate duo combined a bug in JIT with an Out-Of-Bounds Access to exfiltrate data from the iPhone. In the demo, they grabbed a previously deleted photo. In doing so, they earn themselves $50K and 8 Master of Pwn points. #P2OTokyo
— Zero Day Initiative (@thezdi) November 14, 2018
The attack could have retrieved more information than just a photo. During the setup of the device, a photo was deleted but remained on the disk. As it was the first file Zhu and Cama found with their hack, they used it for their demo.
More specifically, the vulnerability resided in what's known as a just-in-time (JIT) compiler, a program that translates computer code while a program is running, rather than before. It's supposed to make the iPhone faster, but as with all software, it can be vulnerable to attack.
The hackers found a way to exploit the JIT compiler via an attack over a malicious Wi-Fi access point. As a spokesperson for the event said, this was a “coffee shop scenario.”
When deleted means deleted
As with many modern devices, the process of permanently deleting files isn’t as simple as clicking a button. On iPhones, the user first has to move the file to trash, where it will stay for 30 days until it’s “gone forever.” It’s possible to go into the Recently Deleted file to make the photos permanently disappear, too. And, as confirmed by iPhone and Mac forensic specialist Vladimir Katalov, Apple properly destroys files as it promises and there’s “no chance for recovery.”
Right now, as Zhu and Cama proved, it’s possible for remote attackers to get access to those “recently deleted” photos. And the vulnerabilities that allowed them to do that will remain open until Apple issues patches.
Apple hadn’t responded to a request for comment at the time of publication.
Android phones owned too
As part of the competition, the Fluoroacetate team also found a way to pilfer information from Google Android devices, including the Samsung Galaxy S9 and the Xiaomi Mi6. Researchers from F-Secure’s MWR Labs also showed off hacks against the same devices.
As with Apple, the vendors have been informed and patches should be with users at some point in the not-too-distant future.
Source: Forbes