Over the years, Apple has spent countless hours refining and updating the software that runs on its devices. The iOS developers at the company comb through seemingly endless lines of code to locate and eradicate bugs that could potentially compromise the security of the information stored by consumers. Unfortunately, not all bugs are squashed by the developers, and hackers are often able to exploit these bugs to access private information like previously deleted photos and files, according to a report from Forbes.
This new iOS 12.1 privacy bug was discovered at the Pwn2Own 2018 mobile hacking competition held in Tokyo, an annual event that challenges white-hat hackers to find vulnerabilities in popular software used on mobile devices.
According to the report, hacking duo Richard Zhu and Amat Cama, also known as Fluoroacetate, were able to find and exploit weaknesses in the Safari browser which allowed them to access files and photos that had already been deleted from the iPhone X. The vulnerability was found in a just-in-time (JIT) compiler, which is supposed to make the iPhone faster but has instead left an open door for intruders. Zhu and Cama managed to carry out their JIT exploit through a malicious Wi-Fi access point.
Deleting a photo from an iPhone isn’t a one-step process. When a user attempts to delete a photo, the phone’s operating system will show a prompt with a Delete Photo button. After hitting the delete button, the photo still isn’t completely gone from the iPhone. It will then go to a Recently Deleted folder where it will remain until it expires, usually after 30 days. Users are able to go into the Recently Deleted folder and make the photos disappear permanently. iPhone and Mac forensic specialist Vladimir Katalov has confirmed that Apple does actually destroy those files as promised and there’s “no chance for recovery.”
The hackers were able to remotely access these recently deleted photos without alerting the user of the iPhone. The team won $50,000 for their discovery and Apple has been made aware of the bug, but has yet to address the issue. It’s likely the company won’t patch the vulnerability until its next iOS update.
Pwn2Own was first held in 2007 and was created by network security researcher Dragos Ruiu. “Pwn2Own is a great opportunity to develop and test ourselves while helping to secure technology many of us rely on. We’re very proud of the team’s latest win and their overall track record in the competition,” managing director of MWR InfoSecurity Ed Parsons said in a press release.
The iPhone X wasn’t the only well-known device to be hacked at the event. The Samsung Galaxy S9 and Xiaomi Mi6 were also hacked along with 15 other devices, earning hackers an overall total of $325,000 in cash prizes.