Security Researchers Discover iPhone X Vulnerability at Tokyo Pwn2Own Hacking Contest

A pair of hackers have earned themselves $50,000 USD for hacking an iPhone X and retrieving a photo that was supposed to have been deleted from the device.

At the Pwn2Own 2018 mobile hacking competition held in Tokyo on November 13-14, hackers demonstrated that even fully patched smartphones running the latest software from popular manufacturers can be hacked.

Pwn2Own, which was started in 2007, is an annual hacking contest that offers cash prizes to security researchers who are able to find and demonstrate zero-day vulnerabilities in modern hardware and software. Vendors are then provided with information about the exploits, giving them a chance to fix the bugs before they can be used by other parties.

“We use research to push the boundaries of the cybersecurity industry, helping our clients predict, protect, detect and respond to modern cyber attacks,” said Ed Parsons, managing director of MWR InfoSecurity, in a press release. “Pwn2Own is a great opportunity to develop and test ourselves while helping to secure technology many of us rely on. We’re very proud of the team’s latest win and their overall track record in the competition.”

Three major flagship smartphones — iPhone X, Samsung Galaxy S9, and Xiaomi Mi6 — were among the 18 devices that were successfully hacked at the annual mobile hacking contest organized by Trend Micro’s Zero Day Initiative (ZDI), earning white hat hackers a total of $325,000 USD in rewards.


Hackers Richard Zhu and Amat Cama — who go by the moniker Fluoroacetate — managed to break into the iPhone X using a vulnerability in the Safari browser, and according to new details that were shared after the event, the bug can be used to gain unauthorized access to user files.

The duo combined a just-in-time (JIT) vulnerability in the Safari web browser with an out-of-bounds write bug for the sandbox escape and escalation to exfiltrate data from the iPhone running iOS 12.1, explains a report from The Verge.

For their demonstration, the pair chose to retrieve a photo that had recently been deleted from the target iPhone; their research earned the duo a cool $50,000 USD in prize money.

The Zero Day Initiative said that the competition resulted in 18 zero-day exploits and that the vendors whose devices were compromised have been given 90 days to patch the newly uncovered bugs. As per Pwn2Own’s rules, Apple has been informed of the exploit and is likely working on a fix that should be delivered in a future iOS update.

