Thought you deleted your iPhone photos? Hackers find a way to get them back

Twice a year, an international contest called Pwn2Own – the Olympic Games of competitive hacking, if you like – gives the world’s top bug-hunters a chance to show off their skills.

The word pwn, if you aren’t familiar with it already, is hacker jargon for “own”, as in “owning” someone’s computer – and, with it, their data – by taking control of it behind their back.

In case you’re wondering, pwn is a deliberate mis-spelling, based on the fact that O and P are adjacent on most keyboards. In theory, therefore, it should be read aloud as own, the word it denotes, in much the same way that the word St is read aloud as saint, or Mr as mister. In practice, however, it’s pronounced pone – just treat it as own with a p- added in front.

Like the Olympics, which alternates every two years between summer and winter sports, Pwn2Own alternates between desktop hacking at the start of the year, and mobile device hacking at the end.

Even though we’re talking flippantly about hacking, pwning and breaking into other people’s computers, and even though the content requires competitors to complete a hack live in person within a 30-minute period, Pwn2Own isn’t a free-for-all endorsement of cybercrime.

The rules are pretty clear cut – and clean-cut, for that matter.

Finding new zero-days

Brand new, genuinely exploitable zero-day bugs are hard to find these days, and vendors dearly like to find out about them before the crooks do, so it’s fair that top bug hunters get paid for their efforts.

So, Pwn2Own winners can earn loads of money, but they only get paid out if they conform to strict guidelines of responsible disclosure.

A successful contest entry has to be practicable – participants have half an hour to show that the vulnerabilities they’ve discovered really can be chained together to form a working exploit.

Also, the details of how the attack works have to be properly written up. (Anyone who’s worked as a programmer knows that there’s nothing more frustrating than chasing down a badly-documented bug – a task that’s like searching for the right haystack in which to search for what may or may not be a needle in a haystack.)

In other words, competitors only get paid if they find a working exploit; document it properly so that it can be repeated and investigated; and then keep quiet about it while the vendor gets a fair chance to fix it.

Well, the standout winners at Mobile Pwn2Own 2018, which finished on Tuesday in Tokyo, Japan, were a team known as @fluoroacetate.

Despite their confrontational moniker (fluroacetate is an acute and lethal toxin, sold commercially as 1080, for poisoning unwanted wild animals), the duo also go by the names Amat Cama and Richard Zhu, and look like perfectly pleasant people:

The hack that really got our attention, given the many recent controversies to do with recovering data from iPhones, was news that @fluoroacetate figured out a way to access one or more deleted files on an iPhone running the latest version of iOS.

In their live exploit demo, the file they used was a photo from the Recently Deleted directory, a holding location where deleted photos go to “rest” for a few weeks, in case you have deleter’s regret and decide you want to undelete them.

Deleted-but-not-yet-overwritten files have been a cybersecurity risk for years on most desktop operating systems, where users can, at least in theory, log in as root or an administrator and go digging for leftover data right down at disk sector level.

This opens the path to forensic recovery of data, or perhaps data fragments, by bypassing the usual hierarchical structure and controls imposed by the filing system and the operating system.

But Apple’s iOS isn’t supposed to be open to spelunking of this sort – users aren’t supposed to be able to get root powers or the ability to dig around behind the scenes, whether for deleted data or moved-out-of-the-way files.

To exfiltrate deleted photos, Cama and Zhu used exploitable bugs in the Safari browser to trick iOS into letting them at content that shouldn’t have been accessible.

The risk of browser bugs of this sort is that they can be triggered by booby-trapped web pages, and are therefore generally remotely exploitable – you only have to entice your victim to look at a website, rather than to convince them to download a file, change some settings and then launch it themselves.

That hack earned the intrepid duo $50,000, but that was less than a quarter of their total earnings.

They also bagged:

  • $30,000 for tricking a Xiaomi Mi6 phone (running Android MIUI, Xiaomi’s alternative to Google’s proprietary flavour of Android) into launching a web browser automatically, and then downloading a working exploit, all via NFC.
  • $50,000 for taking over a Samsung Galaxy S9 by exploiting a bug in the baseband firmware. (That’s vendor-provided firmware, distinct from the operating system itself, programmed to look after the mobile telephony aspects of the device such as making calls and connecting to the 4G network.)
  • $60,000 for exploiting an iPhone X via a Wi-Fi bug.
  • $25,000 for a JavaScript bug on the Xiaomi Mi6 that allowed them to exfiltrate data from the device.

The pair also had a go at hacking the iPhone X’s baseband firmware, but didn’t get their exploit to work correctly within the time limit.

Nevertheless, they took home $215,000 from five successful zero-days.

But those zero-days will now be reported to Apple, Samsung and Xiaomi and will therefore very likely be patched before they’re found by any cybercrooks.

What to do?

What to do about those not-so-deleted photos on your iPhone?

Our advice is not to panic – this bug doesn’t feel like one that will be independently rediscovered by cybercrooks before it gets patched.

However, if you’re worried about photos you thought you were rid of, remember that there’s a second “delete” stage in the iPhone Photos app.

In the list of Albums, you’ll find one called Recently Deleted, which is a sort of short-term limbo for photos you no longer want.

As far as we know, permanently deleting them from the Recently Deleted halfway house puts them beyond recovery, even using @fluoroacetate’s new hack.