The Fluoroacetate duo of Amat Cama and Richard Zhu used a pair of bugs to recover a recently deleted photo from an iPhone X running iOS 12.1.
To recover the deleted photo, the hackers used a malicious Wi-Fi access point along with a JIT (just-in-time) compiler exploit. They earned $60,000 and 10 Master of Pwn points for their successful demonstration. The exploit can be used to recover more than just deleted photos, though.
Next up, Amat and Richard returned to the Short Distance category. This time, they were targeting the iPhone X over Wi-Fi. They used a pair of bugs – a JIT vulnerability in the web browser followed by an Out-Of-Bounds write for the sandbox escape and escalation.
The duo also demonstrated an exploit against Xiaomi’s Mi 6 over NFC, using its touch-to-connect feature to route the device to a custom website. For this, they won $30,000 and 6 Master of Pwn points.
Our day began with Fluoroacetate (Amat Cama and Richard Zhu) successfully exploiting the Xiaomi Mi6 handset via NFC. Using the touch-to-connect feature, they forced the phone to open the web browser and navigate to their specially crafted webpage. During the demonstration, we didn’t even realize that action was occurring until it was too late. In other words, a user would have no chance to prevent this action from happening in the real world.
Apple has already been informed of the bug and will likely address it in the coming iOS 12.1.1 update.
[Via Zero Day Initiative]