iPhone X bug lets hackers steal deleted photos

If you have any particularly embarrassing or otherwise compromising photos on your iPhone you might want to think twice about how to keep them from being discovered by someone else. Simply deleting them might not be enough.

A vulnerability allowing hackers to access deleted photos and other files on the iPhone X was discovered by two researchers this week at the Pwn2Own hacking contest for finding iOS and Android bugs.

Richard Zhu and Amat Cama demoed the issue by connecting an iPhone X running iOS 12.1 to a malicious Wi-Fi network and exploiting a vulnerability in a so-called just-in-time (JIT) compiler, which is designed to help iPhones perform certain tasks faster.

The pair could then retrieve a photo from the Photos app's Recently Deleted album, where images are stored for 30 days after you delete them from the camera roll. This feature allows users to recover deleted photos should they change their mind. Other files processed by the JIT compiler could be accessed through the same method as well.

Zhu and Cama received a $50,000 reward for their findings and Apple has been informed of the bug. According to Forbes, the issue has yet to be fixed, though.

Comments

wasTF

This is not front page news, it belongs in the side column at best.

1 month ago
cdembrey

The best way to become more secure is to stop using FREE services, such as G-mail or social media sites. People share personal info with unknown "friends" everyday on FaceSpace. They sign-up to push info services frequently. Many apps track your movements in the physical world. Not much reason to hack your phone ;-)

1 month ago
The Silver Nemesis

Just imagine stealing the deleted photos from Ansel Adams iPhone...

1 month ago
falconeyes

Ansel Adams uses a Pureview 808 ;)

1 month ago
The Silver Nemesis
1 month ago
George1958

Hard to not want to poke fun, I am sure that there will be personal content that iPhone users would wish to keep private.

That said there will be a lot of crap that is of no interest to anyone. Hackers hack for a purpose. It requires effort and time. Hard to imagine that anyone would be motivated to go after a load of bad selfie and food shots etc, but then again?

1 month ago
SteveAnderson

This is a lot of people with no imagination.

I use my phone camera to document serial numbers and such for daily work.

I then delete them when the paperwork is done.

My deleted photos are highly sensitive material,

I thought we were photographers, and supposed to have some imagination. At least try to be on the above average intelligence side folks. Your phone shouldn't be smarter than you.

1 month ago*
Mortal Lion

Bug in my garbage can lets hackers steal my garbage.

1 month ago
Franz Weber

I'm glad that I have sold my old iPhone X and bought the iPhone XS instead.

Old tech is always susceptible to failure

1 month ago*
kelpdiver

No reason to think this bug is restricted to the X. This is an iOS bug. Or feature, if you will - users have needed safe undelete abilities since the 80s.

1 month ago
SteveAnderson

He is being sarcastic or is not quite right.

1 month ago
mr.izo

try to steal photos with cb station

1 month ago
Photo Pete

The more I hear and the more ‘advanced’ we get the more I like the idea of film, processed at the local camera store, of getting money out of a local bank in person, served by a cashier you know, of writing things with pen and paper, of buying things with cash from a real world shop with real people serving, of talking to friends in a local cafe or pub rather than on-line.

I just can’t stand this virtual world of mistrust and fraud. You certainly won’t find me pouring out my feelings on some internet forum. ;-)

1 month ago
Wye Photography
1 month ago
falconeyes

> film, processed at the local camera store

you mean as in “how did my wife’s nudies make it from the store to the town’s kids?”

1 month ago
cosinaphile

great points ...
a virtual world is a world almost anonymous to you and unaccountable but makes you transparent to those who seek your personal information and seek invading your privacy. government, megacorps who trade in mined info, [ you are the ore to be smelted ] internet criminals [including corporations ] all represent dangers to the citizen

banking in person, actually going to a store, and socializing with people in person is a healthy alternative to the newest human disease ...virtual laziness

1 month ago*
mxx

Like with so many things, the solution is probably finding the correct balance between virtual/digital and real/analogue. Each one has its pros and cons.

1 month ago
Wild Bill - Polo Protog

One of the many reasons I use a dumb phone. No camera, no photos to lose, no texts with info to steal. If I want to take pictures, I use a camera (with WiFi and any other such stuff turned off).

1 month ago
quiquae

Oh boy, if you think traditional phone voice and SMS are secure, have I got a camera company in Brooklyn to sell you....

If you're paranoid about keeping your data out of the bad guys' hands, use encrypted messaging and VoIP apps on smartphones. At least they try to help you.

1 month ago
Wild Bill - Polo Protog

I agree, those services are not secure either. One of the reasons to not always speak plainly. As long as both parties know the code, nothing is said that anybody else will be able to use. Otherwise only talk in person.

1 month ago
fuego6

@Wild Bill - Paranoid much? Yeesh!

1 month ago
Wild Bill - Polo Protog

Just because you are paranoid does not mean they are not out to get you. It is better to be over paranoid and wrong, than to not be paranoid enough. Trust no one, and then not even him.

1 month ago
Ebrahim Saadawi

Maybe if you're a very important individual this is warranted, otherwise no one is out to get you. We studied such a documented condition back in medical school and saw many paranoid people in psychiatry wards which was very very sad.

1 month ago
quiquae

If you are truly that scared, I do not understand why you feel comfortable having an account at DPR, an entity owned by Amazon, one of the most voracious collectors of information in the world.

1 month ago
fuego6

@Wild Bill - Lol.... look out Bill - them Polo riders are comin to get ya.... data!!

1 month ago
Gmon750

One iPhone security hole (most likely patched now) and the media and haters go nuts.

Meanwhile... with all the countless insecurity holes in Android, there's a reason why no one bothers to write any articles about that. Where to start?

1 month ago
Mortal Lion

The media are the enemy of the iPeople. Right?

1 month ago
cosinaphile

@gmon,
in other words,....." what about Hillary "!!!

lol

1 month ago*
Gmon750

Going for those "Alternative Facts" eh?

1 month ago
cosinaphile

that the hills are murderers, .....that trumps is a clown?...naaaaa.......,cause both are real

"what about android ?" when talking about apples,?....id say its apples and oranges ....lol

1 month ago*
otto k

Ok, it pays to read a bit before dismissing the issue:
"As noted by Forbes, the potent attack can theoretically grab any number of files from a target device..."
"A day earlier, Fluoroacetate plied a similar method for a sandbox escape and escalation on iPhone X over Wi-Fi."

This is not tied to the deleted photo collection, but could also access other files. So, it's not just your "selfie" it could also be a bank or credit or other report giving bad actors enough info for identity theft, etc.

This seems to be serious, but, knowing Apple, the fix should not be far in the future.

Btw, couple exploits like this with easily remote-hackable Wi-Fi access points and you have a more serious problem on your hands.

1 month ago
princecody

Why is there ONLY 2 operating systems for phones-Apple & Droid? It’s like Coke & Pepsi without the aspartame 🙄🙂

1 month ago
ecologer

People use smartphones because of the possibilities that apps give.
A smartphone without apps is just a big expensive dumb phone. Microsoft tried to gain traction for their Windows Phone system but one of the reasons they failed was because there are simply much more apps for iOS and Android.

Developers are interested to develop apps for systems that people actually use. More users mean potentially more profit for developers.

And unless there's a significant reason to do otherwise, manufacturers will avoid using an OS which doesn't have large enough user base.

1 month ago
LiangMing

It is like the Recycle Bin in a PC, right? If someone can hack into your Recycle Bin, what can you do?

1 month ago
Wye Photography

Keep it empty. Problem solved.

1 month ago
photophile

They can have my deleted photos.

1 month ago
Wye Photography

And mine. That's where all the crap goes.

1 month ago
Bobthearch

Few people have even bothered stealing my best photos. :D

1 month ago
DrHook59

Not only can they have my deleted photos, they can have my iPhone X, too

Oh wait, I have an iPhone 4.

What the hell, they can have that too.

1 month ago
elefteriadis alexandros

I am not an apple-ios fan, it is too expensive for what you get and has too many restrictions. But this schizophrenia with security is insane. Who cares about deleted photos.
I am sure if someone searched all the garbage around the neighbors they would find something useful, but is this a reason to secure the garbage??

1 month ago*
Satyaa

The problem is this, from the article's first line... "embarrassing or otherwise compromising photos"

A simple fix would be to allow users not to keep the images for 30 days. Delete them immediately for good.

1 month ago*
Paul_R_H

You can. Or at least you can on my iPhone, which isn't an X. Simply go to the 'Recently deleted' album, then hit 'delete all'

1 month ago
tkbslc

Sometimes you delete a photo because you don't want it to ever be seen again.

1 month ago
Mariano Pacifico

Why bother about deleted photos? If they deleted it it is good for the taking.

It is like soda pop cans. They throw it in the trash somebody picks it up for money.

Here is my advice. DO NOT TAKE NAKED COMPROMISING PHOTOS OF YOU AND YOUR GIRLFRIENDS.

***USE "REAL CAMERAS" like FF and dSLRs. NEVER BEEN HACKED! Just be careful when you are upgrading to Firmwares because that is where they come in while connected to computers***

1 month ago*
HowaboutRAW

MP:

"If they deleted it it is good for the taking."

The trash diving for account numbers and other important personal information is okay argument.

True, DSLR is very unlikely to be hacked. One can sometimes do firmware updates without a web connection.

1 month ago
cosinaphile

a deleted photo is as likely to contain sensitive private and compromising pictures as any saved, a photo a teenage girl foolishly takes for her boyfriend, deleted for compositional reasons ,a photo of a document too dark, a Weiner sexting Weiner pics ,oops...too light

my idiot android device saves deleted photos for a month , cause technology as it evolves treats us more and more as the children we've become

use a real camera ,....exactly

1 month ago*
Roland Karlsson

Ah! Interesting! How about Copyright and deleted photos?

1 month ago
Bobthearch

"How about Copyright and deleted photos?"

Moving a photo from one computer folder to another has no impact on Copyright.

1 month ago
Roland Karlsson

I am talking about deleting. Not moving to a folder.

1 month ago
Bobthearch

I was thinking of deleting files on a PC. When you 'delete' something it goes into the Recycle Bin that is just another folder on the computer.

But no, there's nothing in the Copyright Law that reassigns copyright based on the owner's intent to destroy it.

1 month ago
HowaboutRAW

I'm betting that's a built in feature for various security agencies, one that's been discovered now.

1 month ago
nwcs

No conspiracy theories needed. It’s in all likelihood just a minor bug with overall small impact. If someone really wanted to delete something they can go into that folder and delete and then purge.

1 month ago
Dave Andrade

One of the downsides of the internet age.
We have all this information at our fingertips.
But wild conspiracies (that don't hold up to logic) get spread like wildfire.

1 month ago
Mariano Pacifico

This is not about hackers stealing deleted photos ... IT IS ABOUT iPHONE x BEING HACKED. If it can be hacked they can steal anything that is left un-deleted.

If they deleted it. They do not need it. Why bother?

1 month ago
Dave Andrade

Well this could still be a dangerous situation.
Let's say they had the phone in their hand while using the urinal. They accidentally snap a pic. They then say "oops" and delete it. Then someone hacks it and sends their manhood around the internet. It's probably something that should be addressed.

And yes, I am not that aloof to know that those kind of pics could be taken on purpose, too. But let's not assume that all deleted pics are of the ceiling or a blurry pic of their cat.

1 month ago
zw1975

@Mariano Pacifico: I agree with your first point. I don't think the hackers stole "deleted" photos. Instead, they stole photos tagged for deletion in the future. The article's title could mislead some readers.

1 month ago
HowaboutRAW

DA:

Right, it's "illogical" that various parties would want a way into deleted iPhone data files.

1 month ago
heiner71

"Recently Deleted" is not deleted. To really delete photos you have to delete them from the "Recently Deleted" album, which is just one step more. Otherwise you can always (30 days) go back to the "Recently Deleted" folder and see the image. So it has really just been moved from one folder to another, with a TTL added to it.

1 month ago
Dave Andrade

Yet another reason to go Android :)
Yes, I "went there".

1 month ago
nwcs

Android doesn’t need the vulnerability. Google already copies your photos to its servers. :)

1 month ago
Dave Andrade

fair point :)

1 month ago
Charlie Jin

I heard that hackers already handed over Android hacking to highschoolers, since it’s not challenging ;-)

1 month ago
Mariano Pacifico

Android is for geeks. I love Android. I drooled over Android. It is geeky. Plenty of customization. Lovin' it. Life is Good. Go Android.

1 month ago
Charlie Jin

Yes. All the geeks can hack Android. It’s so easy to hack Android. Average Android users are either geeked or hacked ( = screwed )

1 month ago
sunhorse

@Dave Andrade
It really helps to read the article, even if details are sparse. Here, I'll help you out:

"Android phones owned too
As part of the competition, the Fluoroacetate team also found a way to pilfer information from Google Android devices, including the Samsung Galaxy S9 and the Xiaomi Mi6. Researchers from F-Secure’s MWR Labs also showed off hacks against the same devices."

The link to the Forbes article is right in the DPR text above. I use both iOS and Android devices and do not have illusions about the relative security of those.

1 month ago