In 2022, security researchers and Apple engineers discovered a vulnerability - CVE-2022-32867 - that affected iOS devices and macOS computers. This issue let anybody with physical access to a device read past diagnostic logs, which could include sensitive data. Luckily, Apple addressed this problem by improving how data is protected, and released a fix in iOS 16 and macOS Ventura 13.

This long read will explain what this vulnerability was, how it could have been exploited, show code illustrating the problem, and discuss the fix. If you’ve ever wondered how logs can leak secrets or why device security matters even if an attacker just “borrows” your phone, read on.

What is CVE-2022-32867?

CVE-2022-32867 is a security vulnerability found in previous versions of iOS and macOS. The official Apple security note describes the problem like this:

> “A user with physical access to an iOS device may be able to read past diagnostic logs. This issue was addressed with improved data protection.”  
> (Source: Apple Security Updates – iOS 16; Apple Security Updates – macOS Ventura 13)

Diagnostic logs contain detailed information about how your device works, including errors, processes, and in rare cases even app or user data. Normally, access to these logs should be restricted, especially when your phone or Mac is locked.

The issue: with certain actions, a person who had your device in their hands (even without your passcode) could get copies of old diagnostic logs.

Exploit Details

This vulnerability was not remotely exploitable. The attacker needed *physical access* to an unlocked or locked (but not wiped) iOS or macOS device. Using built-in tools or unauthorized software, they could target and extract files from the diagnostic logs directory.

1. Physical Access

Attacker gets physical access to your device (stolen, borrowed, left on a desk, etc).

On iOS devices

- Diagnostic logs are typically stored at /var/mobile/Library/Logs/CrashReporter/ or a similar path.
- On a non-encrypted device, or if the device is unlocked, certain tools (including Apple’s own Configurator or third-party forensic tools) could access this folder.

On macOS

- Users can find logs under /Library/Logs/DiagnosticReports/.

Example shell command on an unlocked macOS Terminal

```sh
cd /Library/Logs/DiagnosticReports/
ls -al
# Copy logs out, for example:
cp * /Users/attacker/ExtractedLogs/
```

Or using the iOS File System (through a jailbroken device or forensic hardware)

```sh
# On a jailbroken device
cd /var/mobile/Library/Logs/CrashReporter/
cp * /var/mobile/Documents/logs/
```

*Note: iPhones are harder to attack unless they're jailbroken or a lockscreen bypass exists — but some diagnostic tools, with device owner consent or in certain settings, can still access some logs.*

A log might look like

```
{
  "CrashReporterKey" : "SENSITIVE-DEVICE-ID",
  "Application" : "com.sample.App",
  "Triggered by" : "com.sample.App",
  "UserID" : "johndoe@example.com",
  ...
}
```

This could allow social engineering, malware targeting, or privacy abuses.
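From the defender's side, the same two questions (who can read the reports, and what is inside them) can be checked directly. The script below is an added example, not code from the original article or from Apple; the function names, the e-mail pattern and the world-readable criterion are assumptions for illustration, and the field names are taken from the sample log above.

```sh
#!/bin/sh
# Added example (not from the original article): audit a diagnostic-report
# directory for files any local account can read and for identifier fields.
# The field names come from the sample log on this page; the function names
# and the e-mail pattern are assumptions made for this illustration.

ID_PATTERN='"(CrashReporterKey|UserID)"[[:space:]]*:|[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

# Files under $1 whose mode grants read access to "other".
world_readable_reports() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Files under $1 containing an identifier field or an e-mail address.
reports_with_identifiers() {
    find "$1" -type f -exec grep -lE "$ID_PATTERN" {} + 2>/dev/null | sort
}

# Highest priority: world-readable files that also contain identifiers.
risky_reports() {
    find "$1" -type f -perm -004 -exec grep -lE "$ID_PATTERN" {} + 2>/dev/null | sort
}

# Build a constructed sample directory (no real device data); prints its path.
make_constructed_sample() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/diagaudit.XXXXXX") || return 1
    printf '{\n  "CrashReporterKey" : "CONSTRUCTED-ID",\n  "UserID" : "johndoe@example.com"\n}\n' > "$d/app_open.ips"
    printf '{\n  "Application" : "com.sample.App"\n}\n' > "$d/app_clean.ips"
    printf '{\n  "UserID" : "janedoe@example.com"\n}\n' > "$d/app_locked.ips"
    chmod 644 "$d/app_open.ips" "$d/app_clean.ips"
    chmod 600 "$d/app_locked.ips"
    echo "$d"
}

# Demo on the constructed sample; on a Mac you administer, pass
# /Library/Logs/DiagnosticReports/ instead.
sample=$(make_constructed_sample)
echo "World-readable reports:";         world_readable_reports "$sample"
echo "Reports containing identifiers:"; reports_with_identifiers "$sample"
echo "World-readable AND identifying:"; risky_reports "$sample"
rm -rf "$sample"
```

Files listed by `risky_reports` are the ones to review first: tighten their permissions or stop the reporting application from writing user identifiers into them.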

What Was the Fix?

Apple improved how the diagnostic logs are encrypted and restricted who can access them and when. The fix shipped in:

- iOS 16: Released September 12, 2022 (security notes)
- macOS Ventura 13: Released October 24, 2022 (security notes)

The logs are now protected by stronger encryption and permissions, and physical access is no longer enough. Even with the device in hand, the attacker can’t see or extract protected logs without authenticating.

How Can You Stay Safe?

1. Update: Always use the latest iOS and macOS versions. If you’re on iOS 16 or Ventura 13 or later, you’re protected.

Real-World Impact

While this bug needed someone to physically get your device, forensic companies and malicious actors sometimes target phones in repair shops, during border crossings, or from lost/stolen devices. Ensuring critical data isn’t left in plain diagnostic logs is a basic but important part of device security.

- Apple iOS 16 Security Content
- Apple macOS Ventura 13 Security Content
- CVE Record for CVE-2022-32867 (NIST)
- Mobile Forensics and iOS: How Logs Leak Data (SANS Digital Forensics)

Conclusion

CVE-2022-32867 reminds us that security doesn’t just mean keeping hackers out over the internet. Even a diagnostic log — something made for troubleshooting — can leak your data if not properly protected. Apple’s swift fix shows why regular software updates matter, and why you should care about who can touch your device, even for a moment.

Timeline

Published on: 11/01/2022 20:15:00 UTC
Last modified on: 11/02/2022 15:47:00 UTC