
Comment by krupan

14 hours ago

I followed the link to the Pixel 9 bug/exploit and saw this:

"Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user"

Haven't we learned our lesson on this? Don't read and act on my sms messages without me asking you to!

Google owns Android. Google does not care about you or other users. Their customers are ad publishers. 0-days do not matter to them! Because there is hardly one alternative: iPhone (and Huawei, but maybe not everywhere). Not much to care about.

We all need a new phone OS and hardware level. Urgently.

  • > Google owns Android. Google does not care about you or other users. Their customers are ads publishers. 0days does not matter for them

    "Google does not care about zero-day vulnerabilities" is an absolutely ludicrous claim.

> Haven't we learned our lesson on this?

What is the purported lesson we should have learned? Users choose phones with rich messaging features. This was a major selling point for iPhone, first, with iMessage, and later with Android until iOS caught up with RCS.

  • One of the things Apple's Lockdown mode does is disable previews of images or links that are sent to you.

    It seems like the lesson is that you shouldn't be processing data sent to the device by random strangers without the user explicitly choosing to open the file or follow the link.

    • That should be the default behavior, not a special lock down option that also disables other features.

      Why can't they just make it like most email clients? No preview by default, give a banner with an option to explicitly allow a preview for that specific message or conversation?

    • Sorry, but that is an insanely defeatist attitude blended with a hint of blaming users for wanting features.

      Image decoders are pure functions and all should have been rewritten as 100% safe Rust years ago.

      Users need functionality.

      It’s up to us to figure out how to provide that safely.

      Saying to users they shouldn’t have those features isn’t sage advice, it’s admitting failure.

  • > What is the purported lesson we should have learned?

    Not to automatically execute things within data that we have been sent.

    • The subtle lesson, which we won't learn is [astronaut meme] all communication is potentially remote code execution. This isn't a computer thing, it's in the inherent nature of how communication works for us too. You can be more or less careful, but you can't eliminate the problem entirely or else communicating ceases to be effective.

Even that's not sufficient. Consider an email client that doesn't parse images until you interact with the message. So you click on it, realize it's dodgy, but it's too late now because all the complex bug prone machinery has already been triggered.

Or my favorite, I marked an extremely suspicious message with what was almost certainly a malicious attachment as junk in a certain BigTech webmail client (the only other option was phishing which it most certainly was not) and it "helpfully" opened the unsubscribe link in my local browser without first asking me for permission. It's difficult to imagine the level of incompetence and dysfunction required to not only write but review, approve, and deploy such a feature in a security and privacy sensitive context.

> Don't read and act on my sms messages without me asking you to!

Being an accidental or curious tap away from an RCE isn't actually much better. The fix is using sanitizing and safe parsers.

Windows had autorun starting with Windows 95, but stopped shipping it as a default in Windows 7 (2009). So, yeah, no, we haven't learned our lesson.

Getting users to open a message isn't a terribly high bar. As a user I would not find it acceptable if I needed to be careful with which message I open. We tried putting the responsibility on the user with email attachments and I think it's fair to say it's been a disaster. Malicious attachments are probably the most important distribution vector for malware.

  • This isn't even an exploit if the crappy AI or whatever that's trying to do something fancy never "processes" the message. At least give me a choice before you automatically do that.

> Don't read and act on my sms messages without me asking you to!

Doesn't that just turn a 0-click exploit into a 1-click exploit? It's unlikely the user can make an informed decision to not process a potentially malicious message, without clicking on the message.

  • Preferably a two-click exploit. One to view the message and one (if I decide it's safe) to process it through your buggy code.

    A 0-click exploit is horrendously worse than even a 1-click one. I often don't even open messages from numbers I don't recognize.

I don't know if that is the right lesson. It's kind of like "don't click on links"... Err, no. You should be able to click any link without getting hacked.

  • We aren't talking about clicking links even. This is a bug in some stupid code that tries to read your messages for you and act on them. No thank you!

  • Sure, in an ideal world different from this one. You should be able to do anything on any device and never worry about security.

    Unfortunately, since we don't live in that world, we need to not open links, emails, text messages, etc, if they are sketchy.

    A better solution may someday exist, but as of yet has not been found.

    • "Don't click on links" is not a solution, and it's not something people actually do, it's just something they think they do.

      Corporate Security will tell you that it's ok to click links to the payroll system or hr or vanta or the 'secure email service' or jira or github or to docusign or the microsoft office document that a partner company sent you or an amazon delivery notification, but not ok to click links in the phishing email that looks exactly like one of those that they sent you.

      It's not possible to tell whether a message giving you a link to something is 'sketchy' or not before clicking the link, and any 'security' that relies on people knowing whether a message is malicious or not by magic is broken in the real world.

> Don't read and act on my sms messages without me asking you to!

Somewhere there's an NSA agent reading this and laughing like a gin addict on payday.

"But the users never know what they want to do! We have to shove suggestions and recommendations at them at every! waking! moment!"