Hacker News
by jonathanmayer 1775 days ago
(Context: I teach computer security at Princeton and have a paper at this week's Usenix Security Symposium describing and analyzing a protocol that is similar to Apple's: https://www.usenix.org/conference/usenixsecurity21/presentat....)

The proposed attack on Apple's protocol doesn't work. The user's device adds randomness when generating an outer encryption key for the voucher. Even if an adversary obtains both the hash set and the blinding key, they're just in the same position as Apple—only able to decrypt if there's a hash match. The paper could do a better job explaining how the ECC blinding scheme works.


> only able to decrypt if there's a hash match

This is one of the concerns in the OP: have an AI generate millions of variations of a certain kind of image and check the hashes. In this case it boils down to how common neural hash false positives are.

Yes, this ^^^^^^

> The proposed attack on Apple's protocol doesn't work.

With all due respect, I think you may have misunderstood the proposed attack @jonathanmayer, as what @jobigoud said is correct.

There may be another attack.

Given some CP image, an attacker could perhaps morph it into an innocent looking image while maintaining the hash. Then spread this image on the web, and incriminate everybody.

Yes, perceptual hashes are not cryptographically secure, so you can probably generate collisions easily (i.e. a natural-looking image which has an attacker-specified hash).

Here is a proof of concept I just created on how to proceed: https://news.ycombinator.com/item?id=28105849

Sounds like a fantastic way for law enforcement to get into your phone with probable cause. Random message you a benign picture from some rando account with a matching hash. Immediate capture for CP, data mine the phone, insert rootkit, 'so sorry about the time and money you lost - toodles'.

Don’t warrants have to name why?

Like a warrant for CP can’t be used to collect evidence on another case for, say, tax fraud.

Warrants do have to name why, and where. However, anything they find along the way is fair game. If they open your trunk to find drugs and see a dead body, then the dead body is still admissible. (Assuming that opening the trunk for drugs is okay.)

It'd be interesting to see how the way common images are reused (for example in memes by only adding text) would be enough to change that hash. If it wasn't enough it could spread very quickly.

Of course I'd dare not research or tinker with it lest I be added to a list somewhere; such is the chilling effect.

I guess in that case they'd delete that single hash from the database because they'd still have an endless (sadly) supply of other bad image hashes to use instead.

> Then spread this image on the web, and incriminate everybody.

You'd still have to generate several images and persuade people to download multiple of them into their photo roll. And as I understand it there's yet another layer of Apple employees to review the photo metadata before it ever makes its way to law enforcement.

That does seem like an interesting protest vector, though. Generate a bunch of images that match CSAM images but are mundane. Then have everyone download them and send them to their cloud. Someone then needs to spend resources determining that the images are _not_ actual matches. Basically, a DDOS attack on the functionality.

Indeed, that thought occurred to me as well.

It's a risky bet, though: if somehow that intermediate layer fails and you find yourself locked up and accused of storing/disseminating CSAM material, it's not like the civil rights era when your friends and neighbors (and hopefully employers) will understand you've been arrested for a peaceful protest.

The smarter, if potentially less ethical, solution is to encode such images and make memes with them. One of them going viral is likely to flag an enormous number of people along the way.

> several images and persuade people to download multiple of them into their photo roll.

I believe such images are called "Dank Memes" these days.