by ddod 1184 days ago
Four things of note:

1. I've not seen anyone explain whether this could be exploited by anyone with access to phone lines (i.e. Twilio users) or not and if it would be trivial to try the vuln with every phone number you could find in any DB. If those things are the case, it seems like the chances would be very high that this would be or has already been exploited and affecting every unpatched phone.

2. It seems like Project Zero mistakenly thought that Google devices were already patched when they made their announcement ("affected Pixel devices have received a fix"). Whoops! Thanks for giving attackers a heads up.

3. When contacting Google support (specifically Fi) multiple CS reps told me repeatedly this was all fake news and that Project Zero was unaffiliated with Google. They assured me there was no problem, and if there was a vulnerability, it would be communicated on the Fi website (which has no service status or security pages and has never published any outages or vulnerabilities in the past).

4. The delayed March update for Pixel 6 phones doesn't even show up when you open the software update panel (which shows a checking animation that I assume does nothing). You have to manually check again. Who knows when the folks who are unaware of this vulnerability will actually be prompted to install the patch.

Google have guaranteed that at least one person and their family will never purchase another Google product or service.


> When contacting Google support (specifically Fi) multiple CS reps told me repeatedly this was all fake news and that Project Zero was unaffiliated with Google.

I hate CS reps. I used to work as one but I never lied. If I didn’t know something and I couldn’t find it in my knowledge base I contacted the on-site staff to relay the caller’s question/concern.

> It seems like Project Zero mistakenly thought that Google devices were already patched when they made their announcement ("affected Pixel devices have received a fix"). Whoops! Thanks for giving attackers a heads up.

Do you have a source for the fact that Pixel devices don't yet have a fix? The post we're commenting on is actually just blogspam, with its only real source being the initial project zero disclosure [0], which still asserts this to be the case...

[0] https://googleprojectzero.blogspot.com/2023/03/multiple-inte...

The blog post was published on the 16th.[0] Pixel 6 and 6a started the update rollout on the 20th.[1] The March security update was scheduled for earlier but was delayed for 6/a for some reason, and it seems like the Project Zero team didn't check on the actual status of the rollout.

[0] https://googleprojectzero.blogspot.com/2023/03/multiple-inte...

[1] https://9to5google.com/2023/03/20/pixel-6-march-2023-update/

> Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number.

I read that as well, and either it's unclear or I lack the technical understanding to apply that to my question.

What does "at the baseband level" mean in terms of remote attack vector? Do they need to be physically nearby with an antenna or could they be across the world connecting through VOIP?

And why do they need to know a phone number? If it's that they need a nearby antenna + knowledge of a phone number, it sounds like this vulnerability might not be a big deal, and it would be great if they communicated that clearly. Alternatively, if the vulnerability is accessible from any remote phone connection, knowledge of a phone number wouldn't matter because attackers would spam the attack against millions of numbers.

In effect, it means if they can call you, they can exploit you. The description given was what an attacker needs to hack you in particular, which means they need your phone number to determine which device to target. If they want to spam a million users they could do that too, although these kinds of things are typically not done this way because that is very noisy and reduces the effective life of the vulnerability.

> If they want to spam a million users they could do that too, although these kinds of things are typically not done this way

That seems like a convenient assertion not based on evidence.

Without trying to sound confrontational, it appears as if you are a current employee of Google, which might have colored your comment and should probably have been disclosed.

No offense taken, I’ve seen confrontational and it can be far worse than this ;) I do work for Google; in fact I work on detecting malware for Android. I have no special knowledge of these bugs, in fact I would be surprised if I even have access to them by default. Project Zero typically handles discovery of zero days internally, and this kind of thing requires working with partners and whatnot, so it’s pretty out of the way. What I know for these bugs is summarized by the blog post. If the bug ends up being exploitable from an app, or it’s been a couple months, I might see what is going on with them, but we’re definitely not there right now. And information about specific bugs and how they are being exploited is generally NTK so I wouldn’t talk about that publicly anyways until they are disclosed officially or the patch is public.

With that out of the way, and the obvious “please ask before quoting me in a news article and absolutely do not treat this as any sort of official Google thing”, this bug is quite serious and of the kind you would typically see in a targeted attack. As I mentioned above, you don’t really want to be noisy with how you’re using an exploit because then people will catch on and try to defend against it. Plus, you generally want a specific thing from the person you’re targeting. Hacking into a million phones and getting value out of it is pretty hard. For targeted attacks things like personal information and specific assets are valuable. On a wide scale, what are you going to do? Steal credit card numbers and wallet keyphrases for a handful of popular clients? Why not just try to pwn the app itself, or phish people, which is a lot less effort?

I don’t want to sound like I’m making this claim because it sounds better if it’s not used for widespread attacks. It absolutely can be used for this, which is why its capabilities are very concerning. But the reasoning behind this is based on what the market for exploits looks like, not just speculation. Large-scale uses of them are typically cheap reuses of n-days by unsophisticated attackers (which is something I do actually deal with personally). In the very rare cases you see actual 0-days used (I can actually mention one now, search for “Pinduoduo”!) they are not of the baseband variety but typically sandbox escapes and abuse of APIs that allow for background execution, accessibility access, and the like.

Thanks for your thoughtful reply. Maybe Google could benefit from having you train customer service for a few days ;)

> you don’t really want to be noisy with how you’re using an exploit because then people will catch on and try to defend against it

My initial reaction was that the vulnerability was already published so why would they care, but I can also imagine how the actual payload could be something to hide as well. That said, couldn't an exploit simply turn off security updates? It sounds like this vuln has full access to everything on the phone.

> In the very rare cases you see actual 0-days used

But that's the issue--it's not a 0-day. It was publicized before the patch went out for millions of users. Was the patch force-updated for everyone else? If not, that number of unpatched users is probably an order of magnitude greater.

This isn't an issue of some state-level actors sitting on a secret 0-day, it's a use-it-or-lose-it moment for anyone who's heard about it straight from Google's mouth.

Full access to SMS 2fa and email accounts seems like everything. That gives you access to most people's bank accounts. You could search emails for crypto accounts and MITM non-SMS 2fa apps if you have root access to the phone. Sending money requests to contacts using real names. I could think of a million ways to use root access. I don't know the cost of exploiting this vulnerability, but I know that sort of access is valuable to a lot of people.

Why wouldn't this have been a goldrush to exploit by unsophisticated attackers? Maybe I'm missing something?

> Google have guaranteed at least one person and their family to never purchase another Google product or service.

They did that when they waited more than a month to patch the phone call bug in Pixel 6 series. What if someone has an emergency? Nope, Google thought that can wait.

I will still purchase Pixels because they isolate the modem.

If that were true, how could they be affected by a bug that allows full device compromise via the baseband?

They're not affected, or at least less affected. The baseband doesn't have direct memory access like on other phones.

Do you have more information on this? I was not aware Pixel phones have any additional protection against modem exploits.