by ddod 1180 days ago
I read that as well, and either it's unclear or I lack the technical understanding to apply that to my question.

What does "at the baseband level" mean in terms of remote attack vector? Do they need to be physically nearby with an antenna or could they be across the world connecting through VOIP?

And why do they need to know a phone number? If it's that they need a nearby antenna + knowledge of a phone number, it sounds like this vulnerability might not be a big deal, and it would be great if they communicated that clearly. Alternatively, if the vulnerability is accessible from any remote phone connection, knowledge of a phone number wouldn't matter because attackers would spam the attack against millions of numbers.


In effect, it means if they can call you, they can exploit you. The description given was what an attacker needs to hack you in particular, which means they need your phone number to determine which device to target. If they want to spam a million users they could do that too, although these kinds of things are typically not done this way because that is very noisy and reduces the effective life of the vulnerability.
> If they want to spam a million users they could do that too, although these kinds of things are typically not done this way

That seems like a convenient assertion not based on evidence.

Without trying to sound confrontational, it appears as if you are a current employee of Google, which might have colored your comment and should probably have been disclosed.

No offense taken, I’ve seen confrontational and it can be far worse than this ;) I do work for Google; in fact I work on detecting malware for Android. I have no special knowledge of these bugs, in fact I would be surprised if I even have access to them by default. Project Zero typically handles discovery of zero days internally, and this kind of thing requires working with partners and whatnot, so it’s pretty out of the way. What I know for these bugs is summarized by the blog post. If the bug ends up being exploitable from an app, or it’s been a couple months, I might see what is going on with them, but we’re definitely not there right now. And information about specific bugs and how they are being exploited is generally NTK so I wouldn’t talk about that publicly anyways until they are disclosed officially or the patch is public.

With that out of the way, and the obvious “please ask before quoting me in a news article and absolutely do not treat this as any sort of official Google thing”, this bug is quite serious and of the kind you would typically see in a targeted attack. As I mentioned above, you don’t really want to be noisy with how you’re using an exploit because then people will catch on and try to defend against it. Plus, you generally want a specific thing from the person you’re targeting. Hacking into a million phones and getting value out of it is pretty hard. For targeted attacks things like personal information and specific assets are valuable. On a wide scale, what are you going to do? Steal credit card numbers and wallet keyphrases for a handful of popular clients? Why not just try to pwn the app itself, or phish people, which is a lot less effort?

I don’t want to sound like I’m making this claim because it sounds better if it’s not used for widespread attacks. It absolutely can be used for this, which is why its capabilities are very concerning. But the reasoning behind this is based on what the market for exploits looks like, not just speculation. Large-scale uses of them are typically cheap reuses of n-days by unsophisticated attackers (which is something I do actually deal with personally). In the very rare cases you see actual 0-days used (I can actually mention one now, search for “Pinduoduo”!) they are not of the baseband variety but typically sandbox escapes and abuse of APIs that allow for background execution, accessibility access, and the like.

Thanks for your thoughtful reply. Maybe Google could benefit from having you train customer service for a few days ;)

> you don’t really want to be noisy with how you’re using an exploit because then people will catch on and try to defend against it

My initial reaction was that the vulnerability was already published so why would they care, but I can also imagine how the actual payload could be something to hide as well. That said, couldn't an exploit simply turn off security updates? It sounds like this vuln has full access to everything on the phone.

> In the very rare cases you see actual 0-days used

But that's the issue--it's not a 0-day. It was publicized before the patch went out for millions of users. Was the patch force-updated for everyone else? If not, that number of unpatched users is probably an order of magnitude greater.

This isn't an issue of some state-level actors sitting on a secret 0-day, it's a use-it-or-lose-it moment for anyone who's heard about it straight from Google's mouth.

Full access to SMS 2fa and email accounts seems like everything. That gives you access to most people's bank accounts. You could search emails for crypto accounts and MITM non-SMS 2fa apps if you have root access to the phone. Sending money requests to contacts using real names. I could think of a million ways to use root access. I don't know the cost of exploiting this vulnerability, but I know that sort of access is valuable to a lot of people.

Why wouldn't this have been a goldrush to exploit by unsophisticated attackers? Maybe I'm missing something?

> Maybe Google could benefit from having you train customer service for a few days ;)

Customer service? What customer service? :P

> That said, couldn't an exploit simply turn off security updates?

Sure, but I was thinking more along the lines of if you have a widespread issue then people will write about it and how to restart the device to clear the infection, turn off remotely exploitable surface area, etc. For example I know a lot of people would turn off iMessage when the effective power stuff was going on since it was so easy to exploit and used widely to troll.

> Why wouldn't this have been a goldrush to exploit by unsophisticated attackers? Maybe I'm missing something?

Right, this isn’t an 0-day anymore, because Google knows about it. Some of the bugs also have patches available, making those effectively public. Apparently, some are not fixed yet and also easy to exploit, for which Project Zero has made a rare exception and not disclosed them.

In general, if an exploit remains unpatched for a while, it will actually start being exploited by opportunistic attackers. Some exploits are actually really easy to launch, because they are simple or someone left a PoC online. Those can and do get spammed en masse by things like ad networks and generic malware.

For more complex exploits, or partial patches, you’ll often need a sophisticated attacker to actually design the exploit once the bug is known. Those ones are not generally in the business of hacking a million people and trying to get their credit card information. Top vulnerability developers are frighteningly fast in how quickly they can make a working exploit out of a patch that they diffed. To my knowledge it’s more reliably lucrative and safer for them to sell it to people who use them for targeted attacks, so that’s what they do.

Anyways, here I suspect the answer is “the ones that are public are hard to exploit” and “the ones that are not public might actually be dangerous and were withheld for exactly that reason”.