by lossolo
218 days ago
This shouldn't be downvoted because it's stating facts. RCEs for critical infrastructure/OSes are very rare, they don't just grow on trees. I agree that OP exaggerated by saying that any government can buy whatever RCE they want and get access to any system they want, like buying candy in a candy shop. That's not reality.
However, safety critical is not limited to cars: it also includes the phones of activists and journalists living under authoritarian regimes.
Monolithic kernels written in portable assembly mean that such bugs DO grow on trees [1] and the lack of backporting means they just drop to the ground: the poor are sold phones that may never receive a security update. So even sugar tax activists in Mexico are the target of spyware!
We have seen the sophistication of these attacks ramp up as cryptocurrency has made them profitable and the North Koreans have made a killing exploiting these bugs.
Maybe you are right and it is very difficult to find these bugs but that just means low demand is what is keeping the price down. But that's probably because there are enough LPEs and known RCEs that they are not needed most of the time.
[1]: https://www.cvedetails.com/vulnerability-list/vendor_id-33/L...