notactuallyben's comments

notactuallyben | 1 year ago | on: Google: Stop Burning Counterterrorism Operations

Are you suggesting that western exploit sellers are selling bugs to western governments and also BRICS? That sounds not very likely.

All of this stuff is very complicated ethically, but I don't think you can simply say that it is always in the public good to expose bugs (Stuxnet is a good example of a bug chain avoiding a far deadlier outcome).

I've personally worked for vendors of software and done offensive research, and now I do neither.

notactuallyben | 1 year ago | on: Google: Stop Burning Counterterrorism Operations

It's not true anymore due to the new generation of hackers that came up, and it's impolite to dox them if they don't want to be known for it, but for a period, about a third of Google Chrome/Project Zero security all came from ex-Western govts (or contractors) - you can find vague mentions on the dailydave mailing list about this.

notactuallyben | 1 year ago | on: Google: Stop Burning Counterterrorism Operations

Firstly, very unlikely that Zerodium are supplying bugs they use (could be internally developed, or developed by a more trusted domestic defence contractor).

What about if the targets are like Osama Bin Laden's (* INSERT MORE MODERN TERRORIST) family? (I have no idea who they are targeting.)

Are you meant to have some dude speak Arabic and become close friends with the top terrorist leaders? Like, how do you propose that even works? Would HUMINT actually work in those cases?

I think it's a nice idea for everyone to work on fixing the vulnerabilities, but I don't think that will scale with whatever organisations mandate to stop terrorism or whatever.

notactuallyben | 1 year ago | on: Google: Stop Burning Counterterrorism Operations

Interesting blog post that was long overdue, I think Google should probably disclose all the details (URLs/actors responsible, methodology for catching these exploits ITW and targeting) around the ITW samples when they kill the bugs, so we can have nuanced discussion with actual facts. It would also help the threat intelligence industry ;)

notactuallyben | 3 years ago | on: Google: Turn off VoLTE, Wi-Fi calling: severe Exynos modem vulnerabilities

So I got a little bit of time to check (https://github.com/Biktorgj/quectel_eg25_recovery/tree/EG25G... - the NON-HLOS), and it's still actually running a Qualcomm Hexagon baseband (40 MB binary by Qualtec when combined using Gal's unify_trustlet script).

Load that into the Hexagoon IDA plugin and you'll see it's bog-standard Hexagon for all the remote GSM/LTE code that actually does stuff (similar to the Project Zero research). I haven't verified (and don't own a Pinephone), but most Quectel boards I've seen in the past do enforce signature validation, so binary patches are not easy.

notactuallyben | 3 years ago | on: Google: Turn off VoLTE, Wi-Fi calling: severe Exynos modem vulnerabilities

None use Linux, most just use BSD licence software (or things like openssl). I haven’t seen any GPL code at all tbh.

But yep, would be nice if it was open source, although not sure how much that would help (only if sufficiently motivated auditors can be bothered to look at it). A bunch of baseband firmware is even encrypted on disk now (loaded into BB memory from the kernel).

notactuallyben | 3 years ago | on: Google: Turn off VoLTE, Wi-Fi calling: severe Exynos modem vulnerabilities

Great work from P0 (and Keen lab).

But this statement about baseband mitigations is only partially true. The Huawei Balong platform has ASLR and stack canaries now (and some Infineon too, I believe), and all baseband platforms are improving (even Mediatek). I didn't check Qualcomm lately, but they have a lot of similar protections now.

It's not trivial to do a pivot to AP on modern iPhones or Android phones (excluding some categories) - especially with PAC (and MTE coming).

But yeah, (Samsung) Shannon is an attractive target for attackers due to easily obtainable firmware, strings, DWARF (ELF) firmware that you can find, and a relatively good debugging platform. The bugs are generally pretty low-hanging too.

This isn't the same on Qualcomm platforms (Hexagon is notoriously hard to RE and debug), or the iPhone platforms.
