
Thanks for your thoughtful reply. Maybe Google could benefit from having you train customer service for a few days ;)

> you don’t really want to be noisy with how you’re using an exploit because then people will catch on and try to defend against it

My initial reaction was that the vulnerability was already published so why would they care, but I can also imagine how the actual payload could be something to hide as well. That said, couldn't an exploit simply turn off security updates? It sounds like this vuln has full access to everything on the phone.

> In the very rare cases you see actual 0-days used

But that's the issue--it's not a 0-day. It was publicized before the patch went out for millions of users. Was the patch force-updated for everyone else? If not, that number of unpatched users is probably an order of magnitude greater.

This isn't an issue of some state-level actors sitting on a secret 0-day, it's a use-it-or-lose-it moment for anyone who's heard about it straight from Google's mouth.

Full access to SMS 2FA and email accounts seems like everything. That gives you access to most people's bank accounts. You could search emails for crypto accounts and MITM non-SMS 2FA apps if you have root access to the phone. Sending money requests to contacts using real names. I could think of a million ways to use root access. I don't know the cost of exploiting this vulnerability, but I know that sort of access is valuable to a lot of people.

Why wouldn't this have been a gold rush to exploit by unsophisticated attackers? Maybe I'm missing something?




> Maybe Google could benefit from having you train customer service for a few days ;)

Customer service? What customer service? :P

> That said, couldn't an exploit simply turn off security updates?

Sure, but I was thinking more along the lines of if you have a widespread issue then people will write about it and how to restart the device to clear the infection, turn off remotely exploitable surface area, etc. For example I know a lot of people would turn off iMessage when the effective power stuff was going on since it was so easy to exploit and used widely to troll.

> Why wouldn't this have been a gold rush to exploit by unsophisticated attackers? Maybe I'm missing something?

Right, this isn’t a 0-day anymore, because Google knows about it. Some of the bugs also have patches available, making those effectively public. Apparently, some are not fixed yet and also easy to exploit, for which Project Zero has made a rare exception and not disclosed them.

In general, if an exploit remains unpatched for a while, it will actually start being exploited by opportunistic attackers. Some exploits are actually really easy to launch, because they are simple or someone left a PoC online. Those can and do get spammed en masse by things like ad networks and generic malware.

For more complex exploits, or partial patches, you’ll often need a sophisticated attacker to actually design the exploit once the bug is known. Those ones are not generally in the business of hacking a million people and trying to get their credit card information. Top vulnerability developers are frighteningly fast in how quickly they can make a working exploit out of a patch that they diffed. To my knowledge it’s more reliably lucrative and safer for them to sell it to people who use them for targeted attacks, so that’s what they do.

Anyways, here I suspect the answer is “the ones that are public are hard to exploit” and “the ones that are not public might actually be dangerous and were withheld for exactly that reason”.



