Ask HN: Are we entering a 0-click era?
Just finished reading Project Zero's sobering blog post on the NSO 0-click iOS exploit (see googleprojectzero.blogspot.com). If an integer overflow vulnerability in iMessage's GIF codec can be turned into a pretty much full-fledged 64-bit VM, then there's simply no trusting anything more sophisticated than a tin can phone. And even if you only use a basic feature phone, you can still be targeted by 0-click (e)SIM attacks (e.g. the ones targeting S@T browser or WIB and probably many more yet-to-be-discovered flaws). Plus all the (pseudo?)-lawfully backdoored layers (pretty sure it doesn't take less-than-democratic states more than a few threatening emails to the compliance department of most banks to be get access to their banking app).
Assuming that the number of 0-click exploits will increase with the complexity of our phones, do you think we're entering a great-equalizer-era where the tech-savvy political dissident has the same chance to avoid malware/interception as the novice? Or are there best practices to manage risk (compartmentalization, makeshift hardware switches, frequently changing/resetting devices, etc.)?
10 comments
[ 3.0 ms ] story [ 36.5 ms ] thread1. hardware switches for microphones, cameras
2. restrict when and what you connect to on your devices
3. using air gapped devices when necessary
4. use different devices for different activities
the list of course goes on and on. it depends on what your security needs are. Security does not end with software and hardware mitigation, it only begins there.
The situation has dramatically improved during the past 30 years, but so has reporting. It’s the improved reporting that makes it sound like as if the world is on fire.
Note that I'm specifically referring to the mobile phone industry (people in at-risk countries rarely have computers).
Would this get caught in an open source project? Significantly more likely.
Would this get caught by a company that relies on quality over marketing? Who knows.
People are shocked a company who has been selling low to medium quality products has a security issue. I'm not shocked.
But you're right, the fruit company could have been more careful in their implementation. I also believe FOSS provides better security (in theory at least). Not sure it works in practice (expert eyes are expensive).