"Polish media reports say Poland purchased Pegasus in 2017, using money from the so-called Justice Fund, which is meant to help the victims of crimes and to rehabilitate criminals." from the older 'scandals'.
I think it is in fact reasonable. Private persons are unlikely to have means/connections to acquire Pegasus while victims are all around EU, see another link below.
There are not many examples of the government hacking opposition politicians an en leaking damaging material to friendly "news" agencies for political gain
AFAIK all uses of Pegasus were conducted after an agreement (a warrant) was issued from Polish courts - which were in opposition to the PiS government. If I'm right about this, doesn't it mean this particular affair unnecessarily demonizes PiS?
Either way, I think it's very reasonable to *do* assume the worst of governments - as in we should strive to design the system to be able to withstand as much malice from people in power as possible.
I don't think it's accurate to say the courts were in opposition to the PS government. PiS appointed lots of their own judges in their years in power who often decided along lines that PiS wanted. The biggest example of course being the Constitutional Tribunal.
Sure there were judges who opposed PiS, but there were plenty who did not. This guy, who is now in Belarus, is an example of one of PiS's pet judges
"Civil society" implies the existence of uncivil people; it's good guys vs bad guys, not civilian vs military. If Ukraine targeted civilian organizations in Russia, the headline wouldn't call it an attack on "civil society" (but Russian media might.)
> "Civil society" implies the existence of uncivil people
It does not. You are conflating:
civil 2b: adequate in courtesy and politeness : MANNERLY
with
civil 4: of, relating to, or involving the general public, their activities, needs, or ways, or civic affairs as distinguished from special (such as military or religious) affairs
You're being naive. Propaganda often employs double meanings, subtext and implications. This kind of language would not be used if the actors were reversed.
Major public organizations and interest groups (such as the EFF, ACLU or AARP) that are independent from the state:
Civil society can be understood as the "third sector" of society, distinct from government and business, and including the family and the private sphere. By other authors, civil society is used in the sense of 1) the aggregate of non-governmental organizations and institutions that advance the interests and will of citizens or 2) individuals and organizations in a society which are independent of the government.
I believe Wikipedia has a good overview, in particular "the aggregate of non-governmental organizations and institutions that advance the interests and will of citizens" is probably the definition that best matches the one used in the article.
This kind of spying seems necessary and appropriate to me, provided it is done under the appropriate legal framework. The security concern with Russia and Belarus are self evident now, and the security concerns around hosting a large dissident population must be enormous. You don't want extremists within the dissident movements (it'd bad if the Putin assassination was planned on your soil), nor penetration of the dissident movement by foreign intelligence (it'd be a bad if the opposition leader got novichoked on your soil). I'm not sure how else to address these kinds of problems in society except with some kind of well regulated security apparatus (making the big assumption that it is well regulated here).
>I'm not sure how else to address these kinds of problems in society except with some kind of well regulated security apparatus (making the big assumption that it is well regulated here).
The whole populace being under surveillance is a much worse outcome than the chance of some politician being assassinated being relatively higher. Mass surveillance to prevent the latter seem absolutely in the worst interests of the average citizen; spying on people to protect the elites is what every nasty dictatorship does.
I don't think it's either necessary or appropriate for the government to be spying on its political opponents and then leaking damaging material to friendly "news" agencies
I think a lot of people are mis-seeing these Pegasus attacks as a problem of political will ("we need sanctions on NSO/Israel!") or memory safety ("rewrite it in Rust!") when there is a deeper problem: parser complexity.
Specifically, we're using context-sensitive and Turing-complete parsers up and down the software stack, which (at the Turing-complete level of complexity, says Gödel) guarantees that determined attackers can expect to discover an exploitable "weird machine."
Folks should watch this panel and other talks by Meredith L. Patterson (co-collaborator and wife of the late Len Sassaman) and Sergey Bratus (previously at DARPA, now Dartmouth) to get a sense of the problem and the solution.
These folks are saying that, just as the industry handled over-the-wire insecurity with TLS and e2ee (and not rolling our own crypto) we can handle device exploitability with well-described data and automated parser generation from those descriptions (and not rolling our own parsers, which these folks say should be verboten for the same reason as rolling one's own crypto: parsing is too hard for non-specialists to get right).
Moreover, we don't have to redo the whole stack for it to be meaningful: big players can start using this tooling (e.g. https://github.com/UpstandingHackers/hammer) for parsers handling data from very untrustworthy inputs, such as message payloads sent to a phone number.
Apple's Lockdown mode is a step in this direction, though in such a crude, "burn the village" way that it makes the phone almost unusable. But sacrificing usability shouldn't be necessary with current methods. If these folks can make safe parsers for PDF (https://www.darpa.mil/program/safe-documents) it should be possible for anything.
You've over-egged the pudding here: neither Gödel's incompleteness theorem, nor Rice's Theorem, guarantee that an algorithm in a certain complexity class will have exploitable defect. Rice's Theorem in particular suggests that it's unlikely one will be able to statically prove that such an algorithm has the properties it's designed to have. That should be enough to make anyone nervous.
I hope readers will be able to look past this one sentence in your post and take a good hard look at the rest of it, which is quite important.
Rice's Theorem, as all Free Lunch Theorems, is too pessimistic.
In real conditions, static analysis and theorem proving can verify lots of safety properties. See e.g. Astrée & Airbus, or F* and Project Everest.
IMHO, the solution is to use static analysis in conjunction with DSLs that have restricted semantics to make static analysis and hand-written proofs easy.
You're referring to verifying 'lots' of safety properties, I referred to verifying that an algorithm does everything it's supposed to. These are not the same thing in the general case.
My actual point was that generic incompleteness and undecidability theorems do not guarantee that any given program must be defective.
The thrust of langsec is in fact to parse all inputs at the boundaries, using algorithms with known properties, that is, ones where it's feasible to prove that they'll halt, won't overrun buffers, and so on.
The Gödel and computational complexity stuff is a bit out in the horizon, but the rest ain't wrong and is something that's getting a lot of (indirect) federal funding via the Secure Enclave/Trusted Execution Environment related research - and Bratus was one of the earlier people in the Trusted Computing space.
It is, but it's very expensive. That's why a lot of this research has been getting billions in funding for 10-15 years now in order to build out the underlying ecosystem needed to harden the entire stack
> Pegasus attacks as a problem of political will ... when there is a deeper problem: parser complexity.
There is a "problem of political will" but also the problem of stupid SW which tries very high to decode everything you throw at it.
Some time ago it was "file format not recognized", nowadays it is a root exploit.
from the article
"...there is also no evidence suggesting that Russia, Belarus, or Lithuania are Pegasus customers. Latvia appears to use Pegasus, but the country is also not known for targeting victims outside of its borders. ...., Estonia does appear to use Pegasus extensively outside their borders, including within multiple European countries. "
It would be very surprising to see Russia using Western tech such as Pegasus, you can't just outsource your spy tools to your enemies. They most likely have as powerful if not more technologies.
This whole NSO spectacle is more about the subversive BDS movement than a genuine care about political suppression and spying on the citizens.
If they could get their hands on Pegasus tools, their use might be ideal for Russia if for no other reason than because it would sow uncertainty and confusion.
It's like using GPS. Russians created Glonass because GPS is under US control and can be used to subvert their operations. Pegasus is linked to a West allied country and can be used to feed them false information.
Israel is very intertwined with the typical conception of "the West" via a very cozy relationship with the USA including billions in annual funding, and a great proportion of its citizens having roots in Europe and the USA.
Koloradka originally was tsarist Russia reward. Later it was revived by soviets in WW2, but not used much after the war. Then Putin revived it as a symbol of continuous history of tsarist Russian empire, USSR and his regime. Nowadays it's a symbol of modern Russian imperialism with a historical flavor.
In those parts of europe where both tsarist Russia and Soviet union were occupiers and now Putin is a threat, koloradka is pretty much on the same rank as nazi symbols.
> And big chunk of Israeli population has Russian/USSR origins.
Most of whom probably still remeber very well the moderate
Russian racism towards jews.
Also they probably would have stayed in Russia if they were happy with their government. Luckily Israel was one of the good ways to get out of the country if you had jewish roots.
Some do remember. Some just used some obscure grandpa's paper as a getaway card into a better-off country. With many of those grandpa's papers being forged.
Side note: Just checked are non-Android Linux OSes targeted by this spyware. Apparently, there's no public info in favor of such. So probably, nope. It looks mostly targeted against Android and iOS only.
Do you have any info why this CVE is still unpatched? It seems absolutely crazy, given it is known (of course, a lot of similar bugs may not be even known as of now). Virtualization and containerization-based approaches would be a go-to method for reducing potential surface affected by them - given this was in (g)libc, even Linux namespaces would've potentially resisted most of things which can be done with it. Not to mention light hypervisors with very minimalistic codebase like Xen.
My phone doesn't run Xen yet (I've ran into some problems with kexec() support in Linux on aarch64), but it runs KVM just fine ;)
> Do you have any info why this CVE is still unpatched
I'm not sure, but it's the tip of the iceberg. There are plenty of uncaught and unpatched vulnerabilities across all environments, and plenty that have not been reported because vendors like Zerodium will pay premiums for zero-days.
> Is what you're talking about Alpine-specific?
Yep! That's the point - vulnerabilities can be caught and known, but patching might not be provided, leaving environments open to attack.
> similar bugs may not be even known as of now). Virtualization and containerization-based approaches would be a go-to method for reducing potential surface affected by them
Virtualization as it is today is fairly vulnerable to escapes, but this is why the US Govt has been funding Secure Enclave/Trusted Execution research for 10-15 years now.
Basically, complex vuln-free code is highly unlikely to ever exist. That said, these are very difficult to exploit by some random attacker as these are fairly complex.
If you are at threat of being targeted by NSO Group or Zerodium enabled attacks, you are already on the radar of a country's Law Enforcement/Interior Ministry/Dept of Homeland Security/Intelligence Community and any attacks on your phone are the least of your worries.
Exports of these products are heavily regulated and require sign off from the government (eg. Israeli offensive security products like NSO's Pegasus require sign off from the Israeli MoD and PMO)
Your best solution is to buy a phone that is very well supported and constantly patched by the vendor (Apple, Google, higher model Samsung are fairly well maintained) as they will push critical patches if and when a vulnerability is found.
Feature phones and more generic smartphones won't have that level of support due to margin constraints.
> If you are at threat of being targeted by NSO Group or Zerodium enabled attacks, you are already on the radar of a country's Law Enforcement/Interior Ministry/Dept of Homeland Security/Intelligence Community and any attacks on your phone are the least of your worries.
Ah, you mean social engineering attacks and more powerful attacks relying completely outside of the cyberspace (to say more bluntly, which perfectly fits the case here, "in the meatspace"), right?
In terms of broadly-understood virtualization, there's always FPGA with its possibility to spawn multiple number of completely independent softcores. These days some FPGAs with enough computing power for well-optimized security-critical part of general-purpose computing (messaging, web browsing, maybe DSP - not computation like neural models) have fully open-source bitstream synthesis tools.
BTW, thanks a ton for letting me know about the unpatched vulnerability in Alpine. I'll talk to the pmOS guys about patching it.
> Ah, you mean social engineering attacks and more powerful attacks relying completely outside of the cyberspace (to say more bluntly, which perfectly fits the case here, "in the meatspace"), right
No. I mean actual unpatched vulnerabilities and exploits that haven't been published.
NVD is just the icing on the cake. Plenty of less scrupulous vendors like Zerodium, Crowdfense, NSO, etc have collected troves of exploits and vulnerabilities that have never been published, because they can pay 2-3x what bug bounty programs pay.
For example, NSO's Pegasus toolkit which has been operational for a decade but only remediated in the past couple months.
But it doesn't matter. If you've been targeted by adversary using one of those products, you are already very high profile and security theatre around your phone's security is basically useless if you don't have a security team to back you up.
> In terms of broadly-understood virtualization, there's always FPGA with its possibility to spawn multiple number of completely independent softcores. These days some FPGAs with enough computing power for well-optimized security-critical part of general-purpose computing
That's what Secure Enclave/Trusted Execution is in a nutshell, but it's progressed way past FPGAs (that was a late 2000s/early 2010s research area before moving up to CPUs and GPUs)
------------
Just stick with a common popular smartphone from a brand that makes sure to consistently be on top of patching and supportability.
It's about as safe a consumer computing device can be, and even nation states recognize that. Most leaders and politicans use common smartphones as well, but they are locked down with an MDM (this is BlackBerry/RIM's bread and butter now because they've deprecated phone manufacturing)
Why resort down to ad personam (the last two paragraphs)? These are not insults, but not valid arguments, either.
I know very well about Zerodium. However, FPGAs can be way more secure than any kind of ASICs. If you don't understand why, then I don't think further discussion is warranted. I worked with Apple's implementation of security enclaves, and they don't isolate (or "outsource" to be processed there) nearly as much as should be isolated. For example, whole display and touch input needs to go through the application processor, anyway. It's not a good way to go, to say the least. You can't overlay anything on the top of the display nor isolate touch input from some area (say, virtual keyboard) to go to the enclave. The rest of what it does is pretty meaningless, given these constraints.
I wasn't referencing Apple's Secure Enclave - I'm just using the new buzzword for "trusted computing"/trusted execution. Such at this thesis from Cal a couple years ago [0]
> However, FPGAs can be way more secure than any kind of ASICs
I agree with you! The issue is usability (and I guess it depends use case to use case). We gotta navigate a happy path between security and usability. Otherwise users will try to undermine security features.
This is an interesting convo tho. I'm going to favorite this for some thinking later.
> Why resort down to ad personam (the last two paragraphs)? These are not insults, but not valid arguments, either
That wasn't meant to be an ad personam, and if it was I apologize. It's literally was advice I'd give anyone who's worried.
Sure, but it runs Android Go (embedded Android) or KaiOS (embedded Linux) out of the box.
Any vulnerabilities that arises in Linux can also be weaponized on those OSes as well depending on when the OS image was deployed and whether or not the OEM supports upgrades and patches (generally they don't)
> Just checked are non-Android Linux OSes targeted by this spyware
It's safe to assume that any mobile phone OS will inevitably be targeted. There are always going to be unpatched and uncaught vulnerabilities, and the market for finding these vulns are very hot.
The bigger question is why do you think you'd be vulnerable to attack by a nation-state? If you are that prominent, you are screwed anyhow.
How would you define a "mobile OS" then, to keep the alignment of what you said, particularly this part: "There are always going to be unpatched and uncaught vulnerabilities"?
Everything which can fit into a pocket and has a HTML5 browser?
FYI, I know about how extremely vulnerable average cellular baseband is (and that it would often use unprotected or weakly protected DMA). Let's assume the device in question doesn't have one of these.
Just about every phone (smart or feature) is running some flavor of Unix (iOS/BSD for Apple, Android/Linux for most other smartphones, and KaiOS/Linux for feature phones).
The 1998 style Nokia brick is functionally non-existent as there is no financially viable demand for a product like that anymore.
The markets that are feature phone driven (much of Africa, poorer regions of South and Southeast Asia) are also heavily WhatsApp dependent, so the mobile OS needs to be lightweight but also support modern app functionality - which lends itself to the embedded Linux use case.
Also, no matter how much you modify and QA code, inevitably some bug will arise, and will be open to exploitation.
77 comments
[ 2.9 ms ] story [ 76.1 ms ] threadhttps://www.euractiv.com/section/politics/short_news/polish-...
At that moment it's safe to assume that all EU govs use Pegasus against the public in general.
https://www.dw.com/en/spain-court-reopens-investigation-in-p...
https://notesfrompoland.com/2023/12/18/polish-state-tv-order...
Law and justice are a particularly extreme example.
Either way, I think it's very reasonable to *do* assume the worst of governments - as in we should strive to design the system to be able to withstand as much malice from people in power as possible.
Sure there were judges who opposed PiS, but there were plenty who did not. This guy, who is now in Belarus, is an example of one of PiS's pet judges
https://notesfrompoland.com/2024/05/06/polish-judge-flees-to...
It does not. You are conflating:
civil 2b: adequate in courtesy and politeness : MANNERLY
with
civil 4: of, relating to, or involving the general public, their activities, needs, or ways, or civic affairs as distinguished from special (such as military or religious) affairs
https://www.merriam-webster.com/dictionary/civil
You can see that 'uncivil' does not include in its meanings an antonym of civil 4:
https://www.merriam-webster.com/dictionary/uncivil
https://en.wikipedia.org/wiki/Civil_society
The whole populace being under surveillance is a much worse outcome than the chance of some politician being assassinated being relatively higher. Mass surveillance to prevent the latter seem absolutely in the worst interests of the average citizen; spying on people to protect the elites is what every nasty dictatorship does.
It's not all or nothing as far as the words "legal framework" goes.
The problem is, when the vulns exist due to hand-rolled parsing, you don't get to choose who the attacker is.
https://notesfrompoland.com/2023/12/18/polish-state-tv-order...
This was a pretty clear and obvious abuse of the state apparatus against political opponents.
Specifically, we're using context-sensitive and Turing-complete parsers up and down the software stack, which (at the Turing-complete level of complexity, says Gödel) guarantees that determined attackers can expect to discover an exploitable "weird machine."
Folks should watch this panel and other talks by Meredith L. Patterson (co-collaborator and wife of the late Len Sassaman) and Sergey Bratus (previously at DARPA, now Dartmouth) to get a sense of the problem and the solution.
https://youtu.be/8tAxHrntBJs?t=806
These folks are saying that, just as the industry handled over-the-wire insecurity with TLS and e2ee (and not rolling our own crypto) we can handle device exploitability with well-described data and automated parser generation from those descriptions (and not rolling our own parsers, which these folks say should be verboten for the same reason as rolling one's own crypto: parsing is too hard for non-specialists to get right).
Moreover, we don't have to redo the whole stack for it to be meaningful: big players can start using this tooling (e.g. https://github.com/UpstandingHackers/hammer) for parsers handling data from very untrustworthy inputs, such as message payloads sent to a phone number.
Apple's Lockdown mode is a step in this direction, though in such a crude, "burn the village" way that it makes the phone almost unusable. But sacrificing usability shouldn't be necessary with current methods. If these folks can make safe parsers for PDF (https://www.darpa.mil/program/safe-documents) it should be possible for anything.
Another great talk: https://www.youtube.com/watch?v=3kEfedtQVOY
I hope readers will be able to look past this one sentence in your post and take a good hard look at the rest of it, which is quite important.
In real conditions, static analysis and theorem proving can verify lots of safety properties. See e.g. Astrée & Airbus, or F* and Project Everest.
IMHO, the solution is to use static analysis in conjunction with DSLs that have restricted semantics to make static analysis and hand-written proofs easy.
You're referring to verifying 'lots' of safety properties, I referred to verifying that an algorithm does everything it's supposed to. These are not the same thing in the general case.
My actual point was that generic incompleteness and undecidability theorems do not guarantee that any given program must be defective.
The thrust of langsec is in fact to parse all inputs at the boundaries, using algorithms with known properties, that is, ones where it's feasible to prove that they'll halt, won't overrun buffers, and so on.
> If these folks can make safe parsers for PDF (https://www.darpa.mil/program/safe-documents) it should be possible for anything
It is, but it's very expensive. That's why a lot of this research has been getting billions in funding for 10-15 years now in order to build out the underlying ecosystem needed to harden the entire stack
There is a "problem of political will" but also the problem of stupid SW which tries very high to decode everything you throw at it. Some time ago it was "file format not recognized", nowadays it is a root exploit.
It would be very surprising to see Russia using Western tech such as Pegasus, you can't just outsource your spy tools to your enemies. They most likely have as powerful if not more technologies.
This whole NSO spectacle is more about the subversive BDS movement than a genuine care about political suppression and spying on the citizens.
Israel is very lenient towards Russia.
What's the significance of wearing Koloradka? It looks like something christian priests wear, I don't think I understand.
In those parts of europe where both tsarist Russia and Soviet union were occupiers and now Putin is a threat, koloradka is pretty much on the same rank as nazi symbols.
Most of whom probably still remeber very well the moderate Russian racism towards jews.
Also they probably would have stayed in Russia if they were happy with their government. Luckily Israel was one of the good ways to get out of the country if you had jewish roots.
Anyway, Alpine seem to use musl instead of glibc.
This is a classic example I use when explaining the need for SBOMs and Software Supply Chain Security to non-software C-suite.
My phone doesn't run Xen yet (I've ran into some problems with kexec() support in Linux on aarch64), but it runs KVM just fine ;)
However, it seems that in Debian it's patched https://security-tracker.debian.org/tracker/CVE-2015-0235 . Is what you're talking about Alpine-specific?
I'm not sure, but it's the tip of the iceberg. There are plenty of uncaught and unpatched vulnerabilities across all environments, and plenty that have not been reported because vendors like Zerodium will pay premiums for zero-days.
> Is what you're talking about Alpine-specific?
Yep! That's the point - vulnerabilities can be caught and known, but patching might not be provided, leaving environments open to attack.
> similar bugs may not be even known as of now). Virtualization and containerization-based approaches would be a go-to method for reducing potential surface affected by them
Virtualization as it is today is fairly vulnerable to escapes, but this is why the US Govt has been funding Secure Enclave/Trusted Execution research for 10-15 years now.
Basically, complex vuln-free code is highly unlikely to ever exist. That said, these are very difficult to exploit by some random attacker as these are fairly complex.
If you are at threat of being targeted by NSO Group or Zerodium enabled attacks, you are already on the radar of a country's Law Enforcement/Interior Ministry/Dept of Homeland Security/Intelligence Community and any attacks on your phone are the least of your worries.
Exports of these products are heavily regulated and require sign off from the government (eg. Israeli offensive security products like NSO's Pegasus require sign off from the Israeli MoD and PMO)
Your best solution is to buy a phone that is very well supported and constantly patched by the vendor (Apple, Google, higher model Samsung are fairly well maintained) as they will push critical patches if and when a vulnerability is found.
Feature phones and more generic smartphones won't have that level of support due to margin constraints.
Ah, you mean social engineering attacks and more powerful attacks relying completely outside of the cyberspace (to say more bluntly, which perfectly fits the case here, "in the meatspace"), right?
In terms of broadly-understood virtualization, there's always FPGA with its possibility to spawn multiple number of completely independent softcores. These days some FPGAs with enough computing power for well-optimized security-critical part of general-purpose computing (messaging, web browsing, maybe DSP - not computation like neural models) have fully open-source bitstream synthesis tools.
BTW, thanks a ton for letting me know about the unpatched vulnerability in Alpine. I'll talk to the pmOS guys about patching it.
No. I mean actual unpatched vulnerabilities and exploits that haven't been published.
NVD is just the icing on the cake. Plenty of less scrupulous vendors like Zerodium, Crowdfense, NSO, etc have collected troves of exploits and vulnerabilities that have never been published, because they can pay 2-3x what bug bounty programs pay.
For example, NSO's Pegasus toolkit which has been operational for a decade but only remediated in the past couple months.
But it doesn't matter. If you've been targeted by adversary using one of those products, you are already very high profile and security theatre around your phone's security is basically useless if you don't have a security team to back you up.
> In terms of broadly-understood virtualization, there's always FPGA with its possibility to spawn multiple number of completely independent softcores. These days some FPGAs with enough computing power for well-optimized security-critical part of general-purpose computing
That's what Secure Enclave/Trusted Execution is in a nutshell, but it's progressed way past FPGAs (that was a late 2000s/early 2010s research area before moving up to CPUs and GPUs)
------------
Just stick with a common popular smartphone from a brand that makes sure to consistently be on top of patching and supportability.
It's about as safe a consumer computing device can be, and even nation states recognize that. Most leaders and politicans use common smartphones as well, but they are locked down with an MDM (this is BlackBerry/RIM's bread and butter now because they've deprecated phone manufacturing)
I know very well about Zerodium. However, FPGAs can be way more secure than any kind of ASICs. If you don't understand why, then I don't think further discussion is warranted. I worked with Apple's implementation of security enclaves, and they don't isolate (or "outsource" to be processed there) nearly as much as should be isolated. For example, whole display and touch input needs to go through the application processor, anyway. It's not a good way to go, to say the least. You can't overlay anything on the top of the display nor isolate touch input from some area (say, virtual keyboard) to go to the enclave. The rest of what it does is pretty meaningless, given these constraints.
I wasn't referencing Apple's Secure Enclave - I'm just using the new buzzword for "trusted computing"/trusted execution. Such at this thesis from Cal a couple years ago [0]
> However, FPGAs can be way more secure than any kind of ASICs
I agree with you! The issue is usability (and I guess it depends use case to use case). We gotta navigate a happy path between security and usability. Otherwise users will try to undermine security features.
This is an interesting convo tho. I'm going to favorite this for some thinking later.
> Why resort down to ad personam (the last two paragraphs)? These are not insults, but not valid arguments, either
That wasn't meant to be an ad personam, and if it was I apologize. It's literally was advice I'd give anyone who's worried.
[0] - https://www2.eecs.berkeley.edu/Pubs/TechRpts/2021/EECS-2021-...
Sure, but it runs Android Go (embedded Android) or KaiOS (embedded Linux) out of the box.
Any vulnerabilities that arises in Linux can also be weaponized on those OSes as well depending on when the OS image was deployed and whether or not the OEM supports upgrades and patches (generally they don't)
It's safe to assume that any mobile phone OS will inevitably be targeted. There are always going to be unpatched and uncaught vulnerabilities, and the market for finding these vulns are very hot.
The bigger question is why do you think you'd be vulnerable to attack by a nation-state? If you are that prominent, you are screwed anyhow.
This article by Mickens is fairly accurate [0]
[0] - https://scholar.harvard.edu/files/mickens/files/thisworldofo...
Everything which can fit into a pocket and has a HTML5 browser?
FYI, I know about how extremely vulnerable average cellular baseband is (and that it would often use unprotected or weakly protected DMA). Let's assume the device in question doesn't have one of these.
Just about every phone (smart or feature) is running some flavor of Unix (iOS/BSD for Apple, Android/Linux for most other smartphones, and KaiOS/Linux for feature phones).
The 1998 style Nokia brick is functionally non-existent as there is no financially viable demand for a product like that anymore.
The markets that are feature phone driven (much of Africa, poorer regions of South and Southeast Asia) are also heavily WhatsApp dependent, so the mobile OS needs to be lightweight but also support modern app functionality - which lends itself to the embedded Linux use case.
Also, no matter how much you modify and QA code, inevitably some bug will arise, and will be open to exploitation.
https://www.versobooks.com/en-ca/products/2684-the-palestine...