What a weird argument. So if the law enforcement of your country uses this technique to unlock your phone without your permission(or you know, some criminal does that), that's your fault for using a Pixel phone? You should have known better than you know, buying a phone from one of the largest software houses on the planet?
So let me rephrase my question - what part of the blame should be assigned to the victim here, if their "fault" was buying a phone made and marketed by one of the largest and most well known software developers on the planet?
Also, this is an interesting discussion in general. If someone forgets to lock their door and a thief gets in and robs them, do you think it's fair to "blame" the person who forgot to lock their door? Or do you think that maybe we should recognize that 100% of the blame should be on you know, the person doing the robbing?
I agree that there's not any significantly better phone options, but no I would not place 100% of the blame on the robber. When we're talking about possessions, theft is a reasonably foreseeable consequence and not an outrageous action, so the owner can get a small slice of blame.
> If someone forgets to lock their door and a thief gets in and robs them, do you think it's fair to "blame" the person who forgot to lock their door?
No, but let's say they've bought from a manufacturer who is not most well known for their lock mechanisms, wouldn't it be the user's responsibility to find a better alternative? You're to be held accountable for your part.
You're making the assumption that the average person thinks Google employs the “most well known software developers on the planet” – that's your subjective take, not anything close to common knowledge
I disagree with this. There isn't a consumer-level alternative to the security provided by a pixel if you want to use a cell phone right now. I guess you can argue that the iphone is better, but without a specific threat model to discuss, it's like arguing mountain dew is not healthy so you should drink dr. pepper.
iOS has had many flaws this bad or worse, so what would you have people use?
I agree current gen smartphones should not trusted for high risk uses but the reality is, they are. There are staggering numbers of people using their phones for banking, crypto trading, or to transmit sensitive information that could collapse markets or start wars.
Also consider not all journalists or dissidents get a choice in what phone they can afford.
Security issues like this can be life or death, and security researchers must sometimes -force- companies to treat them as such.
There have been MANY such attacks against the iPhone (and every other device), most of them against the biometrics mechanisms, which tend to be pretty weak as a matter of first principles. Add to that the persistent hints/rumors/claims of gray market unlock/rooting kits available to large entities. Phones just aren't that secure, though they're much more so than they were a decade ago. Security vs. physical access is an extremely hard nut to crack, it's only been in the last few years that we genuinely thought it was even possible.
Fooling a biometric sensor is precisely a lock screen bypass, that's what the biometrics are for. By that logic the linked bug was "fooling the SIM security layer" and not a "lock screen bypass". Don't play that game, it's bad logic and bad security practice.
But it’s a fundamentally different type of security bug: these biometrics bypasses require knowing something about the user (lift a fingerprint, picture of a face, etc).
I see this as a different class: I can grab an unknown person’s Pixel they left in a coffee shop and get into it.
Zerodium brokers sales of iOS FCP Zero Click for $2m. I expect they sell to people like Cellebrite who can make a profit selling expensive unlocks and keeping the vuln secret.
