Debunking fake stock Pixel OS vulnerability from an EDR company

Wired was manipulated into spreading misinformation to market Palantir and iVerify by misrepresenting a vulnerability in a disabled demo app as being a serious problem which could be exploited in the real world. They should retract the article but won’t.

iVerify are scammers and anyone paying them money should rapidly stop doing it and remove their malware from their devices. The real security risk is giving remote code execution on your devices to one of these sketchy EDR companies lying about their capabilities and discoveries.

This is one of multiple carrier apps in the stock Pixel OS which we don’t include in GrapheneOS. We were aware of it already since we had to go through them and figure out why they exist. We could embrace this fearmongering and leverage it for marketing, but we aren’t dishonest.

“iVerify vice president of research […] points out that while Showcase represents a concerning exposure for Pixel devices, it is turned off by default. This means that an attacker would first need to turn the application on in a target’s device before being able to exploit it.”

“The most straightforward way to do this would involve having physical access to a victim’s phone as well as their system password or another exploitable vulnerability that would allow them to make changes to settings. Google’s Fernandez emphasized this limiting factor as well.”

Wired should retract the article and explain how they’re going to do better. They keep publishing this kind of fearmongering misinformation from information security industry charlatans. There are real remote code execution flaws being fixed in Android and iOS but they push this.

GrapheneOS has gone through each of the carrier apps included on each Pixel generation to determine their purpose and the consequences of including or excluding them. Here it is being excluded from the new adevtool project for ProtonAOSP and GrapheneOS in 2021:

GrapheneOS has publicly posted about the carrier apps included on Pixels and their privileged permissions on numerous occasions. We talked about the ones which get enabled automatically based on using a SIM from a carrier rather than a disabled demo without an automatic trigger.

Here’s a thread from 2017 posted from our project’s previous Twitter account which was stolen in 2018:

Incredibly important to note that this thread directly involves the CEO of Trail of Bits that’s now claiming their iVerify team discovered these apps.

Stock Pixel OS no longer gives the same level of access to the active carrier. This disabled demo app was never a real part of the problem, but it was part of the apps we were referring to and excluding. We didn’t claim credit for discovering this when we became aware of it in 2015.

Dan Guido, CEO of the company behind iVerify, has repeatedly called out charlatans in the infosec industry. It’s incredibly hypocritical to use the same tactics and expect not to be held to the same standard. We’re not doing anything he hasn’t done himself many times before.

It’s ridiculous to falsely claim something is a backdoor and then get upset your EDR software remotely monitoring devices and opening up new security holes is called malware. An app running within an increasingly strict sandbox trying to defend devices is an unworkable approach.

Since this fits into a standard narrative pushed by mainstream news coverage, their dubious iVerify product will get a massive amount of free promotion from it. They should be criticized for claiming credit for discovering this when they didn’t and for misrepresenting it.

Someone linked this article, which does not take the claims from the company promoting itself at face value. That is far better than most of the news coverage, which got completely duped into believing in a completely fabricated threat:

Still not good enough.

Palantir is a mass surveillance company aiding with egregious human rights violations. The CEO of Trail of Bits, who is working with them, is a diehard Apple fanboy and has been dismissing GrapheneOS for years. Perhaps he works with Cellebrite and NSO too.

2 Likes

Calling iVerify scammers is a bit farfetched. Seeing how Graphene has harassed our project members in the past, I would keep in mind that they may have some personal vendetta.

13 Likes

Seems like bad code management if nothing else. Verizon denies it uses the software now, it was disabled by default, so why not just remove it? And “physical access needed” is a bit hypocritical, since people did criticize Signal for the vulnerability that also required special access. This is squarely on Google though, nothing on the GOS front.

Apparently iOS also has these carrier apps, but no one can actually test their vulnerabilities, since it’s all closed source. I guess one more point in favor of Android being open?

There is a very huge difference between an exploit requiring physical access to the device and any app or script being able to just steal your Signal keys.

There is also a huge difference in “this exploit can ONLY be exploited via physical access” and “one of the ways we discovered it can be exploited is physical access”. The latter means it’s still a vulnerability because not all access methods have been explored.

The GOS clarification implies the former; the actual reality is the latter. It’s fine to accept software has problems, not fine to undermine those problems just because it’s software I like.

1 Like

I can understand why they wrote that they are scammers. I also can understand that it is not so professional.
GrapheneOS uses Google Pixel in particular and takes care to maximize security.
Now an unknown company has found some kind of problem and is turning it around for advertising, probably for their product.

1 Like

They specifically mention why they claim this on the back of a nothingburger article pushing a marketing agenda:

  1. Stock Pixel OS no longer gives the same level of access to the active carrier.
  2. Guido, CEO of the company behind iVerify, has repeatedly called out charlatans in the infosec industry. It’s incredibly hypocritical to use the same tactics and expect not to be held to the same standard.
    • Ridiculous to falsely claim something is a backdoor and then get upset your EDR software remotely monitoring devices and opening up new security holes is called malware.
    • An app running within an increasingly strict sandbox trying to defend devices is an unworkable approach.
  3. Association with … Palantir.

I hate right-wing slogans, but: Facts don’t care about our feelings.

2 Likes

There’s a distinct difference between Fact and Truth. Most of the time when GrapheneOS is throwing a fit like this, it comes across like Truth that is being manipulated and presented as Fact to better tell THEIR narrative. If they didn’t have a history of baselessly going after people on a regular basis, it would be easier to believe them on things like this; as it is, this just feels like the pot calling the kettle black.

5 Likes

I think that is my issue with GrapheneOS. They go on strongly worded tirades about whoever they disagree with. Even if they are right, it is hard to want to side with them sometimes. I run Graphene daily, but their social presence (and what seems to be a sike from Daniel Micay stepping away from the project) makes it hard for me to want to tell people they should try it.

4 Likes

They’ve said, he didn’t step away from it. He just stepped down as the lead developer. He’s still deeply involved.

1 Like

What I meant by that is that it is known that Graphene has spun their opinions as fact to discredit our project, and with that, I am inclined to no longer blindly believe their statements writing someone off as a scammer.

I still believe in GrapheneOS as a project and will highly recommend it to many people, but that doesn’t mean I will tolerate harassment by certain individuals behind it. That’s all I am going to say about it.

8 Likes

Then whoever is in control of their socials seems to be on the same page as Daniel was when it comes to the overall voice of the project. Which doesn’t give me high hopes.

2 Likes

I have been using GrapheneOS for some time now. But the way they handle things throws me way off, and I find myself constantly looking into the possibility of going back to stock (I kind of understand Louis Rossmann’s stance… And by the way, he could have been a great help with the case against Google and its integrity checks).
Everyone is a “scammer” and a “charlatan”, but should they respond, then they are harassing the project. The narrative gets old quickly and I can’t take them seriously anymore.

Their new post about the Phone and SMS permissions, telling people to basically use other apps, doesn’t help either. I get not having the resources to implement a countermeasure, but leave it at that. GrapheneOS users are not stupid, and they would’ve used other apps if they had a choice.

1 Like

Even if they’re right? tbh, that’s a “you” problem.

I worked on AOSP and also taught a graduate course on Android security. If you’ll allow an argument from authority, Graphene’s claims that I highlighted above don’t strike me as “spin”.

Glass houses and all that. But I am with you on this. Though, in this particular instance, GrapheneOS has (fortunately or unfortunately) brought up valid concerns, imo.

3 Likes

You would need a privilege escalation vulnerability to even enable that app on Android. FYI those types of vulnerabilities are rare and expensive.

You didn’t need any vulnerabilities to steal Signal keys, any unsandboxed app or script could just access them. This wasn’t a vulnerability, it was just incompetence.

1 Like

I can agree with their points while also pointing out that the way they handle themselves publicly does not make them or the surrounding community look good, or even sane sometimes.

4 Likes

I like how instead of discussing facts in that post, people just talk shit about GrapheneOS, and when GrapheneOS responds, they’re the bad guys. Like, come on.

If I were a GrapheneOS project member and read the replies in this topic, I sure as hell wouldn’t be happy.

Let’s poke the bear, then complain when you piss the bear off.

2 Likes
1 Like

Their public history makes this a boy-who-cried-wolf scenario. They’re always following the same routine, so it makes it hard to know when to trust their social posts. Their normal routine when things like this happen: take the opportunity to attack people (iVerify and Palantir), claim they were slighted and found it first, and link to the 2017 Copperhead X post. It’s literally a repeating pattern with them. Of course the community is going to get tired of it; they need to back off of their socials a ton. Daniel stepping back either wasn’t enough, and they have a culture of behavior and reactions like this within the organization, or it was only claimed and not actually done. Either way, while their software contributions cannot be understated, they HAVE to tone back their public image or they’re going to just keep driving people away.

There are creators in the privacy and security space who can’t even talk about them without being told to stop. These creators now can’t recommend this software to people with their platforms all because GOS is throwing tantrums when anybody says anything negative about them.

It’s doing a disservice to the whole community.

3 Likes

GrapheneOS has done a stellar job of making my device more secure, allowing me to use 99% of the services I used before without having to jump through any hoops. The other 1% require a little bit of work, but it’s doable for me. I have no other option in terms of usability that does nearly as much as they do. I love the project. I am grateful for the work the contributors put in and plan on making a donation soon.

They are allowed to speak out when others are spreading misinfo or are wrong, however the manner in which they do it can be inflammatory sometimes. For probably the best privacy and security minded project technically speaking, they are subpar in my opinion when it comes to public communications.

6 Likes