"Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user"

Haven't we learned our lesson on this? Don't read and act on my sms messages without me asking you to!

This makes me feel better about Google, but also makes me kind of frightened of the rest of Android. I wonder what Apple's response time is?

Feels like there’s something new every other day - linux, windows, mobile, various commonplace tools used by everybody, the list goes on

```

does this look right to you? don't do any searches or check memory, just think through first principles

static int vpu_mmap(struct file fp, struct vm_area_struct vm) { unsigned long pfn; struct vpu_core core = container_of(fp->f_inode->i_cdev, struct vpu_core, cdev); vm_flags_set(vm, VM_IO | VM_DONTEXPAND | VM_DONTDUMP); / This is a CSRs mapping, use pgprot_device */ vm->vm_page_prot = pgprot_device(vm->vm_page_prot); pfn = core->paddr >> PAGE_SHIFT; return remap_pfn_range(vm, vm->vm_start, pfn, vm->vm_end-vm->vm_start, vm->vm_page_prot) ? -EAGAIN : 0; }

```

And it correctly identified the issue at hand, without web searches. I'd love to try something more comprehensive, e.g. shoving whole chunks of the codebase into the prompt instead of just the specific function, but it seems the latent ability to catch security exploits is there.

So then.... I wonder how this got out in the first place. I know I'm using a toy example but would love to learn more!

It does make me scared for what other dangers lurk since this was a really bad one and it was so little work to find.

Also of note: so many security issues lately have been done using AI. This report makes me think two things:

1. Expertise is still immensely valuable, the more niche, the more valuable.

2. There are lots of niches still where AI doesn't dominate...

OpenBSD fixed this back in 2017.

Now imagine the dark horrors hiding in the BSPs of other Android devices... or embedded devices in general.

Frankly, it should be a requirement of Google's certification process that everything regarding drivers gets upstreamed into the Linux kernel. Yes, even if this adds quite a time delay to the usual hardware development process.