‘Holy Grail’—Google Hackers Discover Pixel 10 Zero-Click Exploit Chain
Back in January, the Google hackers known as Project Zero detailed a zero-click exploit chain for the Pixel 9. Now the same team, tasked by Google itself to study zero-day vulnerabilities in hardware and software, has disclosed that it was able to write a similar exploit chain for the Pixel 10 using what it has labeled the Holy Grail of kernel vulnerabilities. The good news is that the Pixel 10 vulnerability was patched in the February Pixel security bulletin, some 71 days after Project Zero reported it through the Android Vulnerability Rewards Program. Now Project Zero has gone public and told the story of how they did it.
Google Hackers Use Zero-Click Exploit To Escalate Pixel 10 Privileges To Root
“Achieving arbitrary read-write on the kernel with this vulnerability required 5 lines of code, and writing a full exploit for this issue required less than a day of effort,” Project Zero’s Seth Jenkins said in a May 13 disclosure. Calling the security bug at the heart of the report “the Holy Grail of kernel vulnerabilities,” Jenkins went on to warn that it enabled an attacker to be able to “simply overwrite any kernel function to gain kernel code execution - or indeed any primitive one might desire.”
If you think of a hacker, you likely immediately jump to the wrong conclusion and conjure up an image of a cybercriminal or state-sponsored actor wreaking havoc. The truth is, however, that the vast majority of hackers are law-abiding folk, doing what they do to improve the security of your devices and software. Sure, some take the wrong approach, as with the recent angry Windows hacker reports, but most vulnerability hunters responsibly disclose what they find to the vendor involved. The Windows 11 and Microsoft Exchange zero-days that have been found during the Pwn2Own Berlin event are such an example; another is the Project Zero team at Google.
Established in 2014, the Project Zero team comprises security researchers from Google, tasked with studying zero-day vulnerabilities in hardware and software systems from their employer and others.
Jenkins admitted that there were both positives and negatives to take from the latest research. On the plus side, the handling of the vulnerability demonstrated “clear progress in Android’s triage pipeline,” the Google hacker said, as the initial remediation took less time than it did for the previous related issue. “Android’s effort to ensure that serious vulnerabilities are patched efficiently will help protect many Android devices,” Jenkins said. On the downside, however, Jenkins admitted that there is an ongoing need for exhaustive, robust and security-aware code in Android drivers. Following the initial BigWave driver bug disclosures, Jenkins had hoped they would prompt the vendor’s developers to evaluate their other drivers for security issues. But, as Jenkins pointed out, “5 months later we nevertheless found a serious and extremely shallow vulnerability in their VPU driver that was instantly noticeable with even a cursory audit of the codebase.” As such, Google Project Zero is strongly encouraging vendors to improve their proactive software development practices to prevent these kinds of vulnerabilities from ever reaching end users.