@MWelchUK @neil The problem is, you don't have to find an exploit on a properly updated device, you have to find an exploit on a device that you control, with an OS version that provides PCR values that the remote attestation thing trusts in building its chain of trust. That's a much easier problem, because you can usually use publicly disclosed vulnerabilities, often ones with PoCs attached to the disclosure.

Linux averages one CVE per 1.5 days. How hard do you think it is to find a local privilege elevation that can compromise an Android kernel or part of the attestation infrastructure?
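Added example, not part of the original post: a verifier-side sketch of the point above, showing that an allowlist of every PCR value ever published accepts genuine measurements from old, unpatched builds unless the policy also enforces a minimum patch level. The build names, components, dates and the `verify` function are constructed for illustration, and the quote's signature and nonce are assumed to have been checked already.

```python
import hashlib
from datetime import date
from typing import Optional

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def boot_pcr(components) -> bytes:
    """Replay a boot chain into one PCR that starts at all zeroes."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr

# Constructed reference data: build name -> (measured components, patch date).
BUILDS = {
    "os-1.0": ([b"bootloader-a", b"kernel-1.0"], date(2022, 1, 5)),
    "os-1.1": ([b"bootloader-a", b"kernel-1.1"], date(2023, 6, 5)),
    "os-1.2": ([b"bootloader-b", b"kernel-1.2"], date(2024, 3, 5)),
}
# What the verifier stores: expected PCR value -> (build name, patch date).
REFERENCE = {boot_pcr(c): (name, patched) for name, (c, patched) in BUILDS.items()}

def verify(quoted_pcr: bytes, min_patch: Optional[date] = None):
    """Return (accepted, reason) for a PCR value taken from a verified quote.

    min_patch=None trusts every build ever released, so a device running an
    old build with public vulnerabilities still attests successfully.
    Setting min_patch rejects such builds even though the measurement is
    genuine and matches a reference value.
    """
    entry = REFERENCE.get(quoted_pcr)
    if entry is None:
        return False, "unknown measurement"
    name, patched = entry
    if min_patch is not None and patched < min_patch:
        return False, f"{name} is below the minimum patch level"
    return True, f"{name} accepted"

if __name__ == "__main__":
    old_build = boot_pcr(BUILDS["os-1.0"][0])
    print(verify(old_build))                    # allowlist only
    print(verify(old_build, date(2024, 1, 1)))  # allowlist + patch floor
```

A patch floor only narrows the window: any accepted build with an unpatched flaw is still trusted until the floor moves past it.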