23Sha-ger We are talking strictly about Pixel here. Your argument overlooks several technical realities and known research, especially in the context of Pixel devices and how Wi-Fi vulnerabilities have been exploited in the field. I never claimed anything else.
You’re right that tools like WiFi Pineapple are consumer-grade and often used in red teaming. But that doesn't mean they’re irrelevant. Rogue APs, deauth attacks, and probe-response exploits aren’t about getting root in one click — they’re about establishing a foothold. A foothold that, when combined with other bugs (like in firmware), can and has led to complete compromise.
It’s incorrect to say you can't deliver a payload to a Pixel via Wi-Fi. You absolutely can if a vulnerable driver or firmware component is listening. Let’s not forget: Wi-Fi firmware often parses frames before the OS sees them, which makes pre-auth RCEs especially dangerous.
You dismissed Broadpwn (CVE-2017-9417) as outdated, but here's the reality: that exact bug class is still being found. Just because CVE-2019-9503 didn’t affect Android doesn’t mean others haven’t. What about:
CVE-2020-3702: Wi-Fi firmware heap overflow (affected Broadcom and Qualcomm chips, still relevant today)
CVE-2022-22038: Qualcomm WLAN host vulnerability
CVE-2023-33043: which affected Android's Wi-Fi subsystem and allowed for privilege escalation?
Even more recent patches (look at AOSP monthly security bulletins) still fix critical bugs in Wi-Fi subsystems that run before Android's SELinux sandboxing even kicks in. As for Pixels, they have great app sandboxing and hardware isolation via pKVM and IOMMU. That’s exactly why attackers look at external vectors like Wi-Fi. Firmware on Broadcom chips is opaque, proprietary, and often lacks full exploit mitigations like CFI or stack canaries. That means driver and firmware fuzzing — especially over SDIO or PCIe — remains a fruitful attack surface.
And on the topic of NSO or Paragon "never using Wi-Fi" — you’re making an assumption. Just because their flagship exploits used iMessage or WhatsApp doesn’t mean they ignore Wi-Fi. They go where the attack surface is weakest. If tomorrow Broadcom's firmware has a zero-click buffer overflow over probe requests (again), you can bet they'll jump on it, especially if it’s pre-auth, which Wi-Fi allows in ways WhatsApp does not.
So, cellular attacks are harder than you imply. And Wi-Fi attacks are easier than you think — especially when firmware lacks memory protections and runs with high privileges outside of the OS's visibility. That’s not hypothetical — it's history. But to get back to NSO with Pegasus. These are used for targeted mass attacks. They aren't trying to compromise single devices like TAO (Tailored Access Operations), for example.
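An added example, not part of the post above and not code from any vendor's firmware: the overflow class the post describes comes from trusting the length byte of an 802.11 information element in a frame received before authentication. This sketch shows the two checks a parser needs (declared length against the bytes actually received, and against the destination buffer); the function names and sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID  0   /* element ID 0 carries the SSID */
#define SSID_MAX 32  /* maximum SSID length in 802.11 */

/* Constructed sample inputs (not captured traffic): id, len, data... */
static const uint8_t ok_ies[] = { 0x00, 0x04, 'h', 'o', 'm', 'e', 0x01, 0x01, 0x82 };
static const uint8_t overrun_ies[] = { 0x01, 0x01, 0x82, 0x00, 0x20, 'a', 'b' };
static const uint8_t oversize_ies[35] = { 0x00, 0x21 }; /* SSID claims 33 bytes */

/* Return a pointer to element `id`, or NULL if it is absent or if any
 * element before it claims more bytes than the buffer holds. */
static const uint8_t *ie_find(const uint8_t *buf, size_t len, uint8_t id)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 2)            /* truncated element header */
            return NULL;
        size_t elen = buf[off + 1];
        if (elen > len - off - 2)     /* declared length overruns the frame */
            return NULL;
        if (buf[off] == id)
            return buf + off;
        off += 2 + elen;
    }
    return NULL;
}

/* Copy the SSID into a fixed buffer; returns its length or -1 on rejection. */
static int ie_copy_ssid(const uint8_t *buf, size_t len, char out[SSID_MAX + 1])
{
    const uint8_t *ie = ie_find(buf, len, IE_SSID);
    if (ie == NULL)
        return -1;
    size_t elen = ie[1];
    if (elen > SSID_MAX)              /* check the destination, not only the source */
        return -1;
    memcpy(out, ie + 2, elen);
    out[elen] = '\0';
    return (int)elen;
}

int main(void)
{
    char ssid[SSID_MAX + 1];
    printf("ok=%d ", ie_copy_ssid(ok_ies, sizeof ok_ies, ssid));
    printf("overrun=%d ", ie_copy_ssid(overrun_ies, sizeof overrun_ies, ssid));
    printf("oversize=%d\n", ie_copy_ssid(oversize_ies, sizeof oversize_ies, ssid));
    return 0;
}
```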