Zero-Click Root on Pixel 10, Post-Quantum Crypto Goes Default, and YouTube Fights Deepfakes for Everyone
This week in tech felt like a pendulum swing between breakthrough and breach — and in several cases, both at once.
Google's own security elite demonstrated they could achieve root access on a Pixel 10 with zero clicks using just five lines of exploit code. Erlang shipped a major release that makes post-quantum cryptography the default for all SSL connections. YouTube opened its AI-powered deepfake detector to every adult user, weaponizing facial recognition against the very technology that created the problem. Meanwhile, an AI voice startup quietly became a $500 million company after winning a high-stakes bakeoff against 40 competitors for Amazon Ring's infrastructure, and the U.S. Senate took its most significant step yet toward regulating digital assets with bipartisan support.
Five stories. One theme: the digital world is arming itself — on every front, at every layer — and the race between offense and defense has never been more visible.
The Pixel 10 Exploit: Five Lines to Root
Google Project Zero — the company's own elite security research team — published a full exploit chain demonstrating a complete 0-click attack path to root access on the Pixel 10. The chain exploits two vulnerabilities: an updated variant of the Dolby media decoder flaw (CVE-2025-54957) and a previously unknown vulnerability in the VPU driver of the Tensor G5 chip.
The VPU driver bug is particularly alarming. Its mmap function lacked bounds checking entirely, allowing an attacker to map the device's entire physical memory — including the kernel image — into userspace. Project Zero noted the full exploit required fewer than five lines of actual code and less than a day to develop from start to finish. Google patched the issues within 71 days, an improvement over their historical 90-plus day remediation window, but Project Zero pointed out these same classes of bugs existed in the Pixel 9 driver — developed by the same team.
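The bug class described above, as an added example: a userspace C model of the range check an mmap handler has to perform before mapping device memory. This is not the Tensor G5 VPU driver's code or Project Zero's; the struct names, the function names and the 64 KiB buffer are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12u

/* Hypothetical device buffer a driver exposes through mmap (constructed values). */
struct dev_region { uint64_t phys_base; uint64_t size; };

/* The caller-controlled fields an mmap handler sees (names mirror Linux's vma). */
struct map_request { uint64_t vm_start, vm_end, vm_pgoff; };

/* No validation: the end of the mapping is whatever the caller asked for. */
static uint64_t unchecked_map_end(const struct dev_region *r,
                                  const struct map_request *q)
{
    return r->phys_base + (q->vm_pgoff << PAGE_SHIFT) + (q->vm_end - q->vm_start);
}

/* Validated: 0 and *phys set only if the whole request lies inside the region. */
static int checked_map(const struct dev_region *r, const struct map_request *q,
                       uint64_t *phys)
{
    if (q->vm_end <= q->vm_start)
        return -1;                               /* empty or inverted range */
    uint64_t len = q->vm_end - q->vm_start;
    if (q->vm_pgoff > (UINT64_MAX >> PAGE_SHIFT))
        return -1;                               /* page offset would overflow */
    uint64_t off = q->vm_pgoff << PAGE_SHIFT;
    if (off >= r->size || len > r->size - off)
        return -1;                               /* starts or ends past the buffer */
    *phys = r->phys_base + off;
    return 0;
}

/* Constructed sample: a 64 KiB buffer and three requests against it. */
static const struct dev_region REGION = { 0x90000000ull, 0x10000ull };
static const struct map_request REQ_OK   = { 0x7000000000ull, 0x7000004000ull, 2 };
static const struct map_request REQ_LONG = { 0x7000000000ull, 0x7010000000ull, 0 };
static const struct map_request REQ_WRAP = { 0x7000000000ull, 0x7000001000ull, UINT64_MAX };

int main(void)
{
    uint64_t phys = 0;
    printf("ok:   %d\n", checked_map(&REGION, &REQ_OK, &phys));
    printf("long: %d (unchecked end %#llx, buffer ends %#llx)\n",
           checked_map(&REGION, &REQ_LONG, &phys),
           (unsigned long long)unchecked_map_end(&REGION, &REQ_LONG),
           (unsigned long long)(REGION.phys_base + REGION.size));
    printf("wrap: %d\n", checked_map(&REGION, &REQ_WRAP, &phys));
    return 0;
}
```

The length comparison is written as `len > r->size - off` rather than `off + len > r->size` so that a large offset cannot wrap the sum back into range.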
This disclosure arrives just weeks after Dirty Frag exposed a Linux zero-day affecting all major distributions, reinforcing a troubling pattern: the low-level drivers and firmware that form computing's foundation remain the weakest link in the security chain, regardless of how sophisticated the operating systems running above them have become.
Erlang/OTP 29: Post-Quantum by Default
On the defensive side of the ledger, Erlang/OTP 29.0 shipped on May 13 with a landmark security feature: the post-quantum hybrid key exchange algorithm x25519mlkem768 is now the most preferred key exchange group in the default SSL configuration. This means every new Erlang system — without any code changes — will negotiate post-quantum-protected connections by default.
The release also introduces Native Records (EEP-79), a long-requested language feature that gives records first-class type status in the Erlang type system, along with multi-valued comprehensions (EEP-78) and hardened SSH defaults that disable shell and exec services unless explicitly enabled. The combination of post-quantum crypto defaults and secure-by-default SSH configuration sends a clear signal: Erlang is treating the post-quantum transition not as a future concern, but as a present-day requirement.
For a language that powers telecom infrastructure, messaging systems, and financial trading platforms worldwide, this default shift matters. Organizations that might otherwise push post-quantum migration to the bottom of their backlog will inherit quantum-resistant encryption automatically the next time they upgrade. As explored in our earlier coverage of zero-trust security models in the AI era, proactive defense is rapidly becoming the only viable strategy.
YouTube Brings AI Deepfake Detection to the Masses
YouTube announced it is expanding its AI-powered likeness detection tool to all users aged 18 and older, according to The Verge. Previously, the tool — which scans uploaded content for facial matches against a user's selfie — was available only to creators, public figures, journalists, and celebrities. Now, any adult with a YouTube account can submit a facial scan and request the removal of content that uses their likeness without consent.
The expansion represents a meaningful escalation in the platform's response to the deepfake epidemic. As generative AI makes it trivially easy to create convincing synthetic video, the problem is no longer confined to public figures. Ordinary people — educators, business professionals, private individuals — increasingly find themselves targets of non-consensual AI-generated content. YouTube's move effectively democratizes a tool that was once reserved for those with influence or resources.
Of course, the approach isn't without tension. Biometric facial scanning at scale raises privacy questions of its own, and the accuracy of likeness detection systems remains an active area of research. But as a practical response to a rapidly growing threat, YouTube's decision to go broad rather than stay narrow reflects the reality that deepfake abuse has moved well beyond the celebrity sphere.
Vapi's $500 Million Valuation: The AI Voice Infrastructure Wars
In the startup world, the battle for AI voice infrastructure reached a new inflection point. San Francisco-based Vapi secured a $50 million Series B from Peak XV Partners (with participation from Microsoft M12 and Kleiner Perkins), pushing its valuation to $500 million. The catalyst: Amazon Ring evaluated more than 40 AI voice vendors before selecting Vapi as its platform of choice, now routing 100% of its inbound calls through Vapi's system.
The numbers behind the deal are striking. Vapi has processed over one billion calls, with daily volumes ranging between one and five million. Its enterprise business has grown tenfold since early 2025. The company differentiates itself through infrastructure-level control over AI agent behavior — granular voice synthesis parameters, call flow management, and real-time intervention capabilities that go beyond what competitors like Sierra or Bland offer.
Vapi's trajectory reflects a broader shift in the AI voice market: enterprise customers aren't just buying voice bots anymore. They're investing in programmable voice infrastructure that can be deeply customized for specific verticals — from customer support to sales enablement to emergency dispatch. As we've noted in our analysis of the AI agent framework wars, the companies winning in this space aren't those with the flashiest demos, but those building the deepest, most controllable infrastructure layers.
The CLARITY Act: Bipartisan Crypto Regulation Finally Advances
In regulatory news, the U.S. Senate Banking Committee advanced the Digital Asset Market Clarity Act of 2025 (H.R. 3633) in a historic bipartisan vote of 15-9, according to Chairman Tim Scott's office. The legislation aims to establish clear jurisdictional boundaries between the SEC and CFTC for regulating digital assets and commodities — a structural ambiguity that has plagued the crypto industry for years.
Chairman Scott framed the vote as evidence that Washington can still function across party lines: "We had a serious debate, worked through real differences, and came together around a shared goal: protecting consumers, supporting innovation, and keeping the future of finance in America." The bill now moves to the Senate floor for a full vote.
The advancement is significant not just for crypto markets but for the broader tech regulatory landscape. For years, the absence of clear federal digital asset rules has created a regulatory vacuum filled by aggressive enforcement actions, contradictory agency claims, and jurisdictional confusion. The CLARITY Act, if passed, would provide the first comprehensive federal framework for classifying and regulating digital assets — a development with implications far beyond cryptocurrency, touching on everything from stablecoin issuance to tokenized real-world assets.
The Takeaway
What connects these five stories isn't just their timing — it's the underlying dynamic. The attack surface of the digital world is expanding at every layer simultaneously. Hardware (Pixel 10), cryptography (post-quantum defaults), identity (deepfake detection), infrastructure (AI voice platforms), and regulation (CLARITY Act) are all being contested, hardened, or redefined in real time.
The companies and developers who will thrive in this environment are those who treat security and compliance not as afterthoughts, but as foundational design constraints. Erlang's post-quantum default is a template: bake the defense in from day one, and let the ecosystem inherit it. The alternative — patching after the breach, regulating after the crash — is a strategy whose costs are growing faster than anyone can afford.