What? Client-side and server-side has two completely different sets of hash "meant to verify that the image is an actual match or just a false positive"? Or it's more like client-side hash is being compared against server side hash to help determine whether the said image is a matched CSAM or false positive? Even so, it doesn't prevent poison attacks.
2 different sets of hashes. Even if someone were to force a collision (they will), it won't pass the second server-side check unless it's actually a real CSAM image. That's partly why this system is so secure. Also, the device itself has no idea if there's a match or not. It uploads an encrypted voucher to Apple where only then it's decoded and marked as a match or not. Even then, they need 30 of these vouchers before they can run them through the second server-side check. Then if those somehow get through, then it's up for human review to verify and notify the proper organization for further analysis.
I'd love to know how someone can trick this entire system with an image that looks nothing like a CSAM image.
Edit: From page 12 and 13:
https://www.apple.com/child-safety/...del_Review_of_Apple_Child_Safety_Features.pdf
"Match voucher decryption by iCloud Photos servers Apple’s CSAM detection is a hybrid on-device/server pipeline. While the first phase of the NeuralHash matching process runs on device, its output – a set of safety vouchers – can only be interpreted by the second phase running on Apple's iCloud Photos servers, and only if a given account exceeds the threshold of matches. The local device does not know which images, if any, positively matched the encrypted CSAM database. iCloud Photos servers periodically perform the mathematical protocol to discover whether a given account exceeded the match threshold. With the initial match threshold chosen as described above, iCloud Photos servers learn nothing about any of the user's photos unless that user's iCloud Photos account exceeded the match threshold. This meets our data access restriction requirement.
To make sure Apple's servers do not have a count of matching images for users below the match threshold, the on-device matching process will, with a certain probability, replace a real safety voucher that's being generated with a synthetic voucher that only contains noise. This probability is calibrated to ensure the total number of synthetic vouchers is proportional to the match threshold. Crucially, these synthetic vouchers are a property of each account, not of the system as a whole. For accounts below the match threshold, only the user's device knows which vouchers are synthetic; Apple's servers do not and cannot determine this number, and therefore cannot count the number of true positive matches.
The code running on the device will never let Apple servers know the number of synthetic vouchers directly; this claim is subject to code inspection by security researchers like all other iOS device-side security claims. Only once an account exceeds the match threshold of true matches against the perceptual CSAM hash database can Apple servers decrypt the contents of the corresponding safety vouchers and obtain the exact number of true matches (always in excess of the match threshold) – and the visual derivatives that correspond to those vouchers. In other words, even though the creation of synthetic vouchers is a statistical protection mechanism, it is not a traditional noisebased approach: under this protocol, it is impossible for servers to distinguish synthetic vouchers from real ones unless the number of true positive (non-synthetic) matches cryptographically exceeds the match threshold.
Once the match threshold is exceeded, Apple servers can decrypt only the voucher contents that correspond to known CSAM images. The servers learn no information about any voucher that is not a positive match to the CSAM database. For vouchers that are a positive match, the servers do not receive a decryption key for their images, nor can they ask the device for a copy of the images. Instead, they can only access the contents of the positively-matching safety vouchers, which contain a visual derivative of the image, such as a low-resolution version. The claim that the safety vouchers generated on the device contain no other information is subject to code inspection by security researchers like all other iOS device-side security claims."
Also from page 13:
"Once Apple's iCloud Photos servers decrypt a set of positive match vouchers for an account that exceeded the match threshold, the visual derivatives of the positively matching images are referred for review by Apple.
First, as an additional safeguard, the visual derivatives themselves are matched to the known CSAM database by a second, independent perceptual hash. This independent hash is chosen to reject the unlikely possibility that the match threshold was exceeded due to non-CSAM images that were adversarially perturbed to cause false NeuralHash matches against the on-device encrypted CSAM database. If the CSAM finding is confirmed by this independent hash, the visual derivatives are provided to Apple human reviewers for final confirmation."
