Zero Day: a powerful but fragile weapon
All software has bugs, and some of those bugs are security flaws that can be exploited to turn into weapons
31 July 2019
A zero day is a security flaw that has not yet been patched by the vendor and can be exploited and turned into a powerful weapon. Governments, it has been reported, discover, purchase, and use zero days for military, intelligence and law enforcement purposes — a controversial practice, as it leaves society defenceless against other attackers who discover the same vulnerability.
Zero days command high prices on the black market, but bug bounties aim to encourage discovery and reporting of security flaws to the vendor. The patching crisis means zero days are becoming less important, and so-called ‘0ld-days’ become almost as effective.
Why zero days are dangerous
A zero day gets its name from the number of days that a patch has existed for the flaw: zero. Once the vendor announces a security patch, the bug is no longer a zero-day (or “oh-day” as the cool kids are wont to say). After that the security flaw joins the ranks of endless legions of patchable but unpatched 0ld-days.
In the past, perhaps 10 years ago, a single zero day might have been enough for remote compromise. This made discovery and possession of any given zero day extremely powerful.
Today, security mitigations in consumer operating systems, such as Windows 10 or Apple’s iOS, mean that it is often necessary to chain together several, sometimes dozens, of minor zero days to gain complete control of a given target. This has driven the black market pay-out for a remote execution zero day in iOS to astronomical levels.
Not all zero days are complicated or expensive, however. The popular Zoom videoconferencing software had a nasty zero day that “allows any web site to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission,” according to the security researcher’s write-up. “On top of this, this vulnerability would have allowed any web page to DoS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.” The Zoom for Mac client also installs a web server on your laptop that can reinstall the Zoom client without your knowledge if it’s ever been installed before.
This is one nasty, nasty, nasty zero day. Worse, it is a ginormous security flaw that a ginormous company, Zoom, dragged its feet fixing, forcing the researcher to drop 0day. (“Drop 0day” is industry slang for publishing details of a security flaw to force a laggard vendor to fix their stuff.)
Security flaws this simple that enable an attacker to turn on someone’s microphone and camera are especially dangerous, as they give a criminal or corrupt cop an eye and an ear into the physical world — not just the information stored on your laptop. That makes the demand for zero days on the black and grey markets that much stronger.
The black market for zero days
Want to make a cool $1.5 million? Find the right kind of iPhone zero day and sell it to Zerodium, one of the more prominent players that claims to pay “the highest bounties on the market,” according to its web site. Brokers such as Zerodium sell only to the military-espionage complex, but the secret police of repressive regimes around the world are also known to buy zero-day exploits to hack journalists and persecute dissidents.
Unlike the grey market that restricts sales to approved governments, the black market will sell to anyone, including organised crime, drug cartels, and countries like North Korea or Iran who are excluded from the grey market.
Regulating the black/grey market for zero-day exploits has been a struggle that the Wassenaar Arrangement has failed to deal with, at least so far. Wassenaar prohibits the export of dual-use technologies, such as centrifuges, to proscribed countries. A 2013 proposal to put controls on technology that could be used for malicious purposes was shot down, and many believed that proposal would make things worse rather than better.
Today, any sufficiently motivated government or criminal enterprise can get its hands on hacking tools, including zero-day exploits, regardless of regulation.
Bug bounties vs coordinated vulnerability disclosure
Black hats who don’t care that their zero-days could wind up helping torture dissidents will get the most money from the black or grey markets. Security researchers with a conscience are best off reporting zero-day vulnerabilities to the vendor. Organisations of any significant size should publish a vulnerability disclosure process, which publicly promises to hold harmless good-faith reports of security issues and triages the reported issues internally. This is now a best practice standardised in ISO 29147 and ISO 30111.
To encourage reports of zero-day vulnerabilities, organisations can optionally offer a bug bounty programme, which stimulates research and disclosure by offering substantial financial pay-outs to ethical security researchers. These pay-outs do not and will never rival the black market, but instead aim to reward security researchers who do the right thing.
Should governments hoard zero days?
The NSA, CIA and FBI all discover, purchase and use zero-day exploits, a controversial practice that has drawn criticism. By using zero days to hack criminals, and not reporting those flaws to the vendor for patching, governments make us all vulnerable to criminals and foreign spies who might find — or steal — those zero-day vulnerabilities, thus making us all less safe. If a government’s job is to protect citizens, then it should be playing defence instead of offence, critics argue.
In the US, the Vulnerabilities Equities Process (VEP) is the flawed mechanism that Washington currently uses to evaluate zero-day vulnerabilities for disclosure. Criticised as ineffective by many, the VEP attempts to balance offence and defence, and to decide which security flaws should be reported to the vendor and which should be hoarded for offensive purposes.
The release of the Shadow Brokers exploits, including the ever-popular EternalBlue exploit, raised further questions about what the government should be hoarding. The Shadow Brokers, widely believed to be a cut-out for Russian intelligence, stole NSA hacking tools and dumped them online for free. Criminal elements seized these powerful NSA cyber weapons and used them for criminal purposes, and the resulting chaos is still being felt to this day.
Patching is a bigger problem than zero days
Zero days are sexy and exciting but, let us face it, not as big a deal as they used to be. Just because a vendor has announced a patch doesn’t mean vulnerable devices get patched. In many cases, such as with IoT devices, items get shipped from the factory in a vulnerable state, and then never get patched. Sometimes it is physically impossible to patch these devices. A security patch published by the vendor does little good if that patch never gets deployed in production.
As a result, 0ld-days are often more than sufficient for attackers, of both the criminal and government variety. In many cases attackers who possess zero-day exploits prefer not to use them, resorting to 0ld-days instead, because using a zero-day exploit against a savvy defender could disclose that zero day to the defender. This makes zero-day exploits fragile weapons, especially when deployed in the covert wrestling match between nation-states taking place in the cyber domain today.
JM Porup is senior security reporter for CSO Magazine
IDG News Service