All software has errors, and some of those errors represent security flaws that can be exploited and levered to perform unintended actions on the target system. Below we will explore what zero day exploits are, how they are used and their value in the world to date.
Definition of a Zero-Day Exploit
A day zero is a security flaw that has not yet been repaired by the software manufacturer and can be exploited and turned into a powerful but fragile weapon. In some cases the error can even be present in the hardware itself, such a flaw can be very dangerous as it cannot be easily patched (see Meltdown and Specter).
Zero days charge high prices on the black market and on legal platform like Zerodium, but bug bounties aim to encourage the discovery and reporting of security breaches to the manufacturer.
Why ‘Zero days’ Are Dangerous
A zero-day receives its name from the number of days a patch has existed for failure or error: zero. Once the manufacturer announces a security patch, the error is no longer a zero day (or “0-day” as some like to say). After that, the security flaw joins the countless days of patches.
In the past, say ten years ago, a single day zero could have been enough for remote control of a computer. This made the discovery and possession of any zero day extremely powerful.
Today, security mitigation measures in consumer operating systems such as Windows 10 or Apple’s iOS mean that it is often necessary to chain several, sometimes dozens, smaller zero days to gain complete control of a given target. This has driven black-market payment for remote zero-day execution on iOS at astronomical levels.
Zero Day Software Vulnerability Example
In may 2017 the world was exposed to one of the largest scale cyber attacks to date in the form of WannaCry. How did this malware spread to thousands of machines in such a short time ? WannaCry main mechanism to spread was a vulnerability in the SMB protocol called EternalBlue and supposedly developed by the NSA. The attack had such a high impact that it forced Microsoft to push updates for it’s old, previously not maintained systems.
Zero Day Hardware Vulnerability Example
Less common than software flaws, hardware vulnerabilities still need to be taken into account as mitigating them even after their discovery can prove near impossible without modifying the hardware directly. We can mention the Meltdown and Specter vulnerabilities discovered in 2018 that affected almost all Intel processors and more recently the Zombie Load vulnerability. So far there are no examples of those vulnerabilities being used on a large scale but the risk remains for high profile targets.
Zero Days on the Black Market
Want to make $1.5 million? Find a remote zero day in iOS and sell it to Zerodium, one of the most prominent brokers who claims to pay “the highest rewards in the market,” according to their website. Agents like Zerodium sell only to military espionage groups, but it’s also known that undercover characters from repressive regimes around the world buy zero-day exploits to hack journalists and chase dissidents.
Unlike the grey market that restricts sales to approved governments, the black market will be sold to anyone, including organized crime, drug cartels and countries like North Korea or Iran that are excluded from the grey market.
The regulation of the black/grey market for zero-day exploitations has been a struggle that the Wassenaar Arrangement has not resolved, at least so far. Wassenaar prohibits the export of dual-use technologies, such as centrifuges, to prohibited countries. A 2013 proposal to put in place controls that could be used for malicious purposes was overturned, and many believed that the proposal would make things worse rather than better.
Today, any government or criminal enterprise sufficiently incentivized can have hacking tools in its hands, including zero-day exploits, regardless of regulation.
Error Rewards vs. Coordinated Vulnerability Disclosure
The black hats who don’t care what zero days are used for will be the ones who get the most money from the black or gray markets. Conscientious security investigators are the ones who best inform the provider about zero-day vulnerabilities.
Organizations of any significant size should publish a vulnerability disclosure process, which publicly promises to keep good faith reports of security issues harmless and to monitor them internally. This is now a standardized good practice in ISO 29147 and ISO 30111.
To encourage zero-day vulnerability reporting, organizations can optionally offer an error reward program, which encourages research and disclosure by offering significant financial payments to ethical security investigators. These payments do not and never will compete with the black market, but are intended to reward security investigators who do the right thing.
Ethics of Governments Purchasing Zero Days
The NSA, the CIA and the FBI create, buy and use zero-day exploits, a controversial practice that has generated criticism. By using zero-day to hack criminals and not informing the manufacturer of the flaws, the government makes us all vulnerable to foreign hackers and spies who might find – or steal – those zero-day vulnerabilities, which makes us all less secure. If the government’s job is to protect us, then they should be playing defensively rather than offensively, critics argue.
In the US, the Vulnerabilities Equities Process (VEP) is the flawed mechanism Washington currently uses to assess zero-day vulnerabilities for disclosure. Criticized as ineffective by many, the VEP attempts to balance offense and defense, and decide which security flaws should be reported to the manufacturer and which should be hoarded for offensive purposes.
Further Patches and the Future
The fact that a manufacturer has announced a patch does not necessarily mean that vulnerable devices have been patched. In many cases (especially with IoT devices), they are shipped from the factory in a vulnerable state and are never patched. Sometimes it is physically impossible to patch these devices. A security patch issued by the manufacturer is of little use if that patch is not implemented on the active populus of devices.
As a result, the 0 days are often more than enough for attackers of both criminal and governmental variety. In many cases, attackers who own zero-day exploits prefer not to use them, because using a zero-day exploit against an intelligent defender could reveal that zero-day to the defender. This makes zero-day exploit fragile weapons, especially when deployed in the covert nation-state combat taking place today in the cyber domain.