Zero-days: Why these security flaws are so dangerous and expensive
Hackers hunt for them and governments around the world use them to carry out spy operations. What are zero-days and why are they increasingly valuable?
The National Security Agency practice of finding and hoarding zero-days – previously undiscovered security flaws in computer products – is generating a new wave of criticism from security researchers and tech companies.
That's because an unknown group calling itself the Shadow Brokers recently dumped a cache of hacking tools that contained several zero-days. Many experts and former agency employees have said the tools originated from the NSA.
Since several of the leaked tools target software bugs in security products widely used by American businesses, forcing at least two vendors to rush out fixes for affected products. The leak is also resurfacing long-standing questions about the wisdom of the NSA – and other defense and intelligence agencies – hoarding information on zero-day flaws.
It's an ongoing tension between the government's desire to keep valuable intelligence-gathering tools a secret and disclosing security flaws to companies so their users are no longer at risk.
But it's not just the US government that relies on zero-days to carry out its digital operations. These tools are extremely valuable on the black market used by criminals or what's often known as the gray market, where those who find the flaws can sell them to governments or other national security apparatus.
Just this week, Apple patched a mobile operating system vulnerability after researchers discovered an Israel-based firm taking advantage of zero-day vulnerabilities to let its customers (in this case, likely the United Arab Emirates) spy on specific iPhone users – sophisticated spyware that many reports said could be valued as high as $1 million.
Here's some background on the issue to catch you up to speed on the zero-day controversy – and why these tools are so important when it comes to cybersecurity and hacking in general.
First, zero-day bugs are extremely valuable commodities in the security community. Some of them, in fact, can bring hundreds of thousands of dollars to the researchers who find them.
Such flaws offer an opportunity for someone – like the NSA for instance – to gain access to protected systems without being detected. Usually, only a handful of people know about the existence of a particular zero-day flaw and how to exploit it.
"A zero-day is a security hole in a piece of software such as a browser or an operating system that is as yet unknown to the software maker," says Israel Barak, chief information security officer at security firm Cybereason.
Several of the NSA hacking tools that were leaked by the Shadow Brokers, for instance, targeted previously undiscovered flaws in firewall products from companies like Cisco and Juniper.
The reason such bugs are sought after is that they allow adversaries a way to bypass traditional security controls that are designed mostly to look for and block attacks against known security holes.
"An attack that can exploit an unknown vulnerability can, in many cases, penetrate through such defenses," Mr. Barak said.
The Stuxnet attacks of 2010 that crippled hundreds of centrifuges at Iran’s uranium enforcement facility in Natanz, is a good example.
In that case, a team of cyberoperatives believed to be working for the US and Israeli governments took advantage of several previously unknown software flaws in Windows to gain access to and manipulate systems that were used to control the centrifuges.
The value of a zero-day flaw to organizations such as the NSA, which typically uses them to spy on adversaries, depends on a couple of factors, Barak said.
Any software bug that allows an attacker to gain remote control of another computer is especially valuable. So too are bugs that allow an attacker to escalate privileges on a compromised system in order to carry out functions that a normal user of the system would not be authorized to perform.
Another factor that would determine the value of a zero-day bug would be the popularity of the software in which it is found. A zero-day in a browser like Google Chrome or an updated version of the Windows operating system for example would be extremely valuable.
Though researchers can sometimes stumble upon such software bugs, in most cases finding zero-days requires methodical research and often, a lot of resources. It is a task that combines the ability to take apart huge amounts of software code piece by piece and to recognize even minute issues that could constitute a potential security weakness.
One of the missions of the NSA’s Tailored Access Operations group is to find such flaws and ways to exploit them. What's more, a growing number of security researchers have begun basing their business model on finding such flaws and selling them to the highest bidder, which can include both government entities and cybercrimnals.
"Finding exploitable vulnerabilities is no easy task and some researchers on both sides of the ethical fence spend all their time hunting for them," said Karl Sigler, threat intelligence manager at Trustwave.
"The good guys hunt for them in order to help develop a patch and prevent exploitation," said Mr. Sigler. "The bad guys are constantly on the hunt to find exploitable vulnerabilities before the good guys do."