Modern field guide to security and privacy

Zero-days: Why these security flaws are so dangerous and expensive

Hackers hunt for them and governments around the world use them to carry out spy operations. What are zero-days and why are they increasingly valuable? 


The National Security Agency practice of finding and hoarding zero-days – previously undiscovered security flaws in computer products – is generating a new wave of criticism from security researchers and tech companies. 

That's because an unknown group calling itself the Shadow Brokers recently dumped a cache of hacking tools that contained several zero-days. Many experts and former agency employees have said the tools originated from the NSA.

Several of the leaked tools target software bugs in security products widely used by American businesses, forcing at least two vendors to rush out fixes for affected products. The leak is also resurfacing long-standing questions about the wisdom of the NSA – and other defense and intelligence agencies – hoarding information on zero-day flaws. 

It's an ongoing tension between the government's desire to keep valuable intelligence-gathering tools a secret and disclosing security flaws to companies so their users are no longer at risk. 

But it's not just the US government that relies on zero-days to carry out its digital operations. These tools are extremely valuable both on the black market, where criminals trade them, and on what's often known as the gray market, where those who find the flaws sell them to governments or other national security organizations.

Just this week, Apple patched a mobile operating system vulnerability after researchers discovered an Israel-based firm taking advantage of zero-day vulnerabilities to let its customers (in this case, likely the United Arab Emirates) spy on specific iPhone users – sophisticated spyware that many reports said could be valued as high as $1 million. 

Here's some background on the issue to catch you up to speed on the zero-day controversy – and why these tools are so important when it comes to cybersecurity and hacking in general.

First, zero-day bugs are extremely valuable commodities in the security community. Some of them, in fact, can bring hundreds of thousands of dollars to the researchers who find them.

Such flaws offer an opportunity for someone – like the NSA for instance – to gain access to protected systems without being detected. Usually, only a handful of people know about the existence of a particular zero-day flaw and how to exploit it.

"A zero-day is a security hole in a piece of software such as a browser or an operating system that is as yet unknown to the software maker," says Israel Barak, chief information security officer at security firm Cybereason.

Several of the NSA hacking tools that were leaked by the Shadow Brokers, for instance, targeted previously undiscovered flaws in firewall products from companies like Cisco and Juniper.

The reason such bugs are sought after is that they allow adversaries a way to bypass traditional security controls that are designed mostly to look for and block attacks against known security holes.

"An attack that can exploit an unknown vulnerability can, in many cases, penetrate through such defenses," Mr. Barak said. 

The Stuxnet attacks of 2010, which crippled hundreds of centrifuges at Iran’s uranium enrichment facility in Natanz, are a good example.

In that case, a team of cyberoperatives believed to be working for the US and Israeli governments took advantage of several previously unknown software flaws in Windows to gain access to and manipulate systems that were used to control the centrifuges.

The value of a zero-day flaw to organizations such as the NSA, which typically uses them to spy on adversaries, depends on a couple of factors, Barak said.

Any software bug that allows an attacker to gain remote control of another computer is especially valuable. So too are bugs that allow an attacker to escalate privileges on a compromised system in order to carry out functions that a normal user of the system would not be authorized to perform. 

Another factor that would determine the value of a zero-day bug would be the popularity of the software in which it is found. A zero-day in a browser like Google Chrome or an updated version of the Windows operating system for example would be extremely valuable. 

Though researchers can sometimes stumble upon such software bugs, in most cases finding zero-days requires methodical research and often, a lot of resources. It is a task that combines the ability to take apart huge amounts of software code piece by piece and to recognize even minute issues that could constitute a potential security weakness.

One of the missions of the NSA’s Tailored Access Operations group is to find such flaws and ways to exploit them. What's more, a growing number of security researchers have begun basing their business model on finding such flaws and selling them to the highest bidder, which can include both government entities and cybercriminals.

"Finding exploitable vulnerabilities is no easy task and some researchers on both sides of the ethical fence spend all their time hunting for them," said Karl Sigler, threat intelligence manager at Trustwave.

"The good guys hunt for them in order to help develop a patch and prevent exploitation," said Mr. Sigler. "The bad guys are constantly on the hunt to find exploitable vulnerabilities before the good guys do."
