When the US government couldn’t force Apple to give it access to the iPhone used by the shooter during the San Bernardino massacre, it allegedly paid $1 million for a secret software vulnerability that gave it full access to the phone . These undiscovered software bugs – so-called “zero-day” vulnerabilities – are highly coveted by intelligence agencies, who view them as essential tools in the war on terror.
This month to run away top-secret CIA documents, as well as a recent leak of NSA hacking tools, show that the US government is an avid user of these undiscovered software bugs, and that the agencies are storing them as part of a growing global cyber arms race. What they don’t do is disclose those vulnerabilities to the companies that make the products they want to break into, like Apple in the San Bernardino case.
“That would mean unilaterally disarming in cyberspace,” security expert Robert Graham told VICE News. “The biggest use of zero days is hacking into phones – iPhones and Androids – because that’s what terrorists have as their primary computing platforms. Taking those zero days away from [the intelligence community] would probably have a big impact on what they do.
But many believe that this practice undermines everyone’s safety. The very idea that the government, responsible for protecting its citizens, is accumulating cyberweapons that undermine the digital security of citizens raises some eyebrows. If the government keeps these vulnerabilities a secret, what will stop criminals from also buying them on the black market and targeting them at innocent people?
“The longer you haven’t reported it, the more likely it is to end up leaking,” Jeremiah Grossman, a prolific web security researcher, said last August when a group known as of The Shadow Brokers revealed NSA hacking tools.
A new report from the RAND Corporation, however, suggests that most undiscovered software bugs remain secret. The report states that there is only a 5% chance that someone else will independently discover the same vulnerability, meaning the risk associated with not disclosing them would be limited.
The suggestion that the US government should disclose its zero-day vulnerabilities makes no sense to Graham. “The argument makes no sense,” he says, “because if you demand that they disclose all the vulnerabilities they’ve acquired, they’ll just stop acquiring vulnerabilities.”
The RAND report offers the first real glimpse into the zero-day world, after researchers there gained access to a database of more than 200 zero-days owned by a company that sells them to governments and other customers on the so-called gray market.
Research finds that up to 25% of zero-day vulnerabilities persist for more than a decade, with the average life expectancy of these flaws estimated at 6.9 years – the time between the discovery of the vulnerability and the moment where the vendor discovers it and releases a fix, or where a software upgrade inadvertently fixes the error. “I try to bring data and science to the discussion,” lead researcher Lillian Ablon told VICE News.
By their very nature, zero-day vulnerabilities are a mystery. Nobody knows how many of them are out there, nobody knows what software they target, and nobody knows how often they’re used every day or who they’re used against.
So what do we really know about Zero Days?
A zero-day vulnerability is a bug in software code that could allow access to this system and has not been disclosed to the vendor. It’s been zero days since it was made public – hence the name. This means that no patches or hotfixes are available.
Zero-day vulnerabilities can affect any software, and with estimates suggesting between 3 and 20 bugs per 1,000 lines of code, there’s a lot of potential for problems. Especially considering that Apple’s iOS, for example, is supposed to consist of more than 8 million lines of code and the US Army Future Combat Systems contains more than 60 million lines.
Most of these bugs will be relatively harmless. A vulnerability is a special type of bug that creates a security flaw in the design, implementation, or operation of software.
Finding a vulnerability is just the start. In order to take advantage of the flaw, you need to weaponize it by creating an exploit – something to infect, disrupt, or take over a computer. Not all vulnerabilities can be exploited, but when they do, the ultimate goal is remote code execution, in which the compromised system executes an attacker’s code without the knowledge of the user.
Who creates them?
Zero-day vulnerabilities are created or discovered by hackers, researchers, the government, and companies that specialize in developing cyberweapons for sale to intelligence agencies and law enforcement.
Many companies are listed on the stock exchange bug bounty programs where they challenge researchers to find flaws in their systems — including zero-day vulnerabilities — by paying them a fee to disclose them. Same the American army and the Pentagon are now adopting this approach to strengthen their systems.
But many people just want to keep zero-day vulnerabilities a secret. Companies like Hacking team and FinFisher, which create spyware for governments and intelligence agencies, covet vulnerabilities that have yet to be disclosed. Although both companies discover their own vulnerabilities, they also rely on a network of independent researchers to do the heavy lifting and find flaws in lines of code.
According to Graham, these are highly skilled engineers who reverse engineer source code to find vulnerabilities that can be exploited. These are no ordinary cybercriminals. “Criminals are the complete opposite of skilled hackers,” Graham said.
Who buys them?
Zero-day vulnerabilities don’t come cheap. According to the RAND report, most gray market or government exploits sell for between $50,000 and $100,000, and some can cost up to $300,000. The FBI is reported having spent $1 million on a zero day that allowed the agency to hack into the iPhone used by the San Bernardino shooter.
The high price makes the zero day market quite limited. Essentially, only governments and intelligence agencies can afford to pay.
Thanks to Leakage of ghost brokers, which details the NSA’s hacking arsenal, and the recent WikiLeaks dump of CIA hacking tools, we know the US government is acquiring zero-days. The government doesn’t want to get their hands dirty, so rather than going directly to engineers to find these vulnerabilities, they use small, dedicated companies trusted by the government. “The US government overwhelmingly prefers to buy vulnerabilities from the American people; they don’t like going outside their borders,” Graham said.
The government usually purchases well-developed and robust exploits that have been thoroughly tested and easily integrate with other hacking tools they use.
For everyone else, there are much easier and cheaper ways to hack targets. “Phishing attacks and exploiting the human element are much easier. Getting someone to click on a link and making it compelling is much easier than trying to find a zero-day vulnerability in a product,” Ablon said.