A zero-day vulnerability is a “known” vulnerability that doesn’t have a patch yet. We’re talking about serious business here. Hackers highly value such flaws.
Some say three-letter agencies and criminal organizations use them regularly.
Vulnerabilities vs. exploits
It’s essential to know the difference. When you find a weakness in a computer system, that’s a vulnerability.
Cool, but how do you exploit it?
In some cases, you can’t, for various reasons, for example:
- you need to be authenticated
- the system is too hardened, so you cannot test the vulnerability
- you lack the public information needed to exploit the flaw
In a nutshell, a computer system can be vulnerable without being at risk, at least for now.
Unfortunately for the victims, it’s not uncommon for those vulnerabilities to turn into exploits.
Cybercriminals use exploits to infiltrate their victims’ systems. They run programs that automatically scan the target for vulnerabilities and then deliver the appropriate malware.
It’s called an exploit kit, and it’s meant to pick the lock.
Known exploits vs. zero-day exploits
Known exploits are regularly published and documented by security researchers on exploit databases, so security professionals and software developers can stay up to date.
However, some exploits remain unknown, or known only to cybercriminals. It’s a particularly dangerous kind of exploit, as it might remain unpatched for months or even years.
Those zero-days can do a lot of damage in the wrong hands: it’s as if the Keymaker were on your team and you could access the most secret backdoors in the world.
The stakes are high. Not only can hackers make lots of money with a zero-day, but the attack might scale up. At that point, everything’s going nuts, and you don’t know who’s bad anymore.
Those backdoors are a highly strategic asset by nature. Google has a dedicated project for them. In 2020, it found and patched 11 zero-days, but, according to MIT, in doing so it publicly exposed a nine-month counterterrorism hacking operation! Those vulnerabilities did affect Google’s products, but not only those: iPhones were also patched, for example.
Indeed, any government agency would likely keep such flaws secret to use them for intelligence purposes, but that’s rather beyond my purview, and I don’t want to sound too much like a spy movie here 🤭.
What do people do with zero-days?
So we saw that zero-days may involve states and high stakes, but let’s be a little more practical. States, agencies, or criminal organizations can use zero-days to spy on specific iPhone users in real life.
The famous Pegasus software has exploited zero-day vulnerabilities to infect iPhones and sneak into messaging platforms like WhatsApp or iMessage. It’s easy to understand why this cutting-edge spyware is not free at all. Judging from what I’ve read, the service costs around $1,000,000.
It might seem a crazy price, but considering it only needs a telephone number to succeed, it’s not that much, especially if the customer is a State. That would not be possible without zero-days.
As you might guess, secret agencies and criminal organizations are not the only ones that want to keep zero-days private ^^. You have to be Google’s elite Project Zero team to be in a position to disclose them.
Source: Google Zero - policy and disclosure
Zero-days are a common concern. Many vulnerabilities likely remain unpatched, and the phenomenon is accelerating.