While trading in zero-day vulnerabilities has been going on for years, publications based on, among other things, WikiLeaks documents have brought the subject to the attention of privacy activists, politicians and even the mainstream media. But what are zero-day vulnerabilities, what does the world of zero-day trading look like and what are the most important dilemmas?
What are zero-day vulnerabilities?
A vulnerability is a flaw in programming code (a bug) which can be abused to influence the flow of the software containing it. Typically, we are talking about vulnerabilities that enable remote code execution: vulnerabilities which allow an attacker to make the affected software do whatever he pleases once he exploits it. To get there, an attacker must first acquire knowledge of the vulnerability, then develop a piece of software that actually triggers the vulnerability (the exploit) and finally deliver a payload that, upon execution, takes him to his actual goal (data exfiltration, spying or encrypting all the victim's files). A zero-day vulnerability is one for which the vendor has had zero days to prepare a fix: it is not yet known to the vendor, so no patch exists.
Figure 1: A bug’s life
What does a hacker do with a vulnerability?
Figure 1 shows the typical life of a vulnerability. One day, a software developer introduces an error into the code base he is working on, say Adobe Flash. The code is released as part of a new version of Flash. At some point in time, a hacker discovers this bug and determines that it is exploitable for remote code execution. He goes on to develop an exploit that makes use of this vulnerability as a proof of concept.
At this point, the hacker has a few options. He can:
– Disclose the vulnerability publicly online (full disclosure)
– Disclose the vulnerability only to Adobe (responsible disclosure)
– Monetise the vulnerability by selling it to a broker
– Monetise the vulnerability by weaponising it into malware
– Keep knowledge of the vulnerability to himself
Regardless of the hacker’s choice, at some point knowledge of the vulnerability usually becomes public, or at least known to the vendor in question. At this point, the vulnerability loses its zero-day status: the counter starts.
When does a zero-day become a ‘regular’ vulnerability?
Depending on the impact of the vulnerability, the vendor will typically work to get a patch ready. In cases where the vulnerability is actively being exploited ‘in the wild’, this usually happens sooner than when the vulnerability is known only to the discoverer and the vendor. Then, the patch is made available to the users of the affected software. At this point, the fact that there is a vulnerability in the current version of the software becomes public knowledge in any case (some call it a zero-day until the point of patch availability). Users are then able to defend themselves by applying the patch. Finally, when everybody has applied the patch, the vulnerability no longer poses a risk. In practice, that last step is never quite reached: some systems are patched late or never, so the risk shrinks over time rather than disappearing.
Who is involved in zero-day vulnerabilities?
The above example already shows that there are quite a few different actors in the vulnerability scene. There is often a distinction between those who discover vulnerabilities and those who exploit them, with the brokers who trade in vulnerabilities acting as a link between them. On the discovery side we have so-called “black hat” hackers from the criminal world, professional security researchers, employees of intelligence agencies and so on. On the application side we have intelligence agencies, cyber criminals, law enforcement agencies and vendors of spying software.
– Cyber criminals
Cybercrime takes many forms, and many of them do not require zero-days. However, forms of cybercrime that depend on taking control over your computer often do depend on vulnerabilities, and using zero-days is typically more effective than using vulnerabilities for which a patch is already available. Your ransomware will affect more people if nobody has a patch against the vulnerability it exploits than if many people have already patched.
– Intelligence agencies
Say your organisation’s mission is to protect your nation’s interests by being informed about the plans and activities of foreign governments. Or to support military missions by providing warfare capabilities in the cyber domain. In those cases, it is very convenient to have a few zero-day vulnerabilities on hand, because your targets might have already patched their systems against all known vulnerabilities. You can either employ skilled hackers to go hunt for those zero-day vulnerabilities in the software you know your adversary uses or you can buy them, or you can employ both strategies. The NSA reportedly spends $25m per year on acquiring zero-day vulnerabilities.
– Law enforcement
While the missions of law enforcement agencies typically do not require as much hacking as the missions of intelligence agencies, in some cases using zero-day vulnerabilities is extremely handy. Say you find an iPhone belonging to a terrorist and you suspect it contains clues relevant to your investigation. Or say you have intercepted communications that lead you to certain people, and you have warrants to search their houses, but their computers remain locked to you. In such cases, the use of zero-day vulnerabilities may make your investigation easier or even possible.
– Vendors of spyware
Certain software vendors produce software that is used by intelligence agencies, law enforcement and possibly others to intrude into victims’ devices and remain there in a spying capacity. These software suites have a central control component, from which the user of the software directs the action. Another component is the payload that is installed onto the victim’s device, which performs the required interception. The third component takes care of infection: getting the payload onto the victim’s device so that it can mirror communications to the central control component. This intrusion component requires zero-day vulnerabilities whenever the target is patched against all known vulnerabilities.
– Vendors of affected software
Lastly, of course, the vendors of the affected software are interested in knowledge of zero-day vulnerabilities in their software. While some vendors have a strategy of discouraging research into their software and delaying or frustrating the disclosure process, others welcome researchers or even pay out significant sums to those reporting vulnerabilities. However, unlike for the other actors discussed, knowing about and fixing zero-day vulnerabilities does not contribute directly to the missions of these organisations, so their interest in this knowledge is significantly smaller than that of the other actors.
The ecosystem around a zero-day vulnerability shows that it is a complicated world. Furthermore, the discovery and use of zero-days also entail dilemmas, such as: should intelligence agencies use zero-day vulnerabilities? And if you discover a zero-day vulnerability, what should you do with it? I’m curious to hear your thoughts!