"I have sold a few social media exploits in the past," said the hacker known as S1ege. "But I don't sell now and haven't for a long time." Zero-day exploits—hidden vulnerabilities known to hackers but unknown to the software's creator—are "like gold," he said in a 2016 interview with TechRepublic. "Having a collection [of exploits] is like having a trophy [collection]."
Zero-day exploits—or, 0days in hacker-speak—allow attackers to quietly access a network or software. Due to their scarcity and the high stakes attached to high-value targets like Apple or banks, these bugs are often sold on the Dark Web for thousands of dollars.
This cheat sheet is a routinely updated "living" precis loaded with contemporary information about the fundamentals of how zero-day exploits work, who secret vulnerabilities affect, and how to learn more about code exploits and hacking.
- What are zero-day exploits? Zero-day exploits are code vulnerabilities and loopholes that are unknown to software vendors, security researchers, and the public. Examples of well-known zero days are Stuxnet, the recent Microsoft Word hack, and the NSA's attack on iOS and Android mobile devices.
- Why do zero-day exploits matter? Zero-day exploits frequently result in material harm, cost companies millions of dollars, and expose consumers to cyber-threats. "I work with gray and black hat hackers daily," said a spokesperson at a respected cybersecurity firm. "If the individual sells or buys zero days, they're done. Profiting from zero days is unquestionably unethical because [the exploits] always result in some type of harm."
- Who do zero-day exploits affect? The public, companies ranging from SMBs to large enterprises, activists and journalists, NGOs and nonprofits, and government organizations are all vulnerable to potential harm posed by zero days.
- When are zero-day exploits happening? Zero days are a top concern for all major enterprise companies and particularly for large software companies like Google and Apple. Zero days are a profit engine for hackers and help governments hack other governments.
- How can I learn more about zero-day exploits? The best way to learn about modern zero-day exploits is by reading contemporary news on trusted sites like TechRepublic, ZDNet, and CNET. To learn about the history of zero-day bugs, read Kim Zetter's authoritative book Countdown to Zero Day.
SEE: Cybersecurity in 2017: A roundup of predictions (Tech Pro Research)
What are zero-day exploits?
The term "zero day" originates from the time remaining for a software vendor to patch buggy code. With zero days—or 0 hours—to respond, developers are vulnerable to attack and have no time to patch the code and block the hole. One bug can give hackers enough access to explore and map internal networks, exfiltrate valuable data, and find other attack vectors.
Zero-day exploits are access points for malware and can take many forms: Stuxnet, the most well-known zero-day exploit, targeted programmable logic controllers that regulated centrifuges used by Iran's nuclear program; a Microsoft Word zero day downloaded an executable script that gave hackers a backdoor to Windows; intelligence services, including the CIA, use zero-day exploits to access iOS and Android mobile devices.
Because zero-days inherently violate user and corporate privacy, and in some cases the law, the use of the exploits is hotly debated by law enforcement, hackers, and developers. In an attempt to reduce the number of critical exploits in the market, Google and other large tech companies offer bug bounty programs that provide cash incentives to individuals who locate, document, and disclose loopholes. Gray and white hat hackers, and many tech companies, follow the Rain Forest Puppy (RFP) policy, unofficial guidance that stipulates vendors should have at least five working days to respond before a bug is disclosed to the public. To avoid association with unscrupulous hackers, many private cybersecurity firms, hacking teams, and government organizations adhere to RFP and similar policies.
- Zero Days: Why the disturbing Stuxnet documentary is a must-see (TechRepublic)
- Guess who's buying zero-day vulnerabilities? (TechRepublic)
- Zero Day security blog (ZDNet)
SEE: Cybersecurity spotlight: The ransomware battle (Tech Pro Research)
Why do zero days matter?
Where developers and vendors see risk, entrepreneurial hackers and other malefactors see opportunity. Zero days matter because they imperil the public, business, and government, and because they're worth a considerable amount of money on the Dark Web.
Identified in 2010 by security researcher Sergey Ulasen, the Stuxnet worm was allegedly developed in partnership between Israeli and American intelligence services and targeted Iran's Natanz facility. The worm exploited zero days on Siemens industrial control systems and caused centrifuges to spin at higher speeds and break down. American cyber-experts now estimate the cyberattack set Iranian nuclear ambition back by three to five years.
Stuxnet remains the best-known zero day and opened a new chapter in modern cyberwar that portends a dystopian future where cyberattacks against physical infrastructure kill and cause billions in damage. "Zero-day threats lurk and proliferate every day [on the Dark Web]," said Joe Saunders, CEO of RunSafe Security in an interview with TechRepublic. "Over time patches can be implemented, but often severe economic damage is perpetrated ... The unknown unknown is the [hardware] supply chain threat. Imagine a cheap component or chip inserted into a mobile device that creates a backdoor for a nation state to exfiltrate data from every consumer's phone. These threats are very difficult to detect as they may be embedded in standard code. Our best security experts need to assist our largest manufacturers, telecommunications, power plants, and other physical infrastructure that relies on code."
Left unsupervised, old code on infected hardware could result in a "disastrous kinetic event," Saunders said.
- Gallery: The top zero day Dark Web markets (TechRepublic)
- Inside the secret digital arms race: Facing the threat of a global cyberwar (TechRepublic)
- "Zero Days" director on new documentary and cyber warfare (CBS News)
SEE: Security awareness and training policy (Tech Pro Research)
Who do zero-day exploits affect?
All code has bugs. Zero days are exploitable in bugs and inherently coupled with software. As mobile and IoT devices proliferate so too does the exploit risk associated with software that controls important physical infrastructure, safeguards financial systems, and is used by billions of consumers daily.
"SMBs are vulnerable to [zero day] attacks because they are often seen as a conduit to a larger ecosystem," Saunders said. "SMBs may have weaker defenses than a large organization, so if their devices are connected to cloud services offered by large solution providers, their data is exposed and vulnerable. Often, SMBs don't have sophisticated security measures. They need to rely on solution providers and engage ones who help them protect their data. Startups often are targets of stolen intellectual property as they are seen as cutting edge and innovative." The more devices employed by a company, he explained, more threat vectors open up to hackers.
"I can't name the site I use, but I think that most hackers would use the same [site]," said the Russian hacker known as KapustKiy. "I hack for political reasons," he said in translated, broken English, "but I make money sometimes from selling hacks." He might use Zerodium, or one of the dozens of bug bounty and zero-day acquisition markets that sell zero-day exploits starting at $10,000 to $100,000 and up.
French hacker x0rz said it's true that "a vulnerability can be sold for $100,000," but overhead costs remains high "because it can take one or two years to reverse engineer and find an exploitable bug. It's hard work," he said. That means that small hacking teams and individual hackers are unlikely to discover a bug. "Zero days come from entities that can have the time and energy to find [the bugs]," he said. "Yes, zero days can be quite dangerous. And expensive to the companies! But they almost always come from government, not from [individual hackers]."
- Governments and nation states are now officially training for cyberwarfare: An inside look (PDF download) (TechRepublic)
- Video interview: Why your company should invest in cybersecurity infrastructure (TechRepublic)
- Video: 5 things to know about ethical hacking (TechRepublic)
- Stolen data on the dark web is cheaper than you might think (ZDNet)
SEE: Three ways encryption can safeguard your cloud files (Tech Pro Research)
When are zero-day exploits happening?
Zero days first emerged with consumer computing, in the mid-1970s. The Morris Worm is one of the world's oldest worms. "Robert Tappan Morris, a graduate student at Cornell, wasn't trying to 'attack' other computers when he unleashed the first great incidence of malware, known thereafter as the Morris Worm, on the internet," ZDNet's Larry Seltzer said. "It changed everything. The worm had no 'payload,' as we would say today. Its point was simply to propagate."
According to security firm Semantic, in 2015 zero days were discovered at a rate of about one per week, and the discovery rate doubled each year. A white paper by FireEye Security corroborated the Semantic study and estimates zero days grow at about 115% each year. That number could spike in the near future, however, as IoT devices become more common.
Due to the high overhead cost of human discovery of zero days, expect artificial intelligence and machine learning to change the exploit landscape soon, Saunders said. "If you think about artificial intelligence and other innovations, you realize that large scale cyber warfare could be played out without human intervention. What if automated bots that take over devices globally are both offensive and defensive in nature? Imagine a self-healing army of bots employing artificial intelligence to discard code designed to stop them and then resuming their offensive attacks. If you let yourself go there, you can see that The Cyber War is the new Cold War."
- The Black Report: Attacking your system, from the hacker perspective (TechRepublic)
- The hacking toolkit: 13 essential network security utilities (TechRepublic)
- Windows 10 security: 'So good, it can block zero-days without being patched' (ZDNet)
SEE: How risk analytics can help your organization plug security holes (Tech Pro Research)
How can I learn more about zero-day exploits?
The zero-day ecosystem is evolving quickly and touches every market. From business technology to consumer and hard news, TechRepublic, ZDNet, CNET, and CBS News (all properties of CBS Interactive) provide up-to-the-second updates on the latest exploits.
To better understand the history of zero days, and the economic forces that motivate governments and hackers, read Kim Zetter's excellent book Countdown to Zero Day. In addition, Fred Kaplan's Dark Territory explores zero-day exploits inside the cyberwar ecosystem, and Alex Gibney's documentary about Stuxnet is essential viewing for all cybersecurity professionals.
- Cyberwar: The smart person's guide (TechRepublic)
- 'Critical' Microsoft Office hack uses fake Word documents to install malware (TechRepublic)
- Why top ISPs don't think your web history or app usage is 'sensitive information' (TechRepublic)
- New zero-day vulnerabilities found in Adobe Flash Player (CNET)
More security news
- Insider's guide to managing Microsoft Patch Tuesday (Tech Pro Research)
- Interview with a hacker: Kapustkiy from New World Hackers (TechRepublic)
- Get ready for the rise of spymail, the hottest trend in email hacking (TechRepublic)
- How to become a master cyber-sleuth (TechRepublic)
- From Russia with Tech: The top 5 most interesting Russian startups (TechRepublic)
- Video: Top 5 ways to track data breaches (TechRepublic)
- Get an inside look at the exploit infrastructure (TechRepublic)
- US government pushed tech firms to hand over source code (ZDNet)
- Microsoft's new Middle East chief: Why cloud and security are our big focus (ZDNet)
- Meet the shadowy tech brokers that deliver your data to the NSA (ZDNet)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.