No more hoarding zero days

Imagine how angry you would be if you found out that the last time someone stole your banking information something could have been done to stop that from happening. Or, better yet, how violated you would feel if some creepy digital predator was able to take over your family’s home surveillance system only because someone failed to update the system’s security settings?

Both of those situations might seem like exaggeration but they’re exactly the type of risky situations that are created when the U.S. and other governments stockpile so-called “zero day” software vulnerabilities. A zero day is any security flaw in a piece of software, whether that be a popular Internet browser, operating system, or mobile app, that hasn’t been disclosed to the software developer, and thus has had “zero days” to patch the flaw. The U.S. National Security Agency, FBI and other agencies around the world reportedly hoard zero days in the event those vulnerabilities can be exploited in the event of a kind of international cyberwar.

That needs to change.

Sure, security holes in a popular web browser used by millions of, say, Chinese Internet users would provide the NSA with incredible intelligence about the country’s online banking tendencies. But if the NSA can find a zero day, then independent attackers can probably find the same surveillance window and take advantage of it for their own malicious purposes. Failing to disclose that hypothetical browser vulnerability might enable attackers to make off with millions in Chinese Yuan so the NSA can spy on just a few individuals.

These conflicting views are at the heart of the battle between Apple and the FBI, which said last month it will not submit a tool used to crack an iPhone passcode for an official review. The absence of that review, which could result in Apple improving security for millions of iPhone users, automatically turns the FBI’s office into a prime target for hackers trying to infiltrate bureau networks in search of a way to break into the iPhone.

The shadowy market for zero day sales has made it nearly impossible to gauge how much money various flaws are sold for. But development is so widespread, and profitable, that major U.S. defense contractors “like Endgame Systems, Harris, Raytheon, Northrup Grumman, SAIC, Booz Allen Hamilton, and Lockheed Martin have all been in the exploit game to varying degrees,” according to Kim Zetter’s book Countdown to Zero Day.

Firefox users could be at risk now, too. Various reports suggest the Internet browser used by hundreds of millions of people around the world may have been victimized by an FBI zero day as part of a child pornography investigation. Obviously the FBI should use all available means to apprehend suspected child pornographers, but it’s ethically dubious to fight to keep that tactic secret when the investigation is complete.

Shevirah Founder and CTO Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. Her work in the field of smartphone exploitation has been featured internationally in print and on television. She is the author of “Penetration Testing: A Hands-On Introduction to Hacking”. She has provided technical training such as exploit development and penetration testing at conferences such as Blackhat USA, Brucon, and CanSecWest.