0days – Monetizing Mistakes

In computing, and in software development in particular, a 0day (pronounced “zero day”) is a vulnerability in a piece of software that is unknown to the vendor, or known but still unpatched, and that can be exploited maliciously. The name comes from the number of days the developer has had to fix the flaw: because the vendor usually learns of it only once it is already being exploited, they have had zero days to develop and ship a fix. It is the software equivalent of a surprise attack. 0days vary widely in scope, from a minor information leak to full remote code execution, depending on the flaw and the program it lives in.

0days have monetary value. Both the black market and legitimate markets have a niche carved out for 0day exploits. Prices range from roughly $10,000 to over a million dollars, depending on how many people already know about the flaw, how hard it is to mitigate, and how widely deployed and valuable the affected program is. Many of these transactions occur on black markets, typically hosted behind anonymization software such as Tor to protect the identities of buyers and sellers. These marketplaces broker the exchange of 0day exploits, usually settling in cryptocurrencies like Bitcoin to obscure the money trail (note that Bitcoin is pseudonymous rather than anonymous; its public ledger can be traced). Some markets even offer escrow to protect buyers from paying for an exploit that does not work. 14% of all Microsoft, Apple, and Adobe 0day exploits came from white-market vendors such as Italy’s Hacking Team and Israel’s NSO Group. Those sales are subject to heavy export-control regulation, which restricts prepackaged exploits to government and law-enforcement customers only. The remainder of the exploits come from black- or gray-market sources.

You may have heard of “bug bounty” programs offered by software companies. These programs try to keep 0days out of hostile hands by giving security researchers the opportunity to “sell” a vulnerability to the developers before it can be used maliciously. Google and Facebook both run bug bounty programs. In 2014, Facebook paid out more than $1.3 million to bug bounty hunters, and in 2016 Google offered $100,000 to anyone who could demonstrate a persistent compromise of one of its Chromebook laptops in guest mode. These are just a few examples of companies buying 0days in their own code. Bounty payments are typically far lower than what a buyer on a dark-web black market would offer for the same flaw, partly because a bounty buys a reproducible vulnerability report rather than a weaponized exploit. Bounties nonetheless remain an important part of the software ecosystem because they let white-hat researchers monetize what they find and keep those findings off the black market.

Having a robust stash of 0day exploits on hand is important for any hacking group. The fewer people who know about a particular vulnerability, the more dangerous it is. A well-maintained 0day can provide access to systems for years at a time and sometimes survives product updates, essentially giving an attacker a personal backdoor into any system running the affected program. According to a 2009 study presented at the Hawaii International Conference on System Sciences, roughly 2,500 0day exploits are active (“in the wild”) at any given time. A particularly elusive vulnerability called “Dirty COW” (CVE-2016-5195), a race condition in the Linux kernel’s copy-on-write handling, sat in the kernel for nine years before being patched in 2016. As with other information goods, the value of a 0day drops off sharply as the number of people who know about and use it grows, because every additional use raises the chance of detection and a patch. According to the same 2009 study, a typical 0day remains undetected for between 112 and 160 days.

The real fun begins when you combine, or “chain”, 0days together. Chained attacks are typically so powerful that mitigation becomes a serious problem, and they tend to go undetected longer than single exploits because of the resources needed to acquire and deploy them. A famous example is NSO Group’s Pegasus spyware, which exploited three 0days in Apple’s iOS 9 (the chain was dubbed “Trident” when Citizen Lab and Lookout analyzed it in 2016). The chain began with a memory-corruption bug in WebKit, Safari’s rendering engine (CVE-2016-4657), which let a malicious web page execute arbitrary code inside the browser. Because iOS randomizes where the kernel is loaded in memory, a second bug, a kernel information leak (CVE-2016-4655), was used to disclose the kernel’s actual base address. A third bug, a kernel memory corruption (CVE-2016-4656), then gave the attacker kernel-level code execution, jailbreaking the phone silently and remotely. The chain was particularly devastating because it turned a single tap on a phishing link into a full device compromise. Apple patched the three bugs in iOS 9.3.5, but not before the spyware had been found on iPhones around the world. Apple’s bug bounty program at the time paid a maximum of $200,000, far below the millions such a chain commands from commercial exploit brokers and vendors like NSO Group, which is how chains like this end up developed and sold on the private market instead.

The most destructive exploit chain in history was the Stuxnet malware, discovered in 2010, which targeted the centrifuges at Iran’s uranium enrichment facility at Natanz. The malware used an unprecedented four Windows 0days to spread through an air-gapped network (via infected USB drives and the Windows shortcut-handling flaw CVE-2010-2568, among others) and then reprogrammed the Siemens PLCs controlling the centrifuges, varying their rotor speeds until the machines damaged themselves. The operation was allegedly a joint American-Israeli effort, which fueled speculation that governments actively procure 0days for offensive capability. Stuxnet is still not understood in every detail. It carried a time-based kill switch that stopped it spreading after June 24, 2012, signed its drivers with stolen code-signing certificates, and drew on resources that many believe are beyond the reach of private companies. (The “previously unknown programming language” often attributed to Stuxnet actually refers to its relative Duqu, whose payload was initially unrecognized and later identified as object-oriented C.) The operational security employed by the authors strongly suggests that a nation-state was involved.

The marketplaces for 0day exploits are alive and well, and everyone seems to want to get their hands on these exploits for both offensive and defensive capability. Eliminating the threat requires software developers to be diligent in making sure the software they write does not repeat the classes of vulnerability that have been exploited in the past, and to be proactive about possible vulnerabilities in the future. Raising the prices paid to researchers who discover 0days to be competitive with the black markets may curb the use of those marketplaces and bring some portion of the market back into traditional, regulated channels.

Whatever the future holds, 0days have carved out their place in computer science and represent another round of the cat-and-mouse game between developers and hackers.