As technology becomes ever more quotidian, seamlessly merging with everyday life, a coinciding rise can be seen in concerns surrounding privacy on the internet. These arise largely in light of increasing cyber attacks and privacy breaches, which look to exploit cyber vulnerabilities known as ‘Zero Days’. The term refers to a vulnerability in a system that can be exploited for hacking and of which only the attacker is aware. It is referred to as a Zero Day until the vendor is made aware of it, the ‘zero’ denoting the number of days the vendor has known about it. The day it is discovered and the vendor begins fixing it is called day zero. Until the vulnerability is patched, it continues to be referred to as a Zero Day Vulnerability.

However, it can also refer to the number of days between the discovery of the vulnerability by exploiters and a cyber attack, in case the vendor never gets to know about it. Such an attack is then called a “Zero Day Exploit”. These attacks can be conducted by criminals, militaries or governments for a variety of purposes. The concept of the Zero Day Exploit is important to understand in the context of the debate surrounding encryption and the creation of backdoors in commercial software, i.e. a built-in way of circumventing encryption.

The 2013 Snowden revelations, followed by the Apple vs. FBI legal battle over the San Bernardino shooting case, are the high points of the debate and have established a global precedent regarding the same. The former made the case for encryption stronger, as it revealed the US Government’s stockpiling of Zero Day Exploits, deepening concerns over mass surveillance and resulting in tech giants like Apple taking the decision to tighten encryption in their systems. In 2014, this led Apple to introduce default encryption for iOS 8 (and onwards) and to claim that, in the interest of consumer privacy, it would no longer possess decryption keys – putting an end to backdoor access.

However, Apple’s move was met with hostility by government officials, who time and again pressured Apple to provide an encryption backdoor to assist law enforcement. These clashes culminated in the 2016 federal case in which the FBI called upon Apple to create and write software that would disarm the security feature on a cellphone. The cellphone’s owner was one of the shooters involved in the 2015 San Bernardino Mass Shooting; the shooters were killed in a police encounter, but their phones were recovered and could have helped in tracing other shooters. Apple’s refusal, on the grounds of prioritising its privacy policy, led a federal judge to order Apple to comply. This was the highest point of the privacy versus national security fight over encryption. In March of the same year, the Department of Justice dropped its case on the grounds that an unnamed third party had helped it unlock the phone and retrieve the data. Later in April, the FBI confirmed that the hack would not work on newer iPhones and worked only on the iPhone 5C and older versions – those without fingerprint sensors.

A Research Report published by the RAND Corporation in 2017 attempted to answer whether government officials should stockpile zero-day vulnerabilities or expose them to be patched by the vendor in question.

Their key findings include:

  1. Labelling of Vulnerabilities
    • Alive i.e. publicly unknown
    • Immortal i.e. will remain perpetually in the product, as the vendor no longer maintains its code / does not issue upgrades
    • Dead i.e. publicly known – either through the issuing of a security patch or through public disclosure by researchers
    • Quasi-alive i.e. can be exploited in older versions of the product but not in the new ones, due to code revisions
  2. After initial discovery of a vulnerability, most exploits have an average life expectancy of 6.9 years, which indicates that zero-day vulnerabilities are quite old. Further, the report claims that for a given stockpile of exploits, 5.7 percent have been discovered by others. The Collision Rate [1] is affected by the timing of flushing a stockpile of dead vulnerabilities and by the time interval considered – the longer the interval, the higher the collision rate. This is attributed to the purpose of the vulnerability researcher (private use or release as public information) as well as the tools being used, such as automatic software testing, fuzzing or manual analysis.
  3. Development of an exploit is relatively quick (ranging from a week to a month), and an exploit takes between 6 and 37 days to become fully functional. The cost of developing these exploits depends on the time taken to discover and develop them, the equipment and tools used, and other infrastructural costs, such as the supply of and demand for a codebase.

These findings imply that zero-day exploits can enjoy a long lifespan and can be put to work very quickly. Further, categorizing vulnerabilities into strictly exclusive classes may be misleading and unintentionally creates a barrier for detection efforts. For defenders [2], this implies that their security strategies should address all types of vulnerabilities, and that the focus should be on preventative measures rather than on remediation after the fact.

The report also takes a deep dive into the policy debate around stockpiling and whether the government should stockpile zero-day exploits. It highlights how stockpiling is beneficial for offenders as it is the most economical option – the collision rate is relatively low and the development period is relatively short. However, the counter-argument is that the cost of leaving a population vulnerable (as there is a chance, albeit small, that these vulnerabilities might be discovered by third parties) is greater. Thus stockpiling may actually be harmful. On the other hand, premature disclosure might circumscribe the government’s window for the development of patches and for defensive (e.g. penetration testing) or offensive testing. The authors concluded that the government should take all variables into account, and that the best decision is to stockpile only when there is certainty that a vulnerability cannot be discovered by others – otherwise it should be disclosed.

Additionally, there have been other reports, such as the 2013 Report on “Liberty and Security in a Changing World”, which put forward 46 recommendations on how to achieve a legitimate balance between national security and civil liberties. Juxtaposing a continued commitment to “enduring American values” with “new threats to common defense”, the report stated that it is in the larger national interest to disclose and eliminate software vulnerabilities than to stockpile them for intelligence collection.

Against the backdrop of this debate, in 2017 the Obama Administration instated the Vulnerabilities Equities Process, which outlines the procedure through which the government can determine, on a case by case basis, when to stockpile a particular vulnerability and when to disclose it.

The effects of these debates have trickled down into the national security vs. right to privacy debate and are also echoed in the privacy policies of tech giants. Today the question finds room again against the backdrop of the ongoing debate around weakening encryption. WhatsApp has filed a complaint against the Indian government over the IT Rules 2021, which require social media platforms to enable tracing of all messages; such a provision would require weakening the encryption offered by the messaging service, which in turn creates zero-day vulnerabilities. As discussed above, these vulnerabilities can be exploited not only by the government but by cyberattackers as well. Such exploits have been occurring even under present-day security standards: earlier, in 2019, WhatsApp had discovered a vulnerability in its software. Not only does breaking encryption threaten civilian privacy, it also exposes critical government data to international cyberattacks. As WhatsApp has also claimed, the window of vulnerability may be exploited by ill-intentioned attackers before a patch can be created for it. In light of this, it only seems fair that the case should be made for tightening encryption rather than weakening it.

[1] The rate at which two or more researchers independently discover the same vulnerability

[2] Vendors who seek to protect their products against vulnerabilities


Author – Mr. Shrey Madaan, Research Associate, CyberPeace Foundation
