Background:
I’m reading This is How They Tell Me the World Will End by Nicole Perlroth. She tells the story of the international “Zero day market,” how it evolved, who the players are, and where it stands. It’s a fascinating read that connects the dots on the cybersecurity incidents that have happened over the past 10, maybe 20 years.
A “zero day” is a significant bug in software that has yet to be found, and fixed, by its developers but has been found by someone else. The name comes from the developer's side of the clock: they have had zero days to fix it, because they don't yet know it exists. The period from the time the developer learns of a bug to the time it is fixed is an important one for hackers, because once the developers know about it, the fuse is lit. There is only so much time left to use the bug to exploit victims. Once the developers fix the bug…and the users apply the “patch”…that door is closed to hackers. Note the second condition: a patch only closes the door on the devices it is actually installed on, which is why an exploit can keep working for years against people who don't update.
Last night, I was reading Perlroth’s book when I got a notice from my iPhone that there was an update. I had always wondered why there were so many updates to iOS and now I knew. Whenever there’s a “security” update from Apple, there’s a good chance it was to fix a zero day bug. What I was reading was happening in real time!
Was It Really a Zero Day that Prompted the iOS Update?
Apple does not readily advertise the vulnerabilities it fixes. Its security alerts send folks to a page like this, which does not go into detail about the bugs they fixed. They have a bug bounty program and a list of all the people who have submitted bugs, kind of a public thank you that gives white hat hackers some street cred.
They do have a security-announce mailing list that gives more details on the security bugs they’ve fixed. Here’s a link to that list’s archives. It’s interesting to note that many bugs are credited to the University of Toronto’s Citizen Lab, which Perlroth discusses in her book. In the mailing list posts, Apple describes the bugs that prompted the update I saw.
This article from Help Net Security has a dramatic headline:
The drama comes from the mention of NSO Group’s Pegasus spyware. Google “Pegasus spyware” to learn details of this product from an Israeli company that turns a victim’s phone into a surveillance device.
The main issue is that NSO doesn’t appear to have any scruples about who its customers are, so dictators are using this software to spy on their own citizens.
As a minor aside, the product manager in me finds it fascinating that NSO Group provides customers with an Account Manager to help customers implement and use their software, just like any other SaaS company on the planet.
So yes, it was a zero day that prompted the iOS update…which arrived as I was reading a great book on the worldwide zero day market.
Why Zero Days Are So Important to Hackers
Before the developers know about a bug, the hacker has free rein to use it to exploit victims. He or she is working under cover of darkness, as it were.
The zero days that matter are typically more serious bugs. When you can trigger them reliably, you get the computer to do something useful to the hacker: dump out passwords, change permissions so that the hacker has admin rights on the user’s system, or hand over admin access to a database. The most valuable of all are bugs that let an attacker run their own code on a fully patched device without the victim clicking on anything, which is the kind NSO Group has used to deliver Pegasus.
What’s happened is that knowledge of these unknown flaws is money. Big money. Hackers now sell this knowledge to nations. In the US, the NSA buys zero days. Russia, China, and Iran may buy zero days, but more likely they conscript hackers to work for them. Smaller nations buy zero days. Nations stockpile zero days to be used against their adversaries, perceived or real.
It’s an arms race, and a relatively cheap one.
How Does This Affect You?
In general, if you live in a Western democracy and no one at a state level has a reason to pay attention to you, this probably won’t affect you much on a personal level. If you’re an activist, active in opposition politics, or just plain ornery and noisy in a non-Western democracy, consider yourself a target.
However, everyone can better protect themselves with some simple actions:
- Always keep your software up to date on every device you use, and turn on automatic updates so the fix for the next zero day lands before you get around to reading about it.
- Use good password “hygiene”:
  - Never reuse passwords.
  - Use long, random passwords. 15 characters minimum.
  - Use a password manager like NordPass, 1Password, Bitwarden, etc. to keep track of your passwords so you won’t be tempted to use one password on more than one site. You then only have to remember one strong master password.
- Use a software firewall.
- Consider using a Virtual Private Network (VPN) whenever you’re connected to the Internet. A VPN hides your traffic from the local network and your ISP; it does nothing against an exploit delivered inside a message or a web page, so it complements updating rather than replacing it.
- If you’re really concerned about state actors or very motivated and technically oriented people coming after you, use Tails on a USB stick, or Qubes OS. Tails runs from the stick, leaves nothing behind on the machine, and routes everything through Tor; Qubes isolates each task in its own virtual machine on a machine you control. Tails may be better.
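As an added example (mine, not the post's), here is a small Python script that puts numbers behind the “15 characters minimum” advice, generates passwords the way a password manager does (from the operating system's secure random source rather than the ordinary `random` module), and flags reuse across a vault. The site names and passwords in `SAMPLE_VAULT` are made up for the demonstration and are not real credentials.

```python
import math
import secrets
import string
from typing import Dict, List

# Character set for generated passwords: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample vault (site -> password) for the reuse check below.
# These are made-up values for the example, not real credentials.
SAMPLE_VAULT = {
    "bank.example": "Tr0ub4dor&3",
    "email.example": "Tr0ub4dor&3",
    "forum.example": "correct horse battery staple",
    "shop.example": "Tr0ub4dor&3",
}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw `length` characters uniformly from `alphabet` using the OS CSPRNG.

    `secrets` is used deliberately: `random.choice` is driven by a
    predictable generator and must not be used for passwords or keys.
    """
    if length < 15:
        raise ValueError("use at least 15 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length).

    This is the figure that makes the '15 characters minimum' rule concrete:
    each character drawn from 94 symbols adds about 6.55 bits.
    """
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Return password -> sorted list of sites for every password used on
    more than one site. A breach of any one of those sites exposes the rest."""
    by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"generated: {pw}  ({entropy_bits(len(pw)):.0f} bits)")
    print(f"8-char random password:  {entropy_bits(8):.0f} bits")
    print(f"15-char random password: {entropy_bits(15):.0f} bits")
    for reused, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password reused on: {', '.join(sites)}")
```

The entropy figure only applies to passwords that really are drawn uniformly at random, which is what a password manager's generator does and what a human picking “memorable” passwords does not; that is the reason the list above pairs the length rule with the manager.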