The story inside your software updates

David Huerta 2019

Digital Security Trainer

Pwn2Own 2019

Software updates seem like a chore, but they often contain important fixes for bugs that could otherwise compromise your security and privacy. When hackers and security researchers find these bugs, their findings are shared with affected companies, then shared publicly for the other developers to learn what not to do with their code. Sometimes, the timing of these software releases coincide with conferences and events in the cybersecurity industry.

One example of this is Pwn2Own, a hacking contest where web browser security is put to the test against hackers from all over the world. This year I caught a rare glimpse of these hacker teams in action and, with a careful look at the descriptions in software updates, you can see the aftermath of their work.

Every year in Vancouver, in one of the many glass-and-steel towers that make up the city’s skyline, teams of hackers from around the world convene in what has become the Olympics of web browser hacking. Google’s Chrome, Mozilla’s Firefox, Apple’s Safari and Microsoft’s Edge browsers are put under siege by teams hoping to breach their code's security mechanisms to win cash, glory and a safer internet for all.

Sponsored by a varied mix of cybersecurity companies as well as some of the very companies whose browsers are being hacked, participating teams can win anywhere from $30,000 to $250,000 per exploit, depending on its severity.

In a past event, Google Chrome was hacked—“pwned” by an elaborate sequence of different, previously undiscovered exploits by a hacker only known as “Pinkie Pie” (presumably named after the character from the animated series My Little Pony: Friendship is Magic). This year, Chrome escaped a successful attack, but Safari, then Edge, Firefox, and even the Tesla entertainment console were proven vulnerable by team Fluoroacetate—the name of a pesticide used to kill invasive species.

The way most people experience the internet is through the web, and the way most people experience the web is through web browsers. Modern web browsers are made of code, and lots of it. Within these massive and complex sets of code, there's ample room for developers to make a mistake that negatively affects a browser’s security. This can lead to vulnerabilities that would allow malicious code on the web to potentially infect the rest of the device to spy on us.

Hackers have a long history of making a show of the exploits they discover. In earlier days, when Las Vegas was still wild, hackers would demonstrate how to launch an exploit live on stage, marking the first day in which that previously undiscovered “zero-day” exploit is known to the rest of the world. This process sometimes led to a few arrests and subsequent “CiscoGate” t-shirt sales.

Mike Flynn at Black Hat USA 2005

Since those days, companies have developed formal, coordinated disclosure processes which give hackers a media embargo on their findings until they can “patch” the vulnerability in their code with a software update that includes the fix. In some cases, companies also have “bug bounties,” cash rewards paid to hackers who present companies with a proof-of-concept (PoC) for a zero-day exploit. Bounties can even feature limited edition couture, like a t-shirt reading “I hacked the Dutch government”—if you find a way to hack the Dutch government and tell them first.

More recently however, zero-day exploits have become commoditized and weaponized—not disclosed to the affected company to make their software safer for users, but kept secret and sold to governments to spy on those users.

In addition to the growing list of governments investing in the ability to hack people, companies like Hacking Team or NSO Group hoard exploits to build tools for infecting devices with spyware, charging top dollar for access. The result of which we know has led to abuse of the technology by the Mexican and UAE governments to spy on journalists.

In addition to companies that discover and weaponize exploits in-house, brokers like Zerodium offer market prices for zero-day exploits designed to break into applications and devices that customers—mostly governments—can purchase for targeted surveillance. Compared to bug bounties and Pwn20wn prizes, gray markets like Zerodium’s have a clear economic edge in rewarding researchers with more cash for the vulnerabilities they discover.

Zerodium Price Sheet

Image by Zerodium.

At the top shelf is the holy grail of exploits, a “zero-click” exploit that doesn’t require any action by the target in order to infect their device. Although this sounds super spooky, and it is, the average person is more likely to witness this kind of Hollywood hacking in a movie than in real life. As the one to two million dollar price tag on them suggests, they’re rare. In addition to their scarcity, zero-day exploits lose the “zero” when someone discovers and reports the exploit to the company that makes the affected software.

Once an exploit reaches a company’s security team (e.g., at Microsoft), that exploit is typically patched and then publicly disclosed. This is a point of contention between exploit platform companies like Hacking Team and their clients; when a client fumbles an attack and the zero-day ends up being discovered by the affected software companies, that exploit is no longer a zero-day once that vulnerability is fixed and and a software update is released to include that fix.

In a leaked exchange between Hacking Team and the Azerbaijan Ministry of Security, we can see that Hacking Team was less than excited at the possibility of a ham-fisted cyber attack leading to the target “make discover the exploit”—finding the exploit and reporting it to the company behind the software that it attacks, making it useless for Hacking Team’s other clients.

Once a zero-day exploit goes stale and becomes a known, patched vulnerability, it loses its economic value tremendously. So much so, that former marketplaces hawking $15 exploits for unpatched Wordpress plugins have shuttered their doors.

One reason for this is that any customer interested in buying zero-days already has the ability to read a vulnerability disclosure and build an exploit in a few hours with the publicly-disclosed research someone else did when they discovered it—anyone who would use a zero-day exploit already has the ability to weaponize a known exploit.

The other reason is that if a target’s device is patched with the latest software updates, it’s immunized from the exploit, and any attacks that leverage it. This is why applying any and all software updates on your devices is important—security-related software updates are vaccines for your browsers, smartphones, Tesla Roadster and everything else that can be updated.

There’s little that can be done in the extremely rare chance you’re being targeted with a million-dollar zero-day exploit. However, you can remain vigilant against more common exploits sent through suspicious text messages and phishing emails. As always, inoculate your devices, browsers and other apps against known exploits by running your software updates, and don't delay restarting when prompted to.

Security researchers who neutralize zero-day exploits as their jobs at software companies, through bug bounties, or hacking contests are turning down top-dollar gray market prices to give everyone a means of being better protected against the spectre of cyberwarfare. Run your software updates if you want to make their hard work count.

Read more about Security

First major study looks at how SecureDrop is used in newsrooms in North America

Today the Tow Center for Digital Journalism at Columbia Journalism School has published a first-of-its-kind study on how newsrooms are using SecureDrop, our open-source whistleblower submission system that is now ...

Publishing the unredacted SecureDrop 0.3.4 audit report

In July, we announced the release of SecureDrop 0.3.4 and published the accompanying security audit by iSEC partners (now NCC Group). The audit found 10 issues, one of ...

US officials have no problem leaking classified information about surveillance—as long as it fits their narrative

In the past few days there have been a flurry of stories about the Russian plane that crashed in the Sinai peninsula, which investigators reportedly think may have been caused ...