Zero-day exploits have made hacking easier than ever

The internet can give and take away privacy on a whim

Completely eradicating one’s privacy online may suddenly take zero days. 

Zero-day software exploits take advantage of imperfect coding to achieve any number of ends from surveillance to theft. The companies selling these exploits can make millions of dollars per year, according to researchers at Rand Corp. 

The U.S. government, research shows, is a large customer.

Ziming Zhao, a professor at the ASU School of Computing, Informatics and Decision Systems Engineering, works with the University’s Laboratory of Security Engineering for Future Computing, which researches cybersecurity and system defense. 

“In reality, in all of our systems, there are a lot of vulnerabilities,” Zhao said. 

He defined these vulnerabilities as any piece of code in software that could be abused or attacked in a way that makes the program perform an unintended action. These range from "keyloggers" that record every input on a computer to malware that damages one’s device, Zhao said. 

The programs that attack these vulnerabilities are called 'exploits,' and once developed, they can infiltrate any software that uses the same code, Zhao said. Because so many pieces of software share the same code, one exploit can affect many people, he said. As yet, this is not the easiest way to infiltrate a system, but it is the most reliable, Zhao said. 
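An added illustration of the kind of coding flaw Zhao describes, written for this page and not part of the original article or of Zhao's remarks: a toy length-prefixed record format (constructed here, not a real protocol) is parsed once with a bounds check that wraps around on a large, attacker-chosen length and once with a check that cannot wrap. The flawed check is exactly the sort of reusable mistake that, once found in shared code, gives an exploit reach into every program that copied it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy record format, constructed for this example (not a real protocol):
 *   [1 byte: field length][field bytes]
 * A parser copying the field into a fixed-size buffer has to check the
 * claimed length against both the remaining input and the destination size.
 */
#define FIELD_MAX 16

/* The kind of bug an exploit targets: offset + len is computed on untrusted
 * values, wraps around for a large len, and so "passes" for an impossible
 * range. A program using this check would read past the end of its buffer. */
static bool bounds_ok_vulnerable(uint32_t total, uint32_t offset, uint32_t len)
{
    return offset + len <= total;   /* wraps when offset + len overflows */
}

/* Hardened check: no arithmetic on untrusted values that can overflow. */
static bool bounds_ok_hardened(uint32_t total, uint32_t offset, uint32_t len)
{
    return offset <= total && len <= total - offset;
}

/*
 * Extract the record's field into out[FIELD_MAX] using the hardened check.
 * Returns the field length on success, or -1 if the record is truncated or
 * the field does not fit the destination. Never reads or writes out of bounds.
 */
static int extract_field(const uint8_t *rec, uint32_t rec_len, char out[FIELD_MAX])
{
    if (rec_len < 1)
        return -1;
    uint32_t len = rec[0];
    if (!bounds_ok_hardened(rec_len, 1, len))   /* field lies within the record? */
        return -1;
    if (len >= FIELD_MAX)                        /* room for the field plus NUL?  */
        return -1;
    memcpy(out, rec + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed inputs: one well-formed record, one that claims more bytes than it has. */
    const uint8_t good[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t truncated[] = { 40, 'x', 'y' };
    char out[FIELD_MAX];

    printf("good record      -> %d (%s)\n", extract_field(good, sizeof good, out), out);
    printf("truncated record -> %d\n", extract_field(truncated, sizeof truncated, out));

    /* The wrapping check accepts an impossible range; the hardened one rejects it. */
    printf("vulnerable check(64, 60, 0xFFFFFFFF) = %d\n",
           bounds_ok_vulnerable(64, 60, 0xFFFFFFFFu));
    printf("hardened   check(64, 60, 0xFFFFFFFF) = %d\n",
           bounds_ok_hardened(64, 60, 0xFFFFFFFFu));
    return 0;
}
```

With offset 60 and length 0xFFFFFFFF, the sum wraps to 59, so the vulnerable check reports the range as inside a 64-byte buffer; the hardened form compares the length against the space actually remaining and rejects it.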

“Eventually, security is not really about machines, systems or algorithms,” Zhao said. “Security is about people, and people are the weakest link.” 

Because cybersecurity and privacy are closely related, many defensive methods serve both. Still, the two sometimes conflict. 

“In order to maintain national security, sometimes we have to violate individuals’ privacy,” Zhao said. 

Lillian Ablon, a research scientist at Rand Corp., recently published “Zero Days, Thousands of Nights,” which describes how long zero-day exploits last and who is buying them. Exploits and vulnerabilities are deemed "zero-day" when there are no known fixes or patches available to the public, Ablon said. While they do have beneficial uses, such as researching how to develop more secure programming, she said zero-day exploits have other uses, too.

“There are uses in offensive operations,” Ablon said. “If there is a very hardened target … then using a zero-day exploit in order to get on the system, or in order to enable another attack through another means may be the only way to get on.”  

Ablon said the prevalence of vulnerabilities is caused by a complicated interaction between business and technology. 

“In general, security is looked at as a cost, something that is really saving money rather than making money,” Ablon said. 

Rewriting all the code in entire systems would be too costly, Ablon said, especially when releasing software quickly can mean higher profits. 

“Functionality trumps security and will continue to trump security,” Ablon said. 

Because software that shares code also shares the vulnerabilities within that code, software is becoming easily exploitable, Ablon said. 

Ablon said discovering exploits does not mean they are quickly fixed. The average life expectancy for an exploit after it is initially discovered is 6.9 years, the research shows.

Bill Richards, cofounder of the law firm Baskin Richards, said many loopholes exist to gain access to citizens’ privacy. 

“The general consensus is that the Fourth Amendment is going to protect your privacy interests in your online data and information,” Richards said. 

Still, when sending information to a third party, such as Google or cloud storage, the law no longer considers that information private, even though its creators may not be aware of that, Richards said. 

While federal statutes exist to protect service providers from citizen or criminal requests for information, Richards said the government and law enforcement have ways around this. 

“Law enforcement, however — if you properly go through the criminal investigatory process — can go through those things,” Richards said. 

When it comes to why selling exploits and vulnerabilities to governments is legal, Richards said laws concerning the electronic world are vastly different than those concerning the physical.  

“If anyone thinks for a moment that the laws are always based upon a critical assessment, an in depth understanding of how everything operates, you’re fooling yourself,” Richards said. 

As technology progresses, its legal issues can only become more complicated, Richards said. 

“Technology is evolving, and it will never stop evolving,” Richards said. “So, the policies will always be a step behind, if not 10 steps behind.” 

Reach the reporter at chawk3@asu.edu.