Most software has had a bug at some point. But what if that bug has the potential to open backdoors for hackers to exploit? Worse still, what if the developers of the software have no idea it exists? Criminals can abuse these so-called zero day vulnerabilities for months or even years before anyone patches them. So what are these vulnerabilities? And how much damage can they cause?
Apr 02, 2021 · 7 min read
The phrase “zero day” can refer to two different concepts — zero day vulnerabilities and zero day exploits. So, let's start with the first one.
A zero day vulnerability is a flaw in software or hardware which is yet to be discovered by its developers. This means that there's currently no way to plug the hole in security. It can be any vulnerability — a bug, lack of encryption, missing authorizations, to name a few examples.
The term zero day alludes to the amount of time — zero days — that the software vendor has been aware of the problem. The name goes back to online bulletin boards, where zero day referred to the number of days since a new piece of software had been released publicly.
In the best-case scenario, when someone discovers a zero day vulnerability, they report it to the software developers, who can then patch it before it is exploited. There are actually databases where the cybersecurity community pools its knowledge to help combat these threats together. But unfortunately, sometimes the hackers get there first.
This brings us to a zero day exploit. A zero day exploit is the code criminals use to abuse the zero day vulnerability for their own ends. Vulnerabilities allow them to carry out a zero day attack — installing backdoors, injecting malware, or stealing sensitive information.
Since zero day attacks can potentially be carried out undetected, these vulnerabilities are incredibly valuable. It's not only hackers looking to profit from the weak cybersecurity of a large organization. Intelligence agencies around the world can also initiate zero day exploits.
Discovering, buying, and selling zero day vulnerabilities is emerging as a whole industry.
So, what happens when hackers find the vulnerabilities before the vendors do?
There are many infamous zero day attack examples throughout modern history. Let's take a look at some of the most notorious incidents.
Stuxnet was a computer worm that used different Windows zero day vulnerabilities to target supervisory control and data acquisition (SCADA) systems.
The worm caused enormous damage to the nuclear program of Iran. It destroyed nearly a fifth of Iran's nuclear centrifuges and infected a staggering 200,000 computers. It's often described as one of the first cyber weapons since the perpetrators behind the worm are thought to be the United States and Israel.
The Sony hack in 2014 also tops the list as one of the most famous zero day exploits. During the Sony Pictures hack, criminals utilized a zero day vulnerability to break into the company's network and steal data.
Hackers later released the incredibly sensitive information, including copies of upcoming movies, the company's plans for the future, business deals, and emails from Sony's top management. What specific exploit the hackers used remains a mystery to this day.
Back in 2017, hackers found a vulnerability in Microsoft Word and developed Dridex malware which they then hid in MS Word attachments. Those who downloaded the file would activate the Dridex Trojan. The dangerous bank fraud malware spread to millions of users worldwide.
It's not just the apps you're using that can get targeted. The browser you're reading this blog post on could also be exploited.
In 2020 Firefox had a vulnerability that allowed hackers to place and execute code inside Firefox's memory. This enabled criminals to run malicious code on any of their victims' devices. The developers released an emergency patch, but not before some hackers managed to exploit it.
2021 hasn't been a great year for Chrome when it comes to zero day exploits. The browser had to issue three emergency patches for zero day vulnerabilities this year. The latest flaw could enable remote code execution and DDoS attacks on the systems affected.
Since any software you're using can fall victim to a zero day threat, what does that mean for businesses? A faulty line of code can create a backdoor in your organization’s systems, so the first thing to do is reorient your thinking about cybersecurity.
Most organizations' responses to cybersecurity incidents tend to be reactionary — responding to previously known threats. However, the problem with zero days is that, by the time you know what happened, it's already too late.
The key to zero day protection is a proactive approach. Detection, data, and activity monitoring are some of the first steps in avoiding zero day attacks.
So, how do you protect yourself from a threat you don't know about? Sometimes, hackers use zero day vulnerabilities together with other attack methods. Here's how to lower your risk of falling victim to an attack:
Amazon is expanding its employee tracking capacity with advanced AI cameras. These devices will monitor delivery drivers, who are being asked to sign biometric consent forms. The move, which would allow Amazon to institute new levels of bio-surveillance, raises some serious questions about employee privacy.
Amazon is installing AI-powered cameras in the vehicles of their delivery drivers. The camera system (sourced from Netradyne, an Indian company) can run continuously, tracking a driver's location, movements, and even facial expressions. This last point is particularly worrying, as it necessitates the collection of biometric data.
Amazon’s drivers are being offered a simple choice: consent to have their biometric data collected, or lose their jobs.
Biometric data, or biometrics, are unique and measurable physical attributes that identify a person. There are over 20 biometric identifiers including fingerprints, facial recognition, DNA, and hand geometry.
Unlike passwords and usernames, biometric data is permanent — if it leaks, it can't just be changed at source. That’s why many believe the collection and storage of biometric data is a risk, even if the company claims to use it ethically. One data breach could permanently compromise a person's biometric identifiers.
Amazon says the new cameras will help its drivers stay safe on the road. An AI system like Netradyne's can analyze the driver’s face and identify their level of fatigue, preventing accidents. Alternatively, it could track eye movement and notice if drivers were looking at their phones.
It's worth remembering, however, that many Amazon delivery drivers claim to have been pressured into speeding or driving while fatigued by their superiors within the company. Some drivers claim that they are expected to keep up with the delivery rates regardless of weather conditions or any other variables. Failing to do so can result in drivers being ‘written up’ or even fired.
If that's true, the justification for installing a bio-surveillance system is much more tenuous.
Employee monitoring certainly didn’t start with Amazon. From pre-digital punch-cards to key-logging software for modern remote workers, there's a long history of companies trying to track employee activity. These practices are intensifying, however, now that many people are working from home instead of the office.
In most countries, monitoring employees is legal — to an extent. In the European Union, for example, employers have to maintain some basic standards:
For Amazon, operating around the world, these rules often don't apply. Combined with a track record of disregarding employee health and safety, this move to increase driver surveillance doesn't bode well.
While AI cameras are a particularly drastic example of monitoring, companies have been tracking employees for years, using a variety of methods.
There are many good reasons to monitor employee activity, from data security to productivity. However, collecting too much data can directly affect the individual freedoms and privacy of employees. Furthermore, gathering employee data creates a tempting treasure trove for hackers and cybercriminals.
Amazon will claim that they're trying to improve road safety with their new cameras, but it's essential that these developments are scrutinized and criticized appropriately. No one should be pressured into signing away their biometric data.