Are governments using zero-day exploits?

What is a zero-day attack?

A zero-day attack takes place when someone exploits a zero-day vulnerability. In such cases, perpetrators outrun the developers in finding loopholes in their products and exploit them for their own needs. Developers have zero days to patch it; hence the name.

Basically, the severity of such an attack depends on how fast developers manage to fix the loophole. However, things can get more complex when powerful external parties such as government agencies get involved.

Zero-day exploits in China

China’s recent exploitation of the iPhone’s vulnerability is an example of how governments can use zero-day hacks to further agendas of oppression and surveillance. An iPhone loophole discovered in the country’s hacking competition was used to spy on Uyghur Muslims, a minority experiencing severe oppression by Chinese government.

The exploit (nicknamed Chaos) targeted the iPhone’s kernel, the core of its operating system. Using this backdoor as a starting point, a remote attacker could take over even the newest iPhones. Apple has patched the vulnerability since it was found, but it’s alleged that the Chinese government was able to use it in surveillance operations for at least some time.

Then, months later, Google researchers announced that iPhones were also being massively compromised by five different exploits, which were very similar to Chaos. It was later revealed that the Chinese government used them to target Uyghur Muslims, an ethnic minority that has faced extreme oppression in China.

Zero-day as a government tool

While the Chinese government’s use of zero-day vulnerabilities seems to be one of the most extreme examples, they may not be the only administration employing these methods. Other governments also tend to exploit zero-day breaches for data hoarding, national cybersecurity, and surveillance. Worse still, they’ll often avoid informing developers about these loopholes.

Finding potential exploits but not reporting them is called vulnerability stockpiling. Stockpiling takes place when a government starts collecting vulnerabilities for future use instead of encouraging developers to patch them. Officials can inject their own encryption backdoors or hire independent contractors, who actively look for these vulnerabilities and sell them to a government.

Here are a few examples of governmental exploitation of zero-day loopholes:

• Stuxnet is one of the most famous examples of the exploitation of zero-day attacks on the geopolitical level. Equation Group, the hacker organization suspected for its links with NSA, used four zero-day vulnerabilities to initiate attacks against Iran’s nuclear program.
• In 2016 a group called Shadow Brokers publicized a set of vulnerabilities allegedly stockpiled by the NSA and affecting security products such as Cisco, Juniper and Fortinet, which protect US infrastructure.
• In 2014 Bloomberg news reported on Heartbleed, a vulnerability the NSA allegedly knew about for two years and used for intelligence gathering.

Stockpiling may give governments a chance to monitor certain targets, detect potential threats, and even sabotage their opponents’ infrastructure. However, it also poses a huge threat to their own citizens. Other parties can discover such vulnerabilities and use them against the state, its businesses, and its people.

The Solarwinds attack is a prime example of such a case. While we still don’t know for sure how hackers acquired the code, some claim that the attack was caused by an encryption backdoor installed by the NSA.

How to protect yourself

While no one can guarantee a full protection against the state-level threat factors and encryption backdoors, there are some steps you can take to reduce the risk.

Firstly, always update your software, so your device has the latest security patches. Developers usually fix the vulnerabilities once we discover it, so make sure to have the newest patches available.

Secondly, use a VPN. While a VPN won’t protect you from backdoors lurking in your software, it will encrypt your traffic and nobody will be able to stalk you. Snoopers won’t be able to see what you do online, and your location information will be hidden.