Cyber Security

‘Zero-Day’ Hacking Vulnerabilities Can Last For Years

Despite bug bounty programs seeking to find these flaws, it can take 7 years for exploits to be found

Illustration: R. A. Di Ieso
Mar 13, 2017 at 8:19 AM ET

When an elite group of hackers — those within the CIA, for example — acquire a secret way to break into your phone, your phone’s manufacturer might not know for years, a new study shows.

The study, the first major one of its kind, looks at 200 so-called “zero-day” exploits, a name that refers to how much time developers have to fix a vulnerability in their product’s code before hackers find it too and potentially hurt users. A zero-day for the latest version of iOS could enable hackers to break into an iPhone, for instance, though Apple aggressively pursues such problems to fix them as quickly as possible.

Conducted by the RAND Corporation, a think tank that often focuses on national security issues, the study found that zero-days are both rarer than one might think and that they often go undiscovered.

The study produced two particularly remarkable findings. First, a given zero-day exploit, once discovered but “hoarded” by whoever knows about it, has only about a 5.7% chance of being independently discovered by someone else within a year. This is despite the rising prevalence of “bug bounty” programs, in which a company pays independent researchers who find a zero-day vulnerability and quietly report it to the company. That has become a burgeoning business for some cybersecurity experts, as companies like Microsoft can pay up to $100,000 for a serious exploit.

In fact, the average life of a zero-day exploit is a whopping 6.9 years, indicating that there are simply enough possible vulnerabilities in software code that a dedicated and talented enough group, like elite government-sponsored hackers, will be able to continually use their best discoveries.

On Wednesday, WikiLeaks released the first of what it says is a number of caches of documents from Central Intelligence Agency hackers. While none of the documents released so far actually include zero-day exploits, they do make reference to some of them, especially for Android and the iPhone’s iOS, leaving open the possibility that a further release could give hackers a temporary advantage over victims.

Apple and Google, for their part, have both said they’re already aware of most of the vulnerabilities referenced and that users who have downloaded the latest versions of their respective operating systems should be safe.

That said, it’s as urgent now as ever: If your phone needs to update its operating system, do so as soon as you can. Chances are, doing so will protect you from yet another exploit.