ZD Tech: Zero-day rifts, so special and valuable
Hello everyone and welcome to ZD Tech, ZDnet's editorial podcast. My name is Louis Adam and today I will explain to you why zero-day vulnerabilities are so special, and valuable, in terms of computer security.
These somewhat special vulnerabilities are the nightmare of publishers and manufacturers like Apple, but also of their users. And they are sometimes sold for millions of euros, for the benefit of intelligence services and cybercriminals who wish to use them.
But to understand what a zero-day flaw is, you must already understand what a flaw is. It is a bug in a computer program, an error that will cause the computer or device to behave in unexpected ways. These flaws can be used to take control of the device, steal secret information like passwords and other such things.
When these vulnerabilities are discovered, the publisher publishes an update to its software.
These updates aim to fix the error and make the flaw unusable. The user must therefore download and apply the latest updates provided by the publishers of his software to protect himself. This is easier said than done: attackers often take advantage of known and corrected flaws, but which users have not had time to patch.
advertisementSo what is a zero-day breach more than a normal breach?
A zero-day flaw, it is precisely a flaw unknown to the software publisher. Since the creator of the program is not aware of its existence, there are no updates to fix the problem. And the end user can therefore do nothing to protect themselves.
To hack your phone or your computer, zero-day vulnerabilities are therefore the ideal method. This is the reason why information on these vulnerabilities is sold at sometimes delirious prices: up to 2 million dollars for a zero-day flaw on an iPhone, for example.
Faced with this, the publishers themselves offer to pay security researchers who report vulnerabilities to them, in order to be able to fix them. Unfortunately, the amounts offered by these reward programs often struggle to match the prices charged by zero-day flaw brokers. For a researcher who has discovered a vulnerability of this type, the temptation is therefore great to sell it to a broker who will use it to circumvent the protections of a system.
These kinds of awards reserve the use of these vulnerabilities to government-backed organizations, such as intelligence or law enforcement agencies. They officially use it to hack suspects' devices as part of their investigations. But sometimes cybercriminals can also get their hands on it, and take advantage of it to do a lot of damage.
Related Articles