The Cost of Using Zero-Days

I'm quite proud of my officemate, Bill Marczak, who with along with John Scott-Railton discovered an iOS zero-day apparently used by the United Arab Emirates to attack human-rights activist Ahmed Mansoor. The analysis happened quickly. Bill captured the zero-day on August 11th, it was reported to Apple on August 15th, and patched by Apple on August 24th. Personally and professionally, it was incredibly exciting to watch Bill take my girlfriend’s iPhone, click on the malicious link, and see it taken over in real time by a state actor using a zero-day.

Lawfare’s readership includes many individuals who are at high risk of being targeted by state actors with access to these now rapidly-expiring exploits. Some of you are well-aware of that. But for those who think no one would be interested in compromising your phone or emails use this rule: Do the topics discussed on Lawfare relate, at all, to your professional life? Great, you qualify. It is time to update your iPhone software. Today. (And if you have a non-Nexus Android phone then you need to “upgrade” by throwing that directly into a trash can).

Beyond the immediate need to patch the flaws, there are a number of important technical and policy lessons to be learned from this event—including the complexity of targeting modern hardened systems, the significant capabilities of "lawful" malcode vendors, and the real world cost of misusing zero-days.

To exploit an iPhone you need more than a single vulnerability, functional exploits are chains of two or three. In this case the "Trident" attack required exploiting a chain of vulnerabilities: a corruption in WebKit to take over Safari, a kernel memory disclosure vulnerability necessary to bypass the kernel's defenses, and a kernel memory corruption used to take over the phone.

It is this extreme hardening that makes iOS generally such a hard target because it means that a single weakness is insufficient to take over the phone. Thus, the open-market price for fully-weaponized iOS exploits can reach a million dollars. Compare that to Cisco's ASA firewalls which can be compromised with just a single EXTRABACON packet. The difference here is not just a matter of code quality, but a question of defense-in-depth. The defensive design of Apple iOS is just not found in many other systems.

The revelation of these zero-days also demonstrates the significant capabilities of the "lawful" intercept commercial market. This particular implant turns the target's phone into a sophisticated spy post, including controlling the microphone, extracting contents, and intercepting otherwise "secure" calls. The command and control is both highly stealthy and effective, using HTTPS to seemingly innocuous looking servers with a recovery mechanism through SMS. It also included code to monitor both battery and data usage to maintain stealth. This is as capable and stealthy as what we’d expect to see the NSA deploying—and it’s no coincidence many businesses in this market employ individuals trained by intelligence services around the world.

Recognizing the capacities, there is real concern about the companies that define “lawful” as a government willing to pay the bill, the "Werner von Braun school of rocketry" attitude. Remarkable capacity and insufficient regulation of these tools poses a direct threat to US interests. Already, direct evidence has emerged that this software was used to target a Mexican journalist and it is easy to image it also being used to target US companies and government officials.

The episode also shows the limitation of using zero days. Every time a zero-day is used—especially against hardened targets like iPhones—there is the risk of disclosure, and that risk scales with the support infrastructure. Criminals and terrorists are unlikely to have the necessary infrastructure to detect these kinds of attacks but government employees and many activists do.

If NSO Group's customers had only used their software to target actual criminals, then it is highly unlikely the exploit would ever have been discovered. Because the company—expressly or negligently—permitted a customer to use their product to target a peaceful activist (with good support infrastructure), the NSO Group is now looking at million-dollar bill to replace the now non-functional chain of zero-day exploits. Maybe their contract allows them to directly charge the UAE. But if not, it’s hard to feel all that sorry for them.