The race for N-days: Why millions of us are still vulnerable to known exploits
Nicolas Trippar, security researcher at Zimperium.
When disaster strikes the enterprise, zero-day vulnerabilities are sometimes at the heart of cyberattacks.
In other scenarios, so-called N-days, or known bugs, are used as a way to tunnel into defenses if proper patch management has not been applied.
Vendors use different tactics to find zero-days before they reach the hands of cyberattackers, including internal bug hunting for their products, testing, and bug bounties to offer financial rewards for external researchers who find and submit legitimate vulnerability reports.
Once bugs have been found, security patches are developed which smooth over these problems in publicly-released software. Microsoft, Adobe, and Google are only a handful of many vendors which implement monthly to quarterly security updates, which then are automatically pushed to the public, or in the case of mobility vendors, made available for companies down the supply chain to release to their customers.
Zimperium security researcher Nicolas Trippar told ZDNet that N-day vulnerabilities can be "just as dangerous as zero-days," and as such, vendors and companies alike should take note not just of new security flaws for the latest handsets, but all those which are resolvable through security updates and patches.
No security system is 100 percent foolproof, and the mobility sector -- while not at the same risk levels of desktop systems -- has fragmented patch deployment due to delays, vendor customization of official operating systems which can undermine security protocols, and the sheer number of handsets which run on various software versions.
While fresh exploits such as Heartbleed, Dirty Cow, WannaCry and the NSA vulnerability cache hit the spotlight and captured the attention of companies that immediately began updating and making sure these bugs could not be weaponized to harm users, there is a risk of forgetting already known bugs which are not being fixed on older devices.
Some mobile device users will keep their smartphone for years and few upgrade every time a new flagship device comes out, and as such, vendors have a responsibility to make sure patch deployment is enforced.
"Most bug bounty programs purchase zero-days and then develop a patch for the vulnerability, but the problem is that millions of users never receive these patches and are left at risk," Trippar says. "By focusing on N-days, or patched vulnerabilities instead, Zimperium is doing everything it can to influence the mobile ecosystem to increase the speed that users receive security updates."
See also: Cash isn't everything when bug bounties compete with the black market
Unknown exploit bug bounties are well-known, but Zimperium is one of the few companies that focus on the details of already acknowledged security flaws. Back in February, the company announced a bug bounty scheme and budget of $1.5 million for N-day bugs, in which there is a time of one or more days in which systems can be exploited and attacked before systems receive updates for known vulnerabilities.
The company says that by snapping up N-days and releasing these exploits to the Zimperium's Handset Alliance (ZHA) and then later to the public, they are able to support carriers facing this barrier to protection by pushing players to patch more quickly.
The ZHA, made up of enterprise players including Samsung, SoftBank, Telstra, and Blackberry, are given the details and proof-of-concept code before it is released publicly, which in turn pushes them to patch before attackers can take advantage of unresolved N-days.
The security researcher says it is a "race between hackers and the patching process" once vulnerabilities are released to the public, and so unless vendors jump on patches and deploy them in good time, users can be left without protection -- even though it may available in the supply chain, somewhere.
In addition, an interesting factor is the "proof of exploitability" sometimes demanded by handset vendors. If such vendors are reluctant because the patch process costs time and money, they may demand such proof before pushing security updates down the chain. Therefore, if the technical details behind a security flaw have not been released to the public, convincing these vendors can be even more difficult to accomplish.
Problems surrounding mobile security continue to place users at risk. The issue is serious enough that in May, the FCC and FTC announced a joint investigation into why it takes so long for handsets in the US to receive security updates, and in some cases, why some models are never issued any fixes at all.
Google, BlackBerry, HTC, LG, Motorola, Samsung, Microsoft, and Apple have been ordered to provide information to regulators as part of the investigation.
"For Android in particular, the ecosystem is extremely fragmented, making it challenging for Google and smartphone manufacturers to update software and patch security issues in a timely manner," Trippar says. "While these logistics are difficult to manage, we feel it is unacceptable to leave millions of Android users susceptible to known security issues. Suppliers in the Android ecosystem must prioritize the safety of all users, not just those who are buying the latest device."