On the heels of WikiLeaks’s CIA hacking kit dump, RAND Corporation has released a study that looked at 200 zero-day exploits, some of which have remained unpatched and under wraps since 2002.
The study, which offers a rare look into the life of zero-day exploits, found the average life expectancy of an exploit was 6.9 years after initial discovery. An exploit’s life ends when the vendor patches the underlying flaw, either because it was publicly disclosed or because a second person independently finds the flaw and reports it to the vendor.
“The relatively long life expectancy of 6.9 years means that zero-day vulnerabilities—in particular the ones that exploits are created for gray, or government, market use—are likely old,” the report notes.
The report is relevant to discussions about WikiLeaks’ Tuesday release of more than 8,000 documents sketching out dozens of hacking tools the CIA had allegedly acquired for use in surveillance operations between 2013 and 2016. WikiLeaks hasn't released the source code.
The exploits detailed in the leak target flaws in major operating systems, including iOS, Android, Windows, and macOS, as well as browsers. Google and Apple have said that their respective mobile users are shielded from most of the flaws in the WikiLeaks dump.
The leak has raised questions about whether spy agencies are stockpiling exploits. Firefox maker Mozilla called on the CIA and WikiLeaks to disclose these bugs to vendors in order to protect users.
The Electronic Frontier Foundation said the documents suggested the CIA hadn't followed the US Government's Vulnerabilities Equities Process, which guides whether agencies like the NSA and CIA withhold a flaw for their own use or disclose it for the vendor to fix. The CIA has said that it does not use these exploits to target US citizens.
The 200 zero-day exploits RAND acquired for its analysis are unpatched flaws affecting software from 64 vendors, including Apple, Microsoft, Oracle, Adobe, Google, Citrix, LinkSys, and CryptoCat. The oldest date back to 2002 and the newest were found in 2016. RAND said the zero days were supplied by a vulnerability research organization it calls BUSBY, which consists of 18 hackers.
RAND’s statistical analysis found that within one year 5.7 percent of a given stockpile of zero-day vulnerabilities will have been discovered by an outsider, resulting in a “collision,” that is, two researchers independently finding the same bug. The data suggest that most zero days held by agencies like the CIA remain exclusive to them for several years.
The report’s authors argue that the low collision rate (5.7 percent a year) and the long average lifespan (6.9 years) of zero days lend support to the case for holders not disclosing the bugs they hold.
That’s because disclosing a vulnerability may offer only modest protection for users, and therefore keeping quiet about it—or “stockpiling” the vulnerabilities—may be reasonable for entities like governments looking to defend their own systems and potentially exploit flaws in others’, the firm writes.
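To make the arithmetic behind that argument concrete, here is an added illustration (not part of the article or of the RAND report): a small constant-hazard model in Python that takes the article’s 5.7 percent annual collision rate and 6.9-year average lifespan as inputs. The assumption that every bug in a stockpile faces the same, independent 5.7 percent chance of outside rediscovery each year is my simplification for illustration, not RAND’s method; the stockpile size of 200 is just the sample size quoted in the article, reused as an example input.

```python
"""Constant-hazard model of zero-day 'collisions'.

Added illustration, not code from the article or the RAND report.
Inputs taken from the article: 5.7 percent annual collision rate, 6.9-year
average exploit lifespan. Modeling assumption (mine): each year, each
undisclosed bug is independently rediscovered by an outsider with the same
fixed probability.
"""
import math

ANNUAL_COLLISION_RATE = 0.057   # from the article (RAND figure)
MEAN_LIFE_YEARS = 6.9           # from the article (RAND figure)


def survival(years, p=ANNUAL_COLLISION_RATE):
    """Probability a bug is still exclusive (no outsider rediscovery) after `years`."""
    return (1.0 - p) ** years


def collided_by(years, p=ANNUAL_COLLISION_RATE):
    """Probability that at least one outsider has found the bug within `years`."""
    return 1.0 - survival(years, p)


def exclusivity_half_life(p=ANNUAL_COLLISION_RATE):
    """Years until half of a stockpile has suffered a collision under this model."""
    return math.log(0.5) / math.log(1.0 - p)


def mean_years_to_collision(p=ANNUAL_COLLISION_RATE):
    """Mean waiting time to the first collision (geometric distribution, 1/p)."""
    return 1.0 / p


def expected_collisions(stockpile_size, years, p=ANNUAL_COLLISION_RATE):
    """Expected number of bugs in a stockpile rediscovered by outsiders within `years`."""
    return stockpile_size * collided_by(years, p)


def survival_table(years=(1, 2, 5, MEAN_LIFE_YEARS, 10)):
    """(years, fraction still exclusive) pairs for a quick look at the curve."""
    return [(y, survival(y)) for y in years]


if __name__ == "__main__":
    for y, s in survival_table():
        print(f"after {y:>4} years: {s:6.1%} of the stockpile still exclusive")
    print(f"half of the stockpile collided after ~{exclusivity_half_life():.1f} years")
    print(f"mean years to first collision: {mean_years_to_collision():.1f}")
    print(f"expected collisions in one year for 200 bugs: {expected_collisions(200, 1):.1f}")
```

Under this model a bug has roughly a 25 percent chance of having been independently found by year five and about a 34 percent chance by the 6.9-year average lifespan, and the stockpile’s exclusivity half-life is about 11.8 years. The mean wait for a collision (about 17.5 years) is far longer than the 6.9-year average life, which, if the constant-hazard assumption holds, implies that most exploits die for reasons other than independent rediscovery, consistent with the article’s description of vendor patching as the usual cause of death.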
“Typical ‘white hat’ researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it,” said RAND information scientist Lillian Ablon, who led the study.
“Others, like system-security-penetration testing firms and ‘grey hat’ entities, have incentive to stockpile them. But deciding whether to stockpile or publicly disclose a zero-day vulnerability—or its corresponding exploit—is a game of tradeoffs, particularly for governments.”
The study also looked at a number of other features of the zero-day market, including the price of buying bugs, the cost of finding a flaw and developing an exploit for it, and hacker wages. It also compares the career spans of exploit developers with those of white hat bug hunters, for example those who earn rewards from Google and Microsoft bounty programs.
Excluding researchers who found just one bug, the study found that the careers of 284 white hat hackers averaged 2.49 years, compared with a 4.49-year average for the 18 BUSBY exploit developers.