Matt Tait Warns of Stolen Zero Days at Black Hat USA 2021
Matt Tait opened Day 1 of Black Hat USA 2021 with a remote keynote presentation on supply chain compromises entitled “Supply Chain Infections and the Future of Contactless Deliveries.” Tait is Chief Operating Officer of Corellium, which produces emulation software for Android and iOS. Previously he worked for the UK's GCHQ and Google's Project Zero team.
“The number of Zero Days being exploited in the wild is completely off the charts,” Tait said, starting his presentation. Specifically, he cited the Colonial Pipeline attack, the Kaseya hack, the Nobelium Exchange incidents, the SolarWinds breach, NSO/Pegasus, the DPRK targeting of researchers, the Codecov compromise, and the Uighur iOS hacks (Insomnia) as recent examples. Three of these events, he said, involved stolen Zero Days.
Zero Days are vulnerabilities that have not yet been reported to the vendor.
Tait defined “stolen Zero Days” as “... things like the North Korean targeting of security researchers. Why were they doing that? They were doing it in order to gain access to this security research. In both the Kaseya hack and the Microsoft Exchange hacks, there's credible evidence that security researchers found these vulnerabilities -- these exact vulnerabilities -- and wrote exploits for them. And at some point between then and the patch being released, or shortly afterwards, somehow these proofs of concept, these working exploits, managed to get into the hands of these offensive actors who used them, enabling some of these massive attacks.”
“Why?” Tait asked the audience. “Well, offense seems to be taking the gloves off. And this is both in the government sector, you know, doing espionage, and in the financially motivated crime where industry ransomware is getting to the point now where it's beginning to overwhelm our ability to respond in the defensive sector.”
Zero Day Exploitation Still Rare
“Weirdly, mass exploitation with zero days is pretty rare. I want to go into why that's the case. First of all, Zero Day vulnerabilities have become much harder against hardened platform security systems. Platform Security has made it necessary, but if you want to attack a system to gain entry, you're probably not just going to need to have one vulnerability in that system, but a chain of vulnerabilities.”
“These things are very expensive thanks to platform security investments. Every time an actor that has one of these zero day chains wants to use it on an observable platform, there’s a risk for that threat actor, and the possibility that the zero day chain or some aspect of that intrusion gets detected.”
So there’s a heavy cost to the attacker, be it a government or a criminal enterprise. First is the cost of discovering or stealing the Zero Day. Then there’s the cost associated with the risk of it being exposed. If it is exposed, the vendor will mitigate it, usually with a patch, and that Zero Day becomes worthless, or nearly worthless, for future attacks.
A disturbing trend that Tait noted is that while we have visibility into desktop application platforms, we don’t necessarily have visibility into mobile device platforms.
“On mobile devices,” Tait said, “there's been some really high volume exploitation. The amount of in-the-wild zero day exploitation against mobile phone devices is up dramatically. But here's a weird observation. The reason we know these are being exploited in the wild is overwhelmingly not from on-device telemetry. This is an important observation because it means that we're not getting this from the devices; we're only really getting a tiny glimpse of what actually might be happening out there in the world. A lot of these zero days that are being discovered are being left on targeted by governments on watering hole sites.”
Tait said that today there’s a huge industry scanning Windows binaries. Not so much with mobile apps. “You can't scan the App Store,” he said. The mobile platform vendors have engineered against it.
Possible Zero Day Solutions
Tait outlined a few known solutions -- such as testing your software, of course -- then talked about how entitlements on mobile apps might work. These are granular permissions. “In the mobile space,” he said, “your app does not have any components running as root or running as system. There's no system permission for a custom installer. There's no system permission for a background updater. Any … compromise is only going to compromise the app. It's not going to compromise the entire phone.”
Tait did add that, “entitlements can have weird and bespoke preconditions. The COVID entitlement in iOS is an entitlement that allows you to access the iOS COVID Test and Trace Bluetooth system that they've created, but not every app can just ask for this. If you want to have this permission, there are additional requirements and there are some other entitlements that you can't have at the same time.” Still, greater use of entitlements seems like a workable framework against future mass exploitation on our mobile devices.
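The entitlement model Tait describes in the two passages above (no system-level permissions for third-party apps, prerequisites before a sensitive entitlement is granted, and entitlements that cannot be held together) can be expressed as a small policy evaluator. The following is an added example, not code from Tait's talk, Corellium or any platform vendor; the entitlement names, developer attributes and rules are hypothetical and only mirror the rule shapes described, and the evaluator fails closed on conflicts.

```python
from dataclasses import dataclass, field


@dataclass
class EntitlementPolicy:
    # entitlement -> developer attributes the vendor requires before granting it
    prerequisites: dict = field(default_factory=dict)
    # pairs of entitlements one app may not hold at the same time
    mutually_exclusive: set = field(default_factory=set)

    def evaluate(self, requested: set, developer_attrs: set) -> dict:
        """Return {"granted": set, "denied": {entitlement: reason}}."""
        denied = {}
        for ent in sorted(requested):
            missing = self.prerequisites.get(ent, set()) - developer_attrs
            if missing:
                denied[ent] = "missing prerequisite: " + ", ".join(sorted(missing))
        for a, b in self.mutually_exclusive:
            if a in requested and b in requested and a not in denied and b not in denied:
                # fail closed: neither of the conflicting entitlements is granted
                denied[a] = f"conflicts with {b}"
                denied[b] = f"conflicts with {a}"
        return {"granted": requested - set(denied), "denied": denied}


# Constructed policy (hypothetical names) mirroring the rule shapes in the talk:
# a contact-tracing entitlement only for a vetted class of developer, a
# system-level capability that third parties can never obtain, and one pair
# of entitlements that may not be combined.
POLICY = EntitlementPolicy(
    prerequisites={
        "exposure-notification": {"public-health-authority"},
        "custom-installer": {"platform-vendor"},  # never available to third-party apps
    },
    mutually_exclusive={("exposure-notification", "background-location")},
)


def review_app(requested, developer_attrs=()):
    """Evaluate one app's entitlement request against POLICY."""
    return POLICY.evaluate(set(requested), set(developer_attrs))


if __name__ == "__main__":
    print(review_app(["camera", "exposure-notification"]))
    print(review_app(["exposure-notification", "background-location"],
                     ["public-health-authority"]))
```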