Anyone with knowledge of otherwise unknown software vulnerabilities can use that information to hack the computers of targets, whether for espionage or for financial gain. Now Google says it has new plans to put that practice on ice.
On Tuesday, the Silicon Valley giant announced that it was bringing several security researchers onboard to join its newly unveiled “Project Zero,” where together they’ll aim “to significantly reduce the number of people harmed by targeted attacks” by searching for critical internet vulnerabilities and bringing them to light before they can be exploited by someone with ill intent.
According to a statement from Google, Project Zero is hiring “the best practically-minded security researchers and contributing 100 percent of their time toward improving security across the internet.”
“You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” Project Zero researcher Chris Evans writes in Tuesday’s press release. “Yet in sophisticated attacks, we see the use of ‘zero-day’ vulnerabilities to target, for example, human rights activists or to conduct industrial espionage. This needs to stop. We think more can be done to tackle this problem.”
A thriving underground market currently exists for so-called “zero-day” exploits — exploits that take advantage of unpatched glitches, bugs and outright flaws that the developers responsible for those applications have had no time, or zero days, to repair. Basement hackers and government-paid agencies alike rely on zero days to attack targets, and the right exploits reportedly fetch upwards of six figures when sellers can prove that the vulnerabilities they’ve discovered can do a lot of damage.
So significant are certain zero days, in fact, that a group of cyber experts assembled by United States President Barack Obama last year warned that the US intelligence community should avoid stockpiling exploits; earlier this month, the National Security Agency was sued for failing to adequately explain how it hoards these exploits. Recently, the NSA was accused of keeping details about the colossal Heartbleed bug hidden before it was eventually caught in part by Google’s researchers and patched.
Speaking to Wired journalist Andy Greenberg for an article published this week, Evans added that zero-days, no matter who is aware of them, need to be expunged from the internet.
“People deserve to use the internet without fear that vulnerabilities out there can ruin their privacy with a single website visit,” he told Greenberg. “We’re going to try to focus on the supply of these high value vulnerabilities and eliminate them.”
According to Greenberg, the “hacker-hunters” being brought onboard Project Zero will scour various products in search of bugs, then alert the company responsible for the affected application and ask it to provide a patch. Developers will then have between 60 and 90 days to issue a fix, at which point Project Zero will publicly disclose the vulnerability on an official Google blog. If a zero-day is being actively exploited, Greenberg added, Google’s hackers will aim to find a fix of their own as soon as possible.
“It’s not acceptable to put people at risk by taking too long or not fixing bugs indefinitely,” explained Evans.