'Zero-day' hacks, like the one that forced Apple’s emergency update, are on the rise

It’s not just you. Emergency software patches, in which users are pushed to immediately update phones and computers because hackers have figured out some novel way to break in, are becoming more common.

Researchers raised the alarm Monday about a big one: The Israeli spyware company NSO Group, which sells programs for governments to remotely take over people’s smartphones and computers, had figured out a new way into practically any Apple device by sending a fake GIF through iMessage. The only way to guard against it is to install Apple’s emergency software update.

Such emergency vulnerabilities are called “zero days” — a reference to the fact that the flaw is already being exploited, so software engineers have had zero days to write a patch for it. Against a hacker with the right zero day, there is nothing consumers can do other than wait for software updates or ditch devices altogether.

Once considered highly valuable cyberweapons held mostly by elite government hackers, publicly disclosed zero-day exploits are on a sharp rise. Project Zero, a Google team devoted to identifying and cataloging zero days, has tallied 44 this year alone where hackers had likely discovered them before researchers did. That’s already a sharp rise from last year, which saw 25. The number has increased every year since 2018.

Katie Moussouris, founder and CEO of Luta Security, a company that connects cybersecurity researchers and companies with vulnerabilities, said that the rise in zero days is thanks to the ad hoc way that software is usually programmed, which often treats security as an afterthought.

“It was absolutely inevitable,” she said. “We’ve never addressed the root cause of all of these vulnerabilities, which is not building security in from the ground up.”

But almost paradoxically, the rise in zero days reflects an online world in which certain individuals are more vulnerable, but most are actually safer from hackers.

The Citizen Lab, the University of Toronto’s cybersecurity research hub that discovered Monday’s vulnerability, only saw it because it was examining a Saudi Arabian dissident’s iPhone. And the lab was inclined to look for it because it has repeatedly found Saudi Arabia using NSO’s spyware to target the kingdom’s dissidents, including associates of the slain Washington Post columnist Jamal Khashoggi.

But while people targeted by the Saudi Arabian government would need to be on extremely high alert, most individuals might actually be safer. Because major operating systems tend to have better security stopgaps in place, hackers often have to acquire and use one or more zero-day exploits to fully gain control of people’s smartphones, Maddie Stone, a Project Zero security researcher, said.

Most people have more to be concerned about from the sizable data leaks at private companies.

“A big range of people don’t have to worry about [zero days] on a day to day basis,” Stone said in a phone call. “This would feel counterintuitive to most, but seeing the number of zero days rise is actually in response to increased security defenses being deployed at a much larger scale.”

Of course, users still need to update their phones to have that safety, especially because news of a new zero day might inspire more hackers to reverse engineer how to get into any phone that’s running an older version of its operating system.

“I do believe more of us in the public need to be worried,” Stone said. Because while fewer people may be hacked, “those instances of zero day attacks tend to have a much larger impact.”