Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/16/2019
02:00 PM
James Plouffe
James Plouffe
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Schadenfreude Is a Bad Look & Other Observations About Recent Disclosures

The debate about whether Android or iOS is the more inherently secure platform misses the larger issues that both platforms are valuable targets and security today is no guarantee of security tomorrow.

It always feels a little unsavory when tech giants make public spectacles of security issues affecting competitors, especially against the backdrop of their pitched battle for primacy in the sphere of modern computing and the Internet. But it is hardly uncommon, whether it's Apple revoking Facebook and Google developer certificates due to perceived abuse or, more recently, when Google Project Zero published an extensive write-up detailing a series of Apple iOS vulnerabilities and their exploitation "in the wild."

The revelation of these exploits is significant primarily because it contradicts the prevailing wisdom that mobile OS zero days are narrowly targeted at individuals. In what appears to have been a long-running watering hole attack and unlike previous zero days, these exploits appear to have targeted ethnic groups rather than specific individuals, though the delivery mechanism meant that anyone visiting the compromised websites would be the object of attack.

The vulnerability disclosures — coupled with the subsequent increase in payouts for Android exploit chains — reinvigorated the discussion about the relative security of Android versus iOS and open versus closed source software more generally. Some researchers credit the open source roots of Android for increased security, and the reasoning is clear: Linus' Law famously says "given enough eyeballs, all bugs are shallow," a statement that should be equally true regardless of whether the bugs in question affect the function or the security of software.

Unsurprisingly, the reality is more nuanced. A claim on one side of the debate is that the closed source nature of iOS makes it harder for white-hat researchers to identify vulnerabilities, which implies that intent is a necessary factor in vulnerability discovery and exploitation, while ignoring the fact that vulnerabilities are discovered and exploited with some regularity (even if those exploits exist only to demonstrate severity and never progress past the proof-of-concept stage). Indeed, the work of the Project Zero researchers itself contradicts that notion insofar as they have been reporting iOS vulnerabilities since 2014.

They also separately discovered one of the same vulnerabilities in use by the attackers, though the intersection of those independent discoveries may be the exception rather than the rule. According to a Rand Corporation report, only 5.7% of vulnerabilities discovered by one party were independently discovered by another party within 12 months (the report does not, unfortunately, compare and contrast open and closed source software). If such statistics don't cast doubt on the idea of enough eyeballs making bugs shallow, then they at least raise questions about whether we've reached the critical mass of eyeballs and whether or not those eyeballs interpret what they're seeing the same way.

Though this set of exploits is alarming due to its capabilities, scale, and longevity, it is by no means the first instance of an extremely powerful and long-lived iOS exploit. In August 2016, Citizen Lab and Lookout uncovered the use of the so-called Trident vulnerabilities and Pegasus malware. Then, as now, there were proclamations about the relative security of Android and iOS. In the early days, many "high-value" targets were iOS users. Unsurprisingly, many exploit developers focused their efforts on iOS with varying degrees of success. It is important to remember, however, that absence of proof is not proof of absence, and a little less than a year after Pegasus, Chrysaor — the Android equivalent of Pegasus — was uncovered.

This parallel highlights an important fact: While threat actors might initially focus on a particular platform, it is unlikely that their objectives can be met by focusing exclusively on that platform. Increasing the number of targets is, by definition, a change in requirements. And it should go without saying — even if one accepts the premise that one platform is more difficult to exploit than another — difficult does not mean impossible. Like any "software" project, combining a change in requirements with a more difficult technical implementation typically increases costs. Rather than viewing the higher Android exploit prices as an indirect endorsement of platform security (though they are), it may be more useful to take them at face value: a bigger incentive to find exploitable vulnerabilities that will drive focus accordingly. As security researcher The Grugq recently reminded the Twitter-verse, "The people that buy those exploits? A million dollars isn't even a rounding error. ... Money is not a scarce resource for a serious threat actor."

Lastly, there is the issue of the long tail. The difference between Android and iOS exploit acquisition costs may reflect something unexpected: a potentially longer shelf life. While current versions of Android may be more difficult to exploit, nearly 54% of Android devices are running a version that is not guaranteed to receive security updates (that is, Android 7.0/ Nougat and older; only Android 7.1 and newer receive security updates) compared with 12% of iOS devices. A typical iOS device will receive major OS and security updates for one to two years more than the best-case equivalent for Android.

Ultimately, though, the issue isn't which platform is more secure. As Project Zero researcher Ian Beer said in his preface describing these vulnerabilities and exploits, "Real users make risk decisions based on the public perception of the security of these devices," which are a critical part of the lives of nearly one-third of the world population. Hopefully, platform developers, enterprises, and end users alike are heeding the advice Alex Stamos offers in his reworked version of the Apple response to the Project Zero blog posts by "staying vigilant in looking for attacks" because if there is a silver lining to more widespread use of exploits, it is that it should attract more eyeballs and, though those additional eyeballs may not necessarily make the bugs shallow, it will hopefully make them obvious.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Works of Art: Cybersecurity Inspires 6 Winning Ideas"

James Plouffe is a Lead Architect with MobileIron and a Technical Consultant for the hit series Mr. Robot. In his role as a member of the MobileIron Product and Ecosystem team, he is responsible for driving integrations with new technology partners, enhancing existing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...
CVE-2020-5242
PUBLISHED: 2020-02-20
openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file whic...
CVE-2020-8601
PUBLISHED: 2020-02-20
Trend Micro Vulnerability Protection 2.0 is affected by a vulnerability that could allow an attack to use the product installer to load other DLL files located in the same directory.