Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/16/2019
02:00 PM
James Plouffe
James Plouffe
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Schadenfreude Is a Bad Look & Other Observations About Recent Disclosures

The debate about whether Android or iOS is the more inherently secure platform misses the larger issues that both platforms are valuable targets and security today is no guarantee of security tomorrow.

It always feels a little unsavory when tech giants make public spectacles of security issues affecting competitors, especially against the backdrop of their pitched battle for primacy in the sphere of modern computing and the Internet. But it is hardly uncommon, whether it's Apple revoking Facebook and Google developer certificates due to perceived abuse or, more recently, when Google Project Zero published an extensive write-up detailing a series of Apple iOS vulnerabilities and their exploitation "in the wild."

The revelation of these exploits is significant primarily because it contradicts the prevailing wisdom that mobile OS zero days are narrowly targeted at individuals. In what appears to have been a long-running watering hole attack and unlike previous zero days, these exploits appear to have targeted ethnic groups rather than specific individuals, though the delivery mechanism meant that anyone visiting the compromised websites would be the object of attack.

The vulnerability disclosures — coupled with the subsequent increase in payouts for Android exploit chains — reinvigorated the discussion about the relative security of Android versus iOS and open versus closed source software more generally. Some researchers credit the open source roots of Android for increased security, and the reasoning is clear: Linus' Law famously says "given enough eyeballs, all bugs are shallow," a statement that should be equally true regardless of whether the bugs in question affect the function or the security of software.

Unsurprisingly, the reality is more nuanced. A claim on one side of the debate is that the closed source nature of iOS makes it harder for white-hat researchers to identify vulnerabilities, which implies that intent is a necessary factor in vulnerability discovery and exploitation, while ignoring the fact that vulnerabilities are discovered and exploited with some regularity (even if those exploits exist only to demonstrate severity and never progress past the proof-of-concept stage). Indeed, the work of the Project Zero researchers itself contradicts that notion insofar as they have been reporting iOS vulnerabilities since 2014.

They also separately discovered one of the same vulnerabilities in use by the attackers, though the intersection of those independent discoveries may be the exception rather than the rule. According to a Rand Corporation report, only 5.7% of vulnerabilities discovered by one party were independently discovered by another party within 12 months (the report does not, unfortunately, compare and contrast open and closed source software). If such statistics don't cast doubt on the idea of enough eyeballs making bugs shallow, then they at least raise questions about whether we've reached the critical mass of eyeballs and whether or not those eyeballs interpret what they're seeing the same way.

Though this set of exploits is alarming due to its capabilities, scale, and longevity, it is by no means the first instance of an extremely powerful and long-lived iOS exploit. In August 2016, Citizen Lab and Lookout uncovered the use of the so-called Trident vulnerabilities and Pegasus malware. Then, as now, there were proclamations about the relative security of Android and iOS. In the early days, many "high-value" targets were iOS users. Unsurprisingly, many exploit developers focused their efforts on iOS with varying degrees of success. It is important to remember, however, that absence of proof is not proof of absence, and a little less than a year after Pegasus, Chrysaor — the Android equivalent of Pegasus — was uncovered.

This parallel highlights an important fact: While threat actors might initially focus on a particular platform, it is unlikely that their objectives can be met by focusing exclusively on that platform. Increasing the number of targets is, by definition, a change in requirements. And it should go without saying — even if one accepts the premise that one platform is more difficult to exploit than another — difficult does not mean impossible. Like any "software" project, combining a change in requirements with a more difficult technical implementation typically increases costs. Rather than viewing the higher Android exploit prices as an indirect endorsement of platform security (though they are), it may be more useful to take them at face value: a bigger incentive to find exploitable vulnerabilities that will drive focus accordingly. As security researcher The Grugq recently reminded the Twitter-verse, "The people that buy those exploits? A million dollars isn't even a rounding error. ... Money is not a scarce resource for a serious threat actor."

Lastly, there is the issue of the long tail. The difference between Android and iOS exploit acquisition costs may reflect something unexpected: a potentially longer shelf life. While current versions of Android may be more difficult to exploit, nearly 54% of Android devices are running a version that is not guaranteed to receive security updates (that is, Android 7.0/ Nougat and older; only Android 7.1 and newer receive security updates) compared with 12% of iOS devices. A typical iOS device will receive major OS and security updates for one to two years more than the best-case equivalent for Android.

Ultimately, though, the issue isn't which platform is more secure. As Project Zero researcher Ian Beer said in his preface describing these vulnerabilities and exploits, "Real users make risk decisions based on the public perception of the security of these devices," which are a critical part of the lives of nearly one-third of the world population. Hopefully, platform developers, enterprises, and end users alike are heeding the advice Alex Stamos offers in his reworked version of the Apple response to the Project Zero blog posts by "staying vigilant in looking for attacks" because if there is a silver lining to more widespread use of exploits, it is that it should attract more eyeballs and, though those additional eyeballs may not necessarily make the bugs shallow, it will hopefully make them obvious.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Works of Art: Cybersecurity Inspires 6 Winning Ideas"

James Plouffe is a Lead Architect with MobileIron and a Technical Consultant for the hit series Mr. Robot. In his role as a member of the MobileIron Product and Ecosystem team, he is responsible for driving integrations with new technology partners, enhancing existing ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.