Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/16/2019
02:00 PM
James Plouffe
James Plouffe
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Schadenfreude Is a Bad Look & Other Observations About Recent Disclosures

The debate about whether Android or iOS is the more inherently secure platform misses the larger issues that both platforms are valuable targets and security today is no guarantee of security tomorrow.

It always feels a little unsavory when tech giants make public spectacles of security issues affecting competitors, especially against the backdrop of their pitched battle for primacy in the sphere of modern computing and the Internet. But it is hardly uncommon, whether it's Apple revoking Facebook and Google developer certificates due to perceived abuse or, more recently, when Google Project Zero published an extensive write-up detailing a series of Apple iOS vulnerabilities and their exploitation "in the wild."

The revelation of these exploits is significant primarily because it contradicts the prevailing wisdom that mobile OS zero days are narrowly targeted at individuals. In what appears to have been a long-running watering hole attack and unlike previous zero days, these exploits appear to have targeted ethnic groups rather than specific individuals, though the delivery mechanism meant that anyone visiting the compromised websites would be the object of attack.

The vulnerability disclosures — coupled with the subsequent increase in payouts for Android exploit chains — reinvigorated the discussion about the relative security of Android versus iOS and open versus closed source software more generally. Some researchers credit the open source roots of Android for increased security, and the reasoning is clear: Linus' Law famously says "given enough eyeballs, all bugs are shallow," a statement that should be equally true regardless of whether the bugs in question affect the function or the security of software.

Unsurprisingly, the reality is more nuanced. A claim on one side of the debate is that the closed source nature of iOS makes it harder for white-hat researchers to identify vulnerabilities, which implies that intent is a necessary factor in vulnerability discovery and exploitation, while ignoring the fact that vulnerabilities are discovered and exploited with some regularity (even if those exploits exist only to demonstrate severity and never progress past the proof-of-concept stage). Indeed, the work of the Project Zero researchers itself contradicts that notion insofar as they have been reporting iOS vulnerabilities since 2014.

They also separately discovered one of the same vulnerabilities in use by the attackers, though the intersection of those independent discoveries may be the exception rather than the rule. According to a Rand Corporation report, only 5.7% of vulnerabilities discovered by one party were independently discovered by another party within 12 months (the report does not, unfortunately, compare and contrast open and closed source software). If such statistics don't cast doubt on the idea of enough eyeballs making bugs shallow, then they at least raise questions about whether we've reached the critical mass of eyeballs and whether or not those eyeballs interpret what they're seeing the same way.

Though this set of exploits is alarming due to its capabilities, scale, and longevity, it is by no means the first instance of an extremely powerful and long-lived iOS exploit. In August 2016, Citizen Lab and Lookout uncovered the use of the so-called Trident vulnerabilities and Pegasus malware. Then, as now, there were proclamations about the relative security of Android and iOS. In the early days, many "high-value" targets were iOS users. Unsurprisingly, many exploit developers focused their efforts on iOS with varying degrees of success. It is important to remember, however, that absence of proof is not proof of absence, and a little less than a year after Pegasus, Chrysaor — the Android equivalent of Pegasus — was uncovered.

This parallel highlights an important fact: While threat actors might initially focus on a particular platform, it is unlikely that their objectives can be met by focusing exclusively on that platform. Increasing the number of targets is, by definition, a change in requirements. And it should go without saying — even if one accepts the premise that one platform is more difficult to exploit than another — difficult does not mean impossible. Like any "software" project, combining a change in requirements with a more difficult technical implementation typically increases costs. Rather than viewing the higher Android exploit prices as an indirect endorsement of platform security (though they are), it may be more useful to take them at face value: a bigger incentive to find exploitable vulnerabilities that will drive focus accordingly. As security researcher The Grugq recently reminded the Twitter-verse, "The people that buy those exploits? A million dollars isn't even a rounding error. ... Money is not a scarce resource for a serious threat actor."

Lastly, there is the issue of the long tail. The difference between Android and iOS exploit acquisition costs may reflect something unexpected: a potentially longer shelf life. While current versions of Android may be more difficult to exploit, nearly 54% of Android devices are running a version that is not guaranteed to receive security updates (that is, Android 7.0/ Nougat and older; only Android 7.1 and newer receive security updates) compared with 12% of iOS devices. A typical iOS device will receive major OS and security updates for one to two years more than the best-case equivalent for Android.

Ultimately, though, the issue isn't which platform is more secure. As Project Zero researcher Ian Beer said in his preface describing these vulnerabilities and exploits, "Real users make risk decisions based on the public perception of the security of these devices," which are a critical part of the lives of nearly one-third of the world population. Hopefully, platform developers, enterprises, and end users alike are heeding the advice Alex Stamos offers in his reworked version of the Apple response to the Project Zero blog posts by "staying vigilant in looking for attacks" because if there is a silver lining to more widespread use of exploits, it is that it should attract more eyeballs and, though those additional eyeballs may not necessarily make the bugs shallow, it will hopefully make them obvious.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Works of Art: Cybersecurity Inspires 6 Winning Ideas"

James Plouffe is a Lead Architect with MobileIron and a Technical Consultant for the hit series Mr. Robot. In his role as a member of the MobileIron Product and Ecosystem team, he is responsible for driving integrations with new technology partners, enhancing existing ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.