Project Zero Targets Who? What? Why?

October 18, 2019

Google does not confine its scrutiny to its own software, as the effective Project Zero demonstrates. That initiative’s researchers (a.k.a. hackers) seek out zero-day vulnerabilities in software created by Google and many other companies. Vice examines Project Zero in its article, “How Google Changed the Secretive Market for the Most Dangerous Hacks in the World.”

Since its launch in 2014, Project Zero reports it has found and helped fix more than 1,500 vulnerabilities. More than 300 of these were in Apple products, over 500 in Microsoft’s, and more than 200 in Adobe Flash, to give just a few examples. One of these researchers was part of the team that found the Intel chips’ Spectre and Meltdown vulnerabilities. The project has also influenced the cybersecurity industry in more general ways. Reporter Lorenzo Franceschi-Bicchierai writes:

“For one, Project Zero has normalized something that years ago was more controversial: a strict 90-day deadline for companies that receive its bug reports to patch the vulnerabilities. If they don’t patch in that time frame, Google drops the bugs itself. Microsoft, in particular, was not a fan of this policy at the beginning. Today, most companies that interact with Project Zero respect that 90-day deadline as an industry standard, a tidal change in the always controversial debate on the so-called ‘responsible disclosure’—the idea that security researchers who find vulnerabilities should first disclose them to the affected company, so that it can fix them before the bugs are exploited by hackers. According to its own tally, around 95 percent of bugs reported by Project Zero get patched within that deadline.”

Then there is the effect on what the article calls the “insecurity industry,” companies like Azimuth Security and NSO Group that also seek out zero-day vulnerabilities, but for a different reason. We’re told:

“Instead of reporting the vulnerabilities to the companies who own the software, these companies sell them to governments who turn them into tools to hack and surveil targets. ‘F— those guys,’ said a researcher who works for a company that does offensive security, referring to Project Zero. ‘They don’t make the world safer.’ The researcher … said that zero-day vulnerabilities are sometimes used to go after terrorists or dangerous criminals. So when Project Zero kills those bugs, it may be killing tools used by intelligence agencies to go after the bad guys, according to the researcher.”

That is one perspective, but one with which many security experts disagree. See the article for more on that dispute. There is no doubt companies the world over have benefited from Project Zero’s work, but what does Google get out of the effort? Good press is one thing, of course, but Franceschi-Bicchierai suggests another motive—the excuse to poke around in its competitors’ software and reveal their weaknesses. Whatever the motivations, Project Zero now seems entrenched in the cybersecurity landscape.

Now what about the timing of the announcement about an Apple iPhone vulnerability while downplaying Android phone issues?

Minor issue, right?

Cynthia Murrell, October 18, 2019
