
Zero Day Attacks: what are they and how to protect ourselves?

8/08/19

Following the recent attack on the social messaging platform WhatsApp, it is important to be aware of what a zero day is, how it is generated and what impact it has on users.

Recently, citizens around the world were alerted to an alleged vulnerability in WhatsApp that allowed something to be installed on the device without the user realising it. The vulnerability is a perfect example of what is known as a zero day, that is, a bug in the code that the software's developers have known about for zero days.

The term is said to have originated to refer to software that has not been publicly released: "zero day software" was highly prized by hackers who wanted to be the first to get it. Zero-day attacks carried out through common, easy-to-find bugs in small or little-known systems, architectures or applications are usually reported to the owners of the system as soon as they are found.

Where once one or two zero days were exploited out of more than a million pieces of malware discovered and processed each month by security firms, today the number is on the rise due to the development of a multi-million dollar market for buying and selling zero day vulnerabilities.

The zero-day market has three parts: the black market, where criminals exchange information to access systems and steal passwords and credit card numbers; the white market, where researchers and white hat hackers share information about vulnerabilities with developers in exchange for money to fix them; and the grey market, where researchers and companies, some of them military contractors, sell information to intelligence, military or law enforcement agencies for offensive or surveillance operations.

When it comes to an application like WhatsApp, with a good security structure behind it, a zero day is no longer something trivial found by chance. At this level, such vulnerabilities are discovered by companies that spend an enormous amount of time and resources on the search, usually because someone hires them to do the job.

It is important to emphasise that these types of attacks do not represent a threat to the general population, as such large amounts of money are used to reach very specific individuals, in certain circles of power, through a "patient zero" chosen for this purpose. Therefore, in these situations, it is important to do a personal risk analysis and ask oneself: can I be a target of such attacks? Unless we are activists or politicians, for example, the answer is no, and all we should be concerned about as ordinary users is updating the system.
