What is a zero-day cyber attack?

The name sounds sinister because it’s a hacker’s dream, a secret vulnerability that has no specific defense.

By Peter Welander April 11, 2014

One of the terms you will hear with regularity if you follow cyber security issues is a zero-day attack or a zero-day vulnerability. The name sounds scary and it should. It designates a vulnerability that a hacker has found in a network or product that can be exploited that nobody else responsible for defending the system knows about.

If Microsoft learns of a vulnerability related to Windows, the company will begin finding ways that the program code can be changed or patched to eliminate the problem. In the meantime, it may publicize the vulnerability so users can determine if they are at risk and take other appropriate actions to set up other defenses until the problem is patched. Until the problem is recognized and users are informed, hackers can make use of the vulnerability. The specific term in this case means that the defenders have had zero days to develop a solution.

Here’s a nontechnical example: Let’s say many of the electrical cabinets and strategic pieces of equipment in your plant are secured with combination padlocks from Whizzo Lock Company. That company has a good reputation, or at least that’s what you believe, so you trust that those locks are effective protection.

But let’s say some clever individual with criminal leanings begins to study those locks, going so far as to buy the same model and dissecting it. For the sake of the illustration, he discovers to his amazement that all those locks have a built-in master combination in addition to the normal combination. Whizzo designed them such that company service people can open any lock by using this secret combination. Users aren’t aware of this capability and therefore do not try to defend against it, as the company only lets a very select group of people know about it. This is analogous to a PLC with a hard-coded user name and password that have been built into a device but not included in the documentation, effectively a special "back door" for servicing.

Or, as a second possibility, let’s say the criminal analyst looks at a group of locks and discovers that the serial number actually gives the combination if you know how to decode it. So if someone trying to break it can get to the lock and read the number, he can put it in a calculator and multiply it by the secret factor and get the combination. Again, this is something that the company doesn’t tell the general public for obvious reasons. This is analogous to a server with a hard-coded password that can be derived from the MAC address.

As a third possibility, maybe there is a mechanical weakness that he discovers. After looking at the insides, he finds that the lock can be pried open with a crowbar without too much trouble when the dial is set at 39. This was not intentional; it’s just a small design flaw that the manufacturer didn’t realize. This is analogous to a programming flaw or hardware peculiarity that allows a hacker to break in or otherwise cause mischief.

There are other attack vectors that aren’t strictly zero-day but can get the job done. As a fourth possibility, perhaps the user company buys the locks with all the combinations the same so workers don’t have to remember more than one. The criminal watches eBay and buys a piece of equipment sold by the company as surplus with the lock still in place and gets the combination that way. This is analogous to facilities selling used PLCs or other equipment with programming, data, and passwords still intact. This is a very common practice, unfortunately.

All of these represent specific weaknesses that have been found in various types of industrial networking hardware and devices, or user practices. If the criminal is aware of them but the users are not, that is effectively a zero-day situation.

This brings up a larger issue related to security that we have discussed in other contexts. As Matt Luallen discussed in July’s cover story on problems related to mobile computing, all defensive measures require some measure of trust. If that trust fails, that defensive measure does not give the protection it is supposed to give. If enough of the defensive measures fail, the bad guy gets the run of the network. When the measure fails because of a zero-day vulnerability, you won’t know how he got through your defenses. You can take some comfort in that once those problems are identified after somebody else gets hacked, users can take appropriate measures, or at least they should, before they suffer the same fate. Unfortunately, vulnerabilities that are uncovered but not fixed continue to provide attack vectors.

Peter Welander is a content manager for Control Engineering. Reach him at pwelander@cfemedia.com 

This article originally appeared in the August 2012 Control Engineering issue.

ONLINE

Read more about cyber security below.