It’s not just you. Emergency software patches, which force users to update phones and computers immediately because hackers have found a novel way to break in, are becoming more common.
Such emergency vulnerabilities are called “zero days,” an indication that the vulnerability in a program is so urgent that software engineers have zero days to write a patch for it. Against a hacker with the right zero day, the consumer has no choice but to wait for software updates or discard devices altogether.
Once considered highly valuable cyber weapons held primarily by elite government hackers, publicly disclosed zero-day exploits are on the rise. Project Zero, a Google team dedicated to identifying and cataloging zero days, has counted 44 this year alone where hackers likely discovered them before researchers did. That is already a sharp increase over the previous year’s 25. Since 2018 the number has increased every year.
Researchers raised the alarm on Monday over a major problem: Israeli spyware company NSO Group, which sells programs for governments to remotely take over people’s smartphones and computers, had found a new way into virtually every Apple device by sending a fake GIF via iMessage. The only way to protect yourself against this is to install the emergency software update from Apple.
Katie Moussouris, founder and CEO of Luta Security, a company that connects cybersecurity researchers and vulnerable companies, said the zero-day increase was due to ad hoc programming of software that often only treats security as an afterthought.
But almost paradoxically, the rise in zero days reflects an online world where certain people are more vulnerable, but most are actually more secure from hackers.
“That was absolutely inevitable,” she said. “We’ve never addressed the root cause of any of these vulnerabilities that didn’t build security from the ground up.”
The Citizen Lab, the University of Toronto’s cybersecurity research center, which discovered Monday’s vulnerability, only saw it while examining a Saudi dissident’s iPhone. And the lab was inclined to look for it because it has repeatedly found that Saudi Arabia is using NSO’s spyware to target the kingdom’s dissidents, including staff of slain Washington Post columnist Jamal Khashoggi.
But while the people targeted by the Saudi Arabian government would have to be on extreme alert, most people could actually be safer. Since large operating software tends to have better security, hackers often need to acquire and use one or more zero-day exploits in order to take complete control of people’s smartphones, said Maddie Stone, a security researcher with Project Zero.
Most people should be more concerned about the significant data leaks from private companies. “A wide range of people don’t have to worry day by day,” Stone said on a phone call. “This wouldn’t feel intuitive to most, but the rise in the number of zero days is actually a response to increased security measures being deployed on a much larger scale.”
Of course, users still need to update their phones to keep that security, especially since the news of a new zero day could inspire more hackers to reverse engineer how to get into any phone running an older version of its operating system. “I think more of us should be concerned in public,” said Stone. Because although fewer people could be hacked, “these zero-day attack cases tend to have a much greater impact.”
Kevin Collier is a cybersecurity, privacy, and technology policy reporter for NBC News.