When 17-year-old George Hotz became the worldâ€™s first hacker to crack AT&Tâ€™s lock on the iPhone in 2007, the companies officially ignored him while scrambling to fix the bugs his work exposed. When he later reverse engineered the Playstation 3, Sony sued him and settled only after he agreed to never hack another Sony product.
When Hotz dismantled the defenses of Googleâ€™s Chrome operating system earlier this year, by contrast, the company paid him a $150,000 reward for helping fix the flaws heâ€™d uncovered. Two months later Chris Evans, a Google security engineer, followed up by email with an offer: How would Hotz like to join an elite team of full-time hackers paid to hunt security vulnerabilities in every popular piece of software that touches the internet?
Today Google plans to publicly reveal that team, known as Project Zero, a group of top Google security researchers with the sole mission of tracking down and neutering the most insidious security flaws in the worldâ€™s software. Those secret hackable bugs, known in the security industry as â€œzero-dayâ€ vulnerabilities, are exploited by criminals, state-sponsored hackers and intelligence agencies in their spying operations. By tasking its researchers to drag them into the light, Google hopes to get those spy-friendly flaws fixed. And Project Zeroâ€™s hackers wonâ€™t be exposing bugs only in Googleâ€™s products. Theyâ€™ll be given free rein to attack any software whose zero-days can be dug up and demonstrated with the aim of pressuring other companies to better protect Googleâ€™s users.
â€œPeople deserve to use the internet without fear that vulnerabilities out there can ruin their privacy with a single website visit,â€ says Evans, a British-born researcher who formerly led Googleâ€™s Chrome security team and will now helm Project Zero. (His business cards read â€œTroublemaker.â€) â€œWeâ€™re going to try to focus on the supply of these high value vulnerabilities and eliminate them.â€
Project Zero has already recruited the seeds of a hacker dream team from within Google: New Zealander Ben Hawkes has been credited with discovering dozens of bugs in software like Adobe Flash and Microsoft Office apps in 2013 alone. Tavis Ormandy, an English researcher who has a reputation as one of the industryâ€™s most prolific bug hunters most recently focused on showing how antivirus software can include zero-day flaws that actually make users less secure. American hacker prodigy George Hotz, who hacked Googleâ€™s Chrome OS defenses to win its Pwnium hacking competition last March, will be the teamâ€™s intern. And Switzerland-based Brit Ian Beer created an air of mystery around Googleâ€™s secret security group in recent months when he was credited under the â€œProject Zeroâ€ name for six bug finds in Appleâ€™s iOS, OSX and Safari.
Evans says the team is still hiring. It will soon have more than ten full-time researchers under his management; Most will be based out of an office in its Mountain View headquarters, using flaw-hunting tools that range from pure hacker intuition to automated software that throws random data at target software for hours on end to find which files cause potentially dangerous crashes.
Google Vs. The Spooks
And what does Google get out of paying top-notch salaries to fix flaws in other companiesâ€™ code? Evans insists Project Zero is â€œprimarily altruistic.â€ But the initiativeâ€“which offers an enticing level of freedom to work on hard security problems with few restrictionsâ€“may also serve as a recruiting tool that brings top talent into Googleâ€™s fold, where they may later move on to other teams. And as with other Google projects, the company also argues that what benefits the internet benefits Google: Safe, happy users click on more ads. â€œIf we increase user confidence in the internet in general, then in a hard-to-measure and indirect way, that helps Google too,â€ Evans says.
This fits with a larger trend in Mountain View; Googleâ€™s counter-surveillance measures have intensified in the wake of Edward Snowdenâ€™s spying revelations. When the leaks revealed thatÂ the NSA was spying on Google user information as it moved between the companyâ€™s data centers, Google rushed to encrypt those links. More recently, itÂ revealed its work on a Chrome plug-in that would encrypt usersâ€™ email, and launched a campaign toÂ name which email providers do and donâ€™t allow for default encryption when receiving messages from Gmail users.
When a zero-day vulnerability gives spies the power to completely control target usersâ€™ computers, however, no encryption can protect them. Intelligence agency customersÂ pay private zero-day brokers hundreds of thousands of dollars for certain exploitsÂ with that sort of stealthy intrusion in mind. And the White House, even as it has called for NSA reform, hasÂ sanctioned the agencyâ€™s use of zero-day exploits for some surveillance applications.
All of that makes Project Zero the logical next step in Googleâ€™s anti-spying efforts, says Chris Soghoian, a privacy-focused technologist at the ACLU who has closely followed the zero-day vulnerability issue. He points to the now-famousÂ â€œfuck these guysâ€Â blog post by a Google security engineer addressing the NSAâ€™s spying practices. Â â€Googleâ€™s security team is angry about surveillance,â€ Soghoian says, â€œand theyâ€™re trying to do something about it.â€
Like other companies, Google has for years paid â€œbug bountiesâ€â€“rewards for friendly hackers who tell the company about flaws in its code. But hunting vulnerabilities in its own software hasnâ€™t been enough: The security of Google programs like its Chrome browser often depend on third-party code like Adobeâ€™s Flash or elements of the underlying Windows, Mac, or Linux operating systems. In March, EvansÂ compiled and tweetedÂ a spreadsheet, for instance, of all eighteen Flash bugs that have been exploited by hackers over the last four years. Their targetsÂ included Syrian citizens, human rights activists, and the defense and aerospace industry.
The idea behind Project Zero, according toÂ former Google security researcher Morgan Marquis-Boire, can be traced back to a late-night meeting he had with Evans in a bar in Zurichâ€™s Niederdorf neighborhood in 2010. Around 4am, the conversation turned to the problem of software outside of Googleâ€™s control whose bugs endanger Googleâ€™s users. â€œItâ€™s a major source of frustration for people writing a secure product to depend on third party code,â€ says Marquis-Boire. â€œMotivated attackers go for the weakest spot. Itâ€™s all well and good to ride a motorcycle in a helmet, but it wonâ€™t protect you if youâ€™re wearing a kimono.â€
Hence Project Zeroâ€™s ambition to apply Googleâ€™s brains to scour other companiesâ€™ products. When Project Zeroâ€™s hacker-hunters find a bug, they say theyâ€™ll alert the company responsible for a fix and give it between 60 and 90 days to issue a patch before publicly revealing the flaw on theÂ Google Project Zero blog. In cases where the bug is being actively exploited by hackers, Google says it will move much faster, pressuring the vulnerable softwareâ€™s creator to fix the problem or find a workaroundÂ in as little as seven days. â€œItâ€™s not acceptable to put people at risk by taking too long or not fixing bugs indefinitely,â€ says Evans.
Whether Project Zero can actually eradicate bugs in such a wide collection of programs remains an open question. But to make a serious impact, the group doesnâ€™t need to find and squash all zero-days, says Project Zero hacker Ben Hawkes. Instead, it only needs to kill bugs faster than theyâ€™re created in new code. And Project Zero will choose its targets strategically to maximize so-called â€œbug collisions,â€ the cases in which a bug it finds is the same as one being secretly exploited by spies.
In fact, modern hacker exploits often chain together a series of hackable flaws to defeat a computerâ€™s defenses. Kill one of those bugs and the entire exploit fails. That means Project Zero may be able to nix entire collections of exploits by finding and patching flaws in a small part of an operating system, like the â€œsandboxâ€ thatâ€™s meant to limit an applicationâ€™s access to the rest of the computer. Â â€On certain attack surfaces, weâ€™re optimistic we can fix the bugs faster than theyâ€™re being introduced,â€ Hawkes says. â€œIf you funnel your research into these limited areas, you increase the chances of bug collisions.â€
More than ever, in other words, every bug discovery could deny attackers an intrusion tool. â€œIâ€™m confident we can step on some toes,â€ Hawkes says.
Case in point: When George Hotz revealed his Chrome OS exploit in Googleâ€™s hacking competition last March to win the contestâ€™s six-figure prize, another competitionâ€™s contestants had simultaneously come up with the same hack. Evans says he also learned of two other private research efforts that had independently found the same flawâ€”a four-way bug collision. Instances like that are a hopeful sign that the number of undiscovered zero-day vulnerabilities may be shrinking, and that a team like Project Zero can starve spies of the bugs their intrusions require.
â€œWeâ€™re really going to make a dent in this problem,â€ Evans says. â€œNow is a very good time to make a bet on putting a stop to zero-days.â€