Dearest Gentle Reader,

Totally kidding! This isn’t Bridgerton. We have gathered here today to talk about the new (current top 10) Netflix drama Zero Day. Although I must say, I would rather review Bridgerton because it didn’t leave me feeling like I lost hours of my life I will never get back. I only made it through two episodes of this show, and honestly, that was enough to convince me that the rest of the plot didn’t matter—I had seen enough to understand that the writers didn’t actually know how zero-day cyberattacks work. Let’s dig in. 


My experience as an ethical hacker

Before we get into what I thought of the show and why, please allow for a brief introduction:

I work as a full-time white-hat hacker. In other words, I attempt to hack into software and systems and find issues and vulnerabilities before the bad guys can. This doesn’t mean that I’m white AND hack, or that my hat is necessarily always white (because I actually prefer to wear black hats), but it’s code for “I’m one of the good guys.” Ironically, the “bad guys” are called “black hats.” Confused yet? Yeah, me too. But the good news is, I’m no stranger to finding “zero days.” In this blog post, I leverage my experience as a top hacker to speak on the new series Zero Day.

The goal of authorized hacking (read: hacking with permission) is to strengthen defenses by finding issues (“weaknesses”) and plugging the holes before the bad guys find and exploit them to their advantage. Exploitation can take the form of data breaches, malicious code, authentication bypasses, unauthorized access to systems, credential hijacking, etc. This is where Bugcrowd comes in. Bugcrowd provides a platform for companies and hackers like me, the good guys, to hack, communicate, and resolve issues before a bug the vendor doesn’t yet know about (a “zero-day” bug) gets exploited. Such measures are extremely valuable to companies and even more valuable to all of us as their customers. You wouldn’t believe some of the bugs I have seen throughout the years that, if exploited by bad guys, would have wreaked major havoc. Hackers like me take care of one terrible bug (you will never hear about) at a time. Because of Bugcrowd and hackers, the world is a safer place.

I work part-time with Bugcrowd, and somehow, I am ranked #1 in the United States and top 10 worldwide on the platform. I have a keen knack for breaking things. These ranks are established by logging bugs with programs (e.g., private companies, governments), and the variety in impact is what ultimately determines a hacker’s rank. Long story short, we generally receive payouts and points for each bug. The points are based on advanced linear squirrel math to sort hackers into ranks. The money is used to purchase organic dark roast coffee to find more bugs; it’s a cycle. That being said, statistics and “hacking ranks” are completely overrated, so without further delay, let’s get into the show a bit.


Zero Day series review from a hacker’s perspective

The most realistic thing about Zero Day was that the government, by the second or third day after the attack, had already managed to form an entirely new department, procure an office building, fill it with personnel, and—don’t miss this—fabricate an elaborate six-foot painted and embossed sign that says “Zero Day Commission” to go on the office wall. Shirts were made, hats were worn. Hoorah. Now that’s what getting work done looks like. They may not have had a clue what happened, who did it, or why, but at least they made a huge sign. 

The show’s overall political plotline was totally predictable with rent-a-Russian bad guys and the former president’s annoying memory issues. It was all enough to ruin it for me.


How realistic is a Zero Day mass-scale attack?

Against my nature, I have fought the urge to discuss the plot further and instead decided to just focus on the question, “How realistic is a zero-day attack like this, and could it actually happen?” For reference, I made that question up, but I think that is the elephant in the room. The “zero day” in question is really a coordinated attack that hits hardware, firmware, and software across a wide variety of geographic locations, running a multitude of different operating systems, architectures, and versions—simultaneously. It’s a lot to wrap your mind around.

In isolation, I believe everything you saw in the show is possible. For instance, taking over local or regional train control systems: possible. Hijacking air traffic control of a single or maybe several airports: possible. Hacking into an emergency broadcast system to blast phones: absolutely possible. Hacking into a single subway control system: definitely possible. Through experience, I’m a believer that “if it connects to a network or internet, it can be hacked.” And keep in mind that this doesn’t mean systems that are not network-connected can’t be hacked. Everything can be hacked. But in Zero Day, the attack seemed to be on a mass scale, and every single type of cyber and device attack was deployed. That’s a little less realistic. In reality, many of these systems are isolated from one another: they run on separate operational technology (OT) networks, so each one would require its own precision attack. Hitting them all at once is far-fetched.

For an attack of this scale and coordination to occur, as things exist today, an attack group (bad guys) would have to be sitting on hundreds of different significant bugs across systems, bugs unknown to the vendors and engineers running those systems (zero days). Deploying an attack of this scale on an extensive number of targets simultaneously would require a massive team, significant artificial intelligence (AI) leverage, or for lack of a better phrase, an absolute “ass of code.” That being said, what do you think the various world governments’ cyber warriors are doing all day? Countries make weapons, “just in case.” They create nukes, sharks with lasers on their heads, things like that. They also discover and file away zero-day cyber bugs against technology, assets, and targets, just in case they need to use them one day. So, an attack of this scale is unlikely, but a very large, seemingly well-coordinated attack of scale isn’t impossible.


How convenience leads to security challenges

Weaponizing computer commands, in my opinion, is and will continue to be a large part of how wars are fought. I’ve logged maybe 1600 bugs on Bugcrowd, and I’m just one person. If I sat on all of those bugs for a “just-in-case day” and had a team to unleash them all at once, well, I guess that would have been a really LOUD day on the internet. But keep in mind, there are different types of hackers out there. I primarily go after software and apps, sensitive data, unauthorized access to systems, etc. So in this instance, you would have seen the biggest single-day data breach in history, with huge companies and mammoth amounts of data affected. Much wow. Other hackers target remote code execution on systems, server-side request forgery (SSRF), and command and control, which is closer to what would be required for the Zero Day series events to occur—that and a ton of insider help, or AI. AI is super creepy.

As society progresses, we continue to move away from security and privacy and more toward convenience and data sharing. Convenience and data sharing. Convenience and data sharing. I have an idea—let’s plug a light bulb that connects to the internet into your house. You know, it needs your Wi-Fi password, was built in China, and has access to your home network—but at least you don’t have to stand up, walk 3 feet, and flick your light switch. Oh, and you can set it to 500 different colors. Never mind that you may have a hacker (or a foreign government) crawling your network through your lightbulb. 

The same goes for home IP cameras. Simply from my own home internet connection, I’ve hacked into three different companies’ cameras. Every time, it’s the same problem; it comes down to some silly programmer’s “mistake” with authorization or access control. The last company I hacked only took an hour to break into. 

Hackers monitor supply chain issues as well. For instance, if all of our TVs come from a certain country, and they are “smart TVs,” what is to prevent that country from putting backdoors in them? Maybe our government uses these TVs for teleconferencing. Maybe they are in most Americans’ homes. Do I have “smart” devices in my house? Sure. I just don’t give them the internet. Maybe that makes TVs stupid, but I feel smarter. So ask yourself, when a device is asking for access to your network or the internet, is it worth the risk? In theory, this is how a bad actor could hack a government system at significant scale—if the supply of technology isn’t varied, if too many devices are connected without a proper inspection for backdoor threats, and especially if cameras aren’t routinely tested for bugs.


Conclusion: Could this actually happen in real life?

All that being said, a very advanced threat actor with some insider help, teams of people, and massive computing power could make the events of Zero Day happen in real life. A lot would have to line up perfectly, but it’s not impossible. There’s always a chance disaster can occur. We as a society certainly hope it’s not possible. Want to be safer? Don’t buy so many devices with a modem in them that connects to the internet. But that’s life, and may the odds be forever in your favor. The fun conveniences that come with AI and the internet powering everything come with some risk.

In closing, a movie that is more realistic and does a better job of reflecting real cyber threats is a recent release on Netflix called Leave the World Behind. This is because the attack focused on breaking the core requirements and critical infrastructure that many systems share: the internet, positioning data (GPS), and electricity. What happens when the internet goes down? Start the timer before the world tears itself apart. I think if we were to see an attack like that in Zero Day, it would probably only be a short time before the attack in Leave the World Behind follows. And in my opinion, AI is going to be involved.

Humans can’t resist the urge to build and innovate, and I do believe that we have finally reached a milestone where we’ll look back on this time period and say, “Oops.” Twenty years from now, there will probably be robots in most homes (occupied by the same people who have Alexas). Each will be connected to the internet and part of the AI “hive mind” able to answer any question we could possibly have about anything at any time. Whether they are doing our dishes, folding our laundry, cooking us dinner, or playing with our children, they will always be listening, always watching, always “helping,” and making life easier. Until one day they flip. And not just them but everything else that AI can connect to—the cars, the cameras, the airplanes, the ships, the trains, the subways, the electric and gas, and your smart light bulb. Someone should really make a movie about that. 😜