After finding a number of flaws in software used by many end-users while researching other problems, such as the critical "Heartbleed" vulnerability, Google decided to form a full-time team dedicated to finding such vulnerabilities, not only in Google software but any software used by its users. The new project was announced on 15 July 2014 on Google's security blog. When it launched, one of the principal innovations that Project Zero provided was a strict 90-day disclosure deadline along with a publicly visible bugtracker where the vulnerability disclosure process is documented.
While the idea for Project Zero can be traced back to 2010, its establishment fits into the larger trend of Google's counter-surveillance initiatives in the wake of the 2013 global surveillance disclosures by Edward Snowden. The team was formerly headed by Chris Evans, previously head of Google's Chrome security team, who subsequently joined Tesla Motors. Other notable members include security researchers Ben Hawkes, Ian Beer and Tavis Ormandy. Hawkes eventually became the team's manager.
The team's focus is not just on finding bugs and novel attacks, but also on researching and publicly documenting how such flaws could be exploited in practice. This is done to ensure that defenders have sufficient understanding of attacks; the team keeps an extensive research blog with articles that describe individual attacks in detail.
Bug finding and reporting
Bugs found by the Project Zero team are reported to the manufacturer and only made publicly visible once a patch has been released or if 90 days have passed without a patch being released. The 90-day-deadline is Google's way of implementing responsible disclosure, giving software companies 90 days to fix a problem before informing the public so that users themselves can take necessary steps to avoid attacks. There have been cases where the vendor neglects to produce any solution for the discovered flaws within 90 days of having been notified, before the public disclosure by the team, thus leaving users of the compromised systems vulnerable.
- Gal Beniamini
- Thomas Dullien
- Chris Evans
- George Hotz
- Matt Tait
- Steven Vittitoe
One of the first Project Zero reports that attracted attention involved a flaw that allowed hackers to take control of software running the Safari browser. For its efforts, the team, specifically Beer, was cited in Apple's brief note of thanks.
On 30 September 2014, Google detected a security flaw within Windows 8.1's system call "NtApphelpCacheControl", which allows a normal user to gain administrative access. Microsoft was notified of the problem immediately but did not fix the problem within 90 days, which meant information about the bug was made publicly available on 29 December 2014. Releasing the bug to the public elicited a response from Microsoft that they are working on the problem.
On 9 March 2015, Google Project Zero's blog posted a guest post that disclosed how a previously known hardware flaw in commonly deployed DRAM called Row Hammer could be exploited to escalate privileges for local users. This post spawned a large quantity of follow-up research both in the academic and hardware community.
On 19 February 2017, Google discovered a flaw within Cloudflare's reverse proxies, which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Some of this data was cached by search engines. A member of the Project Zero team referred to this flaw as Cloudbleed.
Project Zero was involved in discovering the Meltdown and Spectre vulnerabilities affecting many modern CPUs, which were discovered in mid-2017 and disclosed in early January 2018. The issue was discovered by Jann Horn independently from the other researchers who reported the security flaw and was scheduled to be published on 9 January 2018 before moving the date up because of growing speculation.
On 18 April 2019, Project Zero discovered a bug in Apple iMessage wherein a certain malformed message could cause Springboard to "...crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input." This would completely crash the iPhone's UI making it inoperable.This bug would persist even after a hard reset. The flaw also affected iMessage on Mac with different results. Apple fixed the bug within the 90 day period before Project Zero released it.
On 1 February 2019, Project Zero reported to Apple that they had detected a set of five separate and complete iPhone exploit chains affecting iOS 10 through all versions of iOS 12 not targeting specific users but having the ability to infect any user who visited an infected site. A series of hacked sites were being used in indiscriminate watering hole attacks against their visitors which Project Zero estimated receive thousands of visitors per week. Project Zero felt the attacks indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years. Apple fixed the exploits in the release of iOS 12.1.4 on 7 February 2019, and said the fixes were already underway when reported by Project Zero.
- Greenberg, Andy (15 July 2014). "Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers". Wired. ISSN 1059-1028. Retrieved 6 March 2019.
- Evans, Chris (15 July 2014). "Announcing Project Zero". Google Online Security Blog. Retrieved 4 January 2015. CS1 maint: discouraged parameter (link)
- "Project Zero Bug Tracker". Retrieved 11 April 2019. CS1 maint: discouraged parameter (link)
- "Chris Evans on Twitter". Retrieved 22 September 2015. CS1 maint: discouraged parameter (link)
- Greenberg, Andy (15 July 2014). "Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers". Wired.com. Retrieved 4 January 2015. CS1 maint: discouraged parameter (link)
- "Project Zero Research Blog". Retrieved 11 April 2019. CS1 maint: discouraged parameter (link)
- Dent, Steven (2 January 2015). "Google posts Windows 8.1 vulnerability before Microsoft can patch it". Engadget. Retrieved 4 January 2015. CS1 maint: discouraged parameter (link)
- Fingas, John (4 March 2019). "Google discloses 'high severity' Mac security flaw ahead of patch". Engadget. Retrieved 6 March 2019.
- Davies, Chris (3 January 2018). "Google reveals CPU security flaw Meltdown and Spectre details". SlashGear. Retrieved 4 January 2018.
- "Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 1)". Retrieved 12 April 2019. CS1 maint: discouraged parameter (link)
- "Lawfareblog Hard National Security Choices Matt Tait". Retrieved 9 March 2017. CS1 maint: discouraged parameter (link)
- "aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript". Retrieved 18 December 2017. CS1 maint: discouraged parameter (link)
- TIME, The Editors of (19 January 2018). TIME Cybersecurity: Hacking, the Dark Web and You. Time Inc. Books. ISBN 9781547842414.
- "Issue 118: Windows: Elevation of Privilege in ahcache.sys/NtApphelpCacheControl". 30 September 2014. Retrieved 4 January 2015. CS1 maint: discouraged parameter (link)
- "Exploiting the DRAM rowhammer bug to gain kernel privileges". Retrieved 11 April 2019. CS1 maint: discouraged parameter (link)
- "Issue 1139: cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory". 19 February 2017. Retrieved 24 February 2017. CS1 maint: discouraged parameter (link)
- "Incident report on memory leak caused by Cloudflare parser bug". Cloudflare. 23 February 2017. Retrieved 24 February 2017. CS1 maint: discouraged parameter (link)
- "Another hole opens up in LastPass that could take weeks to fix". Naked Security. 29 March 2017. Retrieved 29 March 2017.
- Siegrist, Joe (31 March 2017). "Security Update for the LastPass Extension". LastPass Blog. Retrieved 2 May 2017. CS1 maint: discouraged parameter (link)
- Greenberg, Andy (3 January 2018). "A Critical Intel Flaw Breaks Basic Security for Most Computers". WIRED. Retrieved 4 January 2018.
- "Issue 1826: iMessage: malformed message bricks iPhone". bugs.chromium.org. 18 April 2019. Retrieved 9 September 2019. CS1 maint: discouraged parameter (link)
- Tim (29 August 2019). "Project Zero: A very deep dive into iOS Exploit chains found in the wild". Project Zero. Retrieved 30 August 2019.
- Cox, Joseph (30 August 2019). "Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years". Vice. Retrieved 30 August 2019.
- Goodin, Dan (7 September 2019). "Apple takes flak for disputing iOS security bombshell dropped by Google". Ars Technica.