Google’s new Project Zero is more than just the latest addition to the Internet giant’s smartphone line; it’s a declaration of war. Well, that may be putting it a little strong. But make no mistake; Google’s Project Zero goes beyond merely creating product for the marketplace. With Project Zero, Google is attempting to shore up internet security at all levels, starting with those software apps that make our tablets and smartphones so indispensable.
Surely, improving internet security for all is a good thing, and Google should be applauded for their efforts? Well, therein lies the rub. While we all want better security for our smartphones and tablets, software developers aren’t particularly thrilled to have Google dictating terms. This, as it happens, is exactly what Google intends to do.
The Project Zero Brief
Google has long been concerned with internet security, and with Project Zero they are tackling the problem head-on. Project Zero’s brief, in short, is to check other developers’ software for bugs and vulnerabilities that can be exploited by hackers and cyber-criminals. When a bug or vulnerability is found, Google notifies the software developer and gives them ninety days to fix the flaw. If the software developer in question fails to fix the bug by the ninety-day deadline, they face Zero Day. Come Zero Day, if the vendor has failed to satisfactorily address the issue, Google will make the security flaw known to the public. Google expects this kind of pressure to force software developers to address security problems in a timely manner, and to provide better and safer apps for the public. Considering the uptick in hacking and cyber-crimes over the last few years, you would think this kind of service would be welcomed with open arms. But you’d be wrong.
Major software developers, and some independent security research teams, have taken issue with Google’s perceived high-handedness. Even TSI Director Tony Dyhouse has weighed in on the issue. They all argue that Google is playing into the hands of cyber-criminals by making these security flaws public. It’s one thing to notify vendors about possible security flaws, but quite another to announce those flaws to the public at large. They claim that Google’s actions are little more than blackmail, and ultimately put the public at risk. But it’s clear that internet security is a growing problem, and something needs to be done. Independent security teams know that software vendors are slow to address vulnerabilities in their products, even after those flaws have been brought to their attention. Clearly, some incentive is needed to motivate developers, and to pressure them into providing timely fixes for existing flaws in their software. Google intends Project Zero, with its impending threat of Zero Day, to be that incentive.
Project Zero in Action
Project Zero has only been in operation since July of 2014, but it is already ruffling feathers among software developers and vendors. So far, Microsoft has been hardest hit by Project Zero, and has missed several Zero Day deadlines. Just last week Google revealed a security vulnerability in Windows 8.1, much to Microsoft’s dismay. Apparently, Microsoft had asked for a deadline extension to address the programming flaw, but true to their word, Google published the bug at the close of Zero Day. Microsoft has issued a statement confirming that they are working on a patch for the bug, but the fact remains that the vulnerability is now a matter of public knowledge.
Of course, Google has come under immediate fire for their disclosure. But Google security researcher Ben Hawkes defends the announcement, saying Project Zero’s auto-disclosure policy “allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face”. Clearly, Google has no intention of backing down from their Zero Day imperative.
Internet security is a growing problem, and several high-profile hacks have brought software vulnerabilities to the forefront of the public’s consciousness. With Project Zero, Google hopes to effectively combat the problem by acting as a kind of unofficial internet security police force. Google has already exposed several security vulnerabilities in commonly used software apps, and despite pushback from software vendors they show no sign of backing off from their initial brief. Project Zero is here to stay, and Google hopes that it will keep users safer on the internet.