00:00:00
[army shouting]
00:00:02
[Narrator] Normandy.
00:00:03
1204 A.D.
00:00:05
For two years,
00:00:05
the English-occupied fortress
known as the Chateau Gaillard
00:00:08
has withstood the
trebuchets,
00:00:10
battering rams
00:00:11
and tunneling efforts of
an attacking French army.
00:00:14
It was a stalemate,
00:00:16
one that might have
continued indefinitely
00:00:18
were it not for an otherwise
unremarkable
00:00:19
French foot soldier
00:00:20
[Bogis] Bonjour!
00:00:21
[Narrator] named
Peter Bogis.
00:00:23
One bloody day as the
battle raged around him,
00:00:26
Bogis scanned the
exterior of the fortress
00:00:28
and saw what no one else did.
00:00:30
A weak point ready
to be exploited.
00:00:32
By some accounts, it was
the exit chute of a latrine
00:00:35
located inside the
fortress's chapel,
00:00:38
added at the specific request
of England's King John.
00:00:42
Regardless of origin,
it was a flaw.
00:00:44
The only one Bogis needed
to enter undetected.
00:00:47
Once in, he hauled up dozens
of his waiting French comrades.
00:00:50
Chaos ensued.
00:00:52
English defenders scattered.
00:00:53
The siege was over.
00:00:55
[crowd cheering]
00:00:58
Thousands of tons of stone,
00:01:00
the latest in
defensive architecture,
00:01:02
and yet no one had thought
to secure the toilet.
00:01:06
And so the vulnerability
sat unnoticed for years
00:01:09
until the moment when
Peter Bogis spotted it
00:01:12
and crawled his
way into history.
00:01:16
Today's fortresses are
made of code, not stone.
00:01:19
They guard information,
not territory or treasure.
00:01:22
But they still
contain vulnerabilities—
00:01:25
architectural flaws
overlooked by their creators.
00:01:28
And just like in 1204, the
Peter Bogis of today—
00:01:32
hackers,
00:01:32
spies,
00:01:33
cyber criminals,
00:01:34
are searching for undiscovered
ways to gain access.
00:01:38
So what do you do if
you are responsible
00:01:40
for protecting
the accounts,
00:01:41
data centers
00:01:42
and cloud systems relied on
by people around the world?
00:01:46
You do everything you can to
find the vulnerabilities first,
00:01:50
wherever they may be.
00:01:54
[♪ anthemic music ♪]
00:01:55
When it's your job to keep
billions of people safe online,
00:02:00
you have to live and
breathe and see the internet
00:02:02
just like the attackers do,
00:02:05
because the only way
to stop a hacker
00:02:08
is to think like one.
00:02:27
Remember Royal?
00:02:29
He's in charge of Privacy,
Safety and Security at Google.
00:02:32
[Royal] How are you?
00:02:34
[Director] Hey, Royal.
Good to see you again.
00:02:35
[Royal] Good to see you.
00:02:36
You're coming out of
that little box there.
00:02:39
We are the central team
that looks out across all
00:02:42
of the Google products
00:02:44
for the privacy of users,
00:02:47
the security of Google
and much of the internet.
00:02:50
[Narrator] Wait,
much of the internet?
00:02:51
That seems like a
lot of extra work.
00:02:53
[Royal] Right. [laughs]
00:02:55
[Narrator] But to make sure
Google's users are safe,
00:02:57
it's necessary.
00:02:58
After all, people don't
just use Google's apps
00:03:01
and cloud services.
00:03:02
They use hundreds of
devices, tools, websites
00:03:05
and operating systems, all
different, all connected,
00:03:08
just as the internet's
founders intended.
00:03:10
[Royal] They made a
decision very early on
00:03:13
to open-source the
standards by which computers
00:03:18
and then ultimately
webpages would communicate
00:03:20
with one another.
00:03:21
That was a conscious decision
to have an open internet.
00:03:26
You can place the improvements
in the lives of the billions
00:03:30
of people on this planet at
the feet of that decision
00:03:33
to allow everyone to
participate and innovate.
00:03:38
[Narrator] But this
interconnected world
00:03:40
comes at a price.
00:03:41
Today, a vulnerability in
any part of the system
00:03:44
threatens every part
of the system.
00:03:46
[Alex] Let's say
I'm a normal user.
00:03:48
I wake up, I get my coffee.
00:03:50
I open up my phone.
00:03:51
This phone is made
by one company.
00:03:53
I click on a button
to check my email.
00:03:55
The app is written
by another company.
00:03:57
I see a link, I click that link.
00:03:59
It opens up my
social media site.
00:04:01
Something that to a normal
user is a 90 second experience
00:04:05
that seems like it's nice
and smooth and integrated,
00:04:07
there's actually a lot of
complexity on the back end.
00:04:11
[Royal] The safety of
that individual depends
00:04:13
on finding a vulnerability
and getting it fixed faster
00:04:17
in one of those
dependent platforms,
00:04:19
computers,
00:04:20
software packages,
00:04:22
before they're abused.
00:04:23
The open internet
is harder to defend.
00:04:26
Google said "We're
gonna dedicate a team
00:04:29
to finding
00:04:30
the hardest-to-find
vulnerabilities."
00:04:33
[♪ upbeat music ♪]
00:04:36
[Narrator] Who’s responsible
for this team of elite hackers?
00:04:38
Meet Parisa Tabriz.
00:04:40
She oversees
Google's Project Zero
00:04:42
and in a former life,
was a bit of a hacker herself.
00:04:45
[Parisa] I think I identified
at some point as a hacker.
00:04:48
I still am in spirit,
00:04:50
but I also think of myself
as more a hacker manager
00:04:53
than a hacker.
00:04:54
[♪ video game music ♪]
00:04:55
[Narrator] Years of dealing
with the world's nastiest
00:04:57
exploits and vulnerabilities
has made her the perfect person
00:05:00
to guide a team
00:05:01
that's always on the
hunt for new ones.
00:05:04
[♪ upbeat music ♪]
00:05:05
[Parisa] Project Zero
makes the internet safer
00:05:07
by looking at it
through a hacker lens
00:05:12
and trying to rigorously,
00:05:14
ruthlessly break it
00:05:16
and then fix it
00:05:17
and prevent problems from
happening in the first place.
00:05:21
[Narrator] That's right.
00:05:22
Project Zero is a team
00:05:23
of hackers that makes
the internet safer
00:05:25
by trying to hack it.
00:05:27
Each success
eliminates a weak point
00:05:28
that would have threatened
the people and businesses
00:05:30
that rely on Google
and the internet at large.
00:05:34
But to understand
this team's name,
00:05:35
you have to understand the
vulnerabilities they hunt.
00:05:39
A zero-day vulnerability
00:05:40
is a weak point
in a program's code
00:05:42
that’s been discovered
by an attacker
00:05:44
but not by the people
responsible for fixing it.
00:05:48
That means when the
vulnerability is exploited,
00:05:50
defenders will have
had zero days notice.
00:05:53
They'll be surprised,
00:05:54
exposed,
00:05:55
scrambling,
00:05:55
just like the English defenders
inside Chateau Gaillard.
00:05:58
[Tim] Zero-day vulnerabilities
are too powerful,
00:06:01
too cheap and too numerous.
00:06:03
[Commander] There is
nothing you can do now.
00:06:05
[Tim] And we think someone
has to do something
00:06:07
about making them
harder to use,
00:06:09
making them more expensive,
00:06:11
making them less frequent.
00:06:13
[Narrator] Zero-days have
been used in cyber attacks
00:06:15
of all kinds,
00:06:16
from surveilling
human rights activists
00:06:18
to damaging physical
infrastructure,
00:06:20
to well, you remember Aurora.
00:06:24
[Tim] The vulnerability
that was exploited there
00:06:26
was a bug in
Internet Explorer,
00:06:28
a Microsoft product.
00:06:30
That is the kind of case
00:06:31
in point that sometimes
the weakest point
00:06:33
for Google might be
a non-Google product.
00:06:37
[Narrator] This is Tim.
00:06:38
[Director] Smiling
is encouraged.
00:06:40
[Tim] Ha!
00:06:40
[laughs]
00:06:42
Alright. Hi.
00:06:44
[Narrator] Tim is the
ringleader of Project Zero.
00:06:46
And at the age of
15, he was hacked.
00:06:48
[Tim] I was chatting
to random people
00:06:50
and they're like "Do you
want a cup holder?"
00:06:52
And I'm like, “What?”
00:06:53
"Do you want a cup holder?"
00:06:54
I'm like, "Uh...
00:06:55
okay."
00:06:56
And then they
opened my CD drive,
00:06:59
and I was like,
00:07:01
“Oh, that's really cool.
00:07:04
How did you do that?"
00:07:05
And then they wouldn't tell me.
00:07:07
[Narrator] Each
member of the team
00:07:08
has their own origin story,
00:07:09
but they all have a
few things in common.
00:07:11
[Parisa] So a great Project
Zero member is somebody
00:07:15
who loves security research
00:07:17
and finding bugs
00:07:20
and wanting to
find problems
00:07:22
that nobody else knows exists.
00:07:25
Sometimes people
will ask me,
00:07:27
“How do you find a bug?”
00:07:28
Or, “How do you do
vulnerability research?"
00:07:30
And at the end of the day,
00:07:33
it's almost like
asking someone,
00:07:34
“How do you make art?”
00:07:36
[Narrator] To find
vulnerabilities hidden
00:07:37
inside connected
fortresses of all kinds,
00:07:40
you need the best— a hacker
who can hack anything.
00:07:45
[Natalie] My motto is
00:07:46
"Hack Everything."
00:07:48
[Narrator] Meet Natalie.
00:07:49
[Natalie] Hey.
00:07:50
[Narrator] True to her motto,
00:07:51
Natalie has hacked phones,
00:07:52
webcams,
00:07:53
arcade games,
00:07:54
microwaves,
00:07:54
selfie sticks—
00:07:55
[Natalie] I do have a crate
00:07:57
of 50 dismantled selfie sticks.
00:07:59
[Narrator] Keyboards,
00:08:00
USB sticks,
00:08:01
battery packs,
00:08:02
fans,
00:08:03
and Tamagotchis.
00:08:04
[Natalie] I won't lie.
00:08:05
I am an extremely big
fan of Tamagotchis.
00:08:08
If you wanna hack
strange things,
00:08:09
there's a lot of
stuff out there.
00:08:11
[Narrator] And that's just
what she does on the weekends.
00:08:13
At work, she looks for
dangerous vulnerabilities
00:08:16
in the apps used by
billions of people.
00:08:18
[Natalie] I've been
looking for vulnerabilities
00:08:19
in software for more
than 10 years now.
00:08:22
And you start to get a feel
00:08:23
for where
vulnerabilities will be.
00:08:26
What sort of stuff do
developers make mistakes
00:08:29
while writing?
00:08:31
And video processing is
actually a big one.
00:08:35
[Narrator] That's right.
00:08:36
The apps we use
every day to talk to
00:08:38
family,
00:08:38
friends,
00:08:39
school
00:08:39
and work
00:08:40
were potentially home
to a zero-day vulnerability.
00:08:44
With little more than a hunch,
00:08:45
Natalie went to work testing
the defensive architecture
00:08:48
of various video chat apps
by calling herself...
00:08:51
[phone ringing]
00:08:51
a lot.
00:08:53
[Natalie] I would say one
in a thousand things
00:08:56
I tried or less worked.
00:08:57
That's the nature of hacking
and finding vulnerabilities.
00:09:00
Almost everything
you try doesn't work.
00:09:02
But the odd thing does.
00:09:04
[Narrator] In this case,
00:09:05
the odd thing led to
an important discovery,
00:09:07
a way to force someone's phone
00:09:09
to start transmitting
video and audio
00:09:11
without them even knowing.
00:09:13
Here's how the hack
actually works:
00:09:15
Natalie sends
a chunk of data
00:09:16
known as a packet
00:09:17
to a target phone.
00:09:19
A perfectly normal step
in making a video call.
00:09:21
But hidden in this packet
00:09:23
along with the typical
call commands is extra data
00:09:25
that the target software
isn't expecting.
00:09:28
Most random extra data
would simply cause an error,
00:09:31
but this extra data,
00:09:33
one of the thousands of
combinations Natalie tried,
00:09:35
acts like a key,
00:09:36
tricking the target phone
00:09:38
into answering the call without
anyone even touching it.
00:09:41
Vulnerability confirmed.
00:09:43
Exploit executed.
00:09:44
Hack completed.
00:09:47
Five different video
chat applications
00:09:49
all had the vulnerability.
00:09:51
Meaning if you're one
00:09:52
of the billions of people
that use these services,
00:09:54
it would've been possible
for someone to watch
00:09:56
and listen to you
without your knowledge.
00:09:59
Fortunately, there was
no evidence the flaw
00:10:01
had ever been
used for harm,
00:10:03
but just like with all of
Project Zero's biggest finds,
00:10:06
the implications for the safety
00:10:08
of our connected world were
more than a little ominous.
00:10:11
[Natalie] There always is
this caution where
00:10:13
what might be a good
day of work for you
00:10:16
is actually a bad day
00:10:18
for users and might
reveal something
00:10:21
about security that shows things
00:10:23
are less secure than we thought.
00:10:24
[Narrator] As soon
as Natalie notified
00:10:26
the various companies of
their apps' vulnerabilities,
00:10:29
changes got made,
00:10:30
patches went out.
00:10:31
The online world got
a little more secure.
00:10:34
[♪ ambient music ♪]
00:10:37
But getting zero-days
fixed quickly
00:10:39
hasn't always been so easy.
00:10:40
[dial up modem beeps]
00:10:41
Back in the 90s,
00:10:42
members of the hacker
collective The L0pht
00:10:44
would look for vulnerabilities
in the early internet,
00:10:47
then do whatever it took
to get people to listen,
00:10:50
even talk to Congress.
00:10:52
[Sen. Fred Thompson] The
Washington Post describe you
00:10:53
as rock stars of the
computer hacking elite.
00:10:56
We appreciate your being
with us here today.
00:11:00
Within 30 minutes,
00:11:00
the seven of you could
make the internet unusable
00:11:03
for the entire nation.
00:11:05
Is that correct?
00:11:06
[Mudge] That's correct.
00:11:07
And until the
problem mushrooms up
00:11:10
and enough people
complain about it,
00:11:13
then they'll come out
with a public fix.
00:11:16
[Tim] It was fairly common
for particular companies
00:11:19
if you report a bug to them,
00:11:20
some of them took more than
six months to get fixed.
00:11:24
Some of them were just,
they just were never fixed.
00:11:26
They just went
into a black hole.
00:11:27
[♪ ambient music ♪]
00:11:31
So when Project Zero
finds a vulnerability
00:11:33
from our own research,
[♪ upbeat music ♪]
00:11:34
we report it to the company.
00:11:36
"That's day zero.
00:11:37
This is the vulnerability.
00:11:37
This is where we think it is."
00:11:39
Sometimes even ,"This is how
we think you should fix it."
00:11:42
And that's when we'll
start the timer.
00:11:45
If the company doesn't
fix the bug in 90 days,
00:11:47
then on day 90, we
put it all online.
00:11:51
[Narrator] By online,
00:11:52
he means on the
Project Zero blog.
00:11:54
And while this kind of
reveal doesn't happen often,
00:11:57
the prospect of having an
unpatched vulnerability exposed
00:12:00
to the whole world is
a powerful motivator.
00:12:02
[Tim] Companies would
disagree with us by the way.
00:12:05
They would prefer that we
stay silent a lot of the time
00:12:07
and not talk about
this type of stuff.
00:12:10
The real core
of all of this
00:12:11
is that
00:12:13
users lose when things
don't get fixed quickly.
00:12:16
[♪ ominous music ♪]
00:12:18
In December 2018,
00:12:19
Google's Threat Analysis
Group, or T.A.G.
00:12:22
had discovered a
cache of exploits
00:12:25
that were being used
00:12:26
against a popular mobile device.
00:12:29
They came over to Project
Zero for analysis.
00:12:31
We were able to
reverse the exploits,
00:12:33
reverse out the vulnerabilities.
00:12:36
The implant in there allowed
them to pull chat history,
00:12:39
photos,
00:12:40
GPS locations,
00:12:41
you name it—
00:12:43
it was capable of doing it.
00:12:45
We reported those issues to
the company and the company
00:12:48
that makes that device,
00:12:51
I believe, pushed out a
fix within seven days.
00:12:55
[Narrator] More troubling,
00:12:56
was that Project Zero's analysis
revealed the exploits
00:12:58
had been in use for
quite some time.
00:13:01
[Tim] The exploits
that were discovered
00:13:03
went back many generations
00:13:06
of this particular
mobile technology device.
00:13:09
This had been happening
for many years.
00:13:14
[Narrator] The exploits were
being used to surveil members
00:13:16
of the Uyghur community,
an ethnic minority in China.
00:13:20
[Tim] Seeing a capability
like this being used
00:13:22
against a population,
00:13:24
it's like a stark reminder
00:13:25
of what we're doing
here has importance.
00:13:28
And it's not just playing around
00:13:30
with code or dealing
with vendor politics
00:13:34
or company politics when
it comes to disclosures
00:13:36
and to and fros.
00:13:37
There are real people getting
attacked by bugs like this.
00:13:40
And it's important that
we do something about it.
00:13:43
[city sounds]
00:13:44
[♪ soft music ♪]
00:13:45
[Narrator] The
exploit being used
00:13:46
to surveil the Uyghurs
was a major find,
00:13:49
but it was just one of many.
00:13:51
To date, Project Zero has found
00:13:53
over 1,800
zero-day vulnerabilities
00:13:56
in everything from operating
systems to dating sites
00:13:58
to Google's own
apps and services.
00:14:01
That's 1,800 trap doors
00:14:03
that will never be
crawled through.
00:14:04
1,800 fortresses that have
been made a little more secure.
00:14:08
But every day
new code is written,
00:14:10
new apps are launched
00:14:11
and the internet
we all depend on
00:14:13
gets a little more
interconnected
00:14:15
and a little more vulnerable.
00:14:17
[Tim] Is my job getting
harder every year?
00:14:19
Well I hope so,
00:14:20
because otherwise we're
probably not doing it well.
00:14:23
[Natalie] We could
sometimes see on the forums
00:14:24
these financial attackers,
00:14:26
credit card thieves
being like, “Darn it,
00:14:28
that didn't work anymore.”
00:14:30
And that was
extremely satisfying
00:14:33
because I think everyone
deserves to be secure.
00:14:35
I think that vulnerabilities
00:14:37
and security
problems harm people
00:14:40
both financially and
sometimes physically.
00:14:43
And I think it's important
00:14:44
that everyone is
able to use computers
00:14:46
in a way that doesn't
threaten them.
00:14:49
[Tim] Is there an end
game for Project Zero?
00:14:52
I would like to
see a world where
00:14:55
it's incredibly hard to
find a vulnerability.
00:14:57
Will we get there
anytime soon?
00:14:58
Probably not.
00:15:00
But does that mean we
should stop trying?
00:15:01
Absolutely not.
00:15:03
[Narrator] So Project Zero
stays on the battlefield,
00:15:07
inspecting the walls,
00:15:09
trying to find and test
vulnerabilities first
00:15:11
so they can never
be used for harm.
00:15:15
[Parisa] You have hackers
who use their skills
00:15:17
to harm other people and profit.
00:15:20
And I usually call
them attackers
00:15:23
and you have a lot of hackers
00:15:25
who do their work
00:15:27
to make software and
systems more secure.
00:15:29
And I call those folks...
00:15:34
heroes.
