3.3.4. Cryptographic, Mobile, and Zero-Day Vulnerabilities
First Principle: Some vulnerabilities transcend a single category. Cryptographic weaknesses undermine all security that depends on encryption. Mobile vulnerabilities exploit the unique constraints of portable devices. Zero-day vulnerabilities are unknown and therefore indefensible with signature-based tools. Each requires different defensive strategies.
Cryptographic vulnerabilities include using deprecated algorithms (MD5, SHA-1 for integrity; DES, 3DES for encryption), insufficient key lengths (RSA keys under 2048 bits), improper implementation (predictable random number generators, hardcoded encryption keys in source code), and protocol weaknesses (downgrade attacks that force use of weaker algorithms by manipulating the negotiation handshake). Cryptographic vulnerabilities are especially dangerous because they undermine the foundation that secure communications, authentication, and data protection all depend on.
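Two of the implementation weaknesses listed above (hardcoded keys in source code, and deprecated algorithms or undersized keys) can be caught by a simple review script. The code below is an added example, not part of the original guide; the sample source lines are constructed, and the entropy thresholds (3.0 bits per character for hex literals, 4.5 for base64-like literals) and the small algorithm table are assumptions that mirror this page's list, not a full standard.

```python
from collections import Counter
import math
import re

# Deprecated algorithms and minimum key sizes as named in the text above (assumption:
# a small table mirroring the page, not a full standards list).
DEPRECATED = {"md5", "sha1", "des", "3des"}
MIN_BITS = {"rsa": 2048}
QUOTED = re.compile(r'["\']([^"\']{20,})["\']')  # string literals of 20+ chars
HEX_CHARSET = re.compile(r"^[0-9a-fA-F]+$")
B64_CHARSET = re.compile(r"^[A-Za-z0-9+/=]+$")

def shannon_entropy(s):
    """Bits per character; random hex tops out at 4.0, random base64 at 6.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_hardcoded_keys(source_lines):
    """Return (line_no, literal) for long, high-entropy literals in a key-like charset.
    Thresholds (3.0 bits hex, 4.5 base64-like) are assumed from common scanner practice."""
    hits = []
    for no, line in enumerate(source_lines, 1):
        for lit in QUOTED.findall(line):
            if HEX_CHARSET.match(lit):
                threshold = 3.0
            elif B64_CHARSET.match(lit):
                threshold = 4.5
            else:
                continue  # spaces or punctuation: prose, not key material
            if shannon_entropy(lit) >= threshold:
                hits.append((no, lit))
    return hits

def check_algorithm(name, bits=None):
    """Return a finding for a deprecated algorithm or undersized key, else None."""
    key = name.lower().replace("-", "")
    if key in DEPRECATED:
        return f"{name}: deprecated algorithm"
    if key in MIN_BITS and bits is not None and bits < MIN_BITS[key]:
        return f"{name}-{bits}: key shorter than {MIN_BITS[key]} bits"
    return None

# Constructed sample source (not from any real project) to run the scanner on.
SAMPLE_SOURCE = [
    'AES_KEY = "9f3b7c1e4a6d2b8e5c0a7f1d3e9b4c6a"  # hex key in source',
    'API_TOKEN = "kR8vZ2pLx9QeW4mT7nYc3HbJ0sFaD6uG"  # base64-like token',
    'MESSAGE = "Welcome to the settings page, please log in"',
    'ROUTE_NAME = "SettingsPageWelcomeBanner"',
]
```

Running `find_hardcoded_keys(SAMPLE_SOURCE)` flags only the first two lines: the sentence fails the charset filter and the camel-case identifier scores well under the base64 threshold, which is why scanners combine a charset check with entropy rather than entropy alone.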
Mobile vulnerabilities are amplified by the device's portability and connectivity: unsecured Wi-Fi connections (automatic association with known SSIDs), excessive app permissions (apps requesting camera/microphone/location access beyond what they need), lack of encryption on the device or removable storage, outdated OS versions (especially Android devices that don't receive vendor updates), and sideloaded applications bypassing app store security reviews. Mobile devices also face a physical theft risk that servers don't: a stolen phone with no lock screen exposes everything.
Zero-day vulnerabilities are unknown to the vendor and have no available patch. They're the most dangerous because no signature-based detection can identify them and no patch exists to apply. Zero-days are highly valued on the black market (some sell for hundreds of thousands of dollars). Defense against zero-days requires behavioral detection (identifying anomalous behavior rather than known signatures), application whitelisting (allowing only approved software to execute), micro-segmentation (limiting lateral movement), and defense in depth (assume something will get through and limit the blast radius).
Exam Trap: A zero-day is defined by the vendor not knowing about it. Once the vendor is notified, it's no longer a zero-day, even if no patch exists yet. The period between disclosure and patch availability is the "vulnerability window", which is distinct from a zero-day.
