Appalachia Technologies Blog


Is 'Zero Day' a Warning? What the Show Missed (and What Keeps Security Engineers Up at Night)


Warning: The following blog is a commentary on the Netflix limited series "Zero Day" and may contain spoilers.

Have you seen the Netflix original series “Zero Day” yet? If not, and you have any interest in cybersecurity, politics, or both, it is definitely a series you need to give some of your attention. For those without Netflix or the time to watch, here is a quick synopsis. Set in the modern day, with many parallels to current events and personalities, a cyber-attack is unleashed on the entirety of America. This cyber-attack stops all communication through satellites and cell phone towers. Phone calls drop, GPS stops tracking location, traffic signals are disabled, and vital communication is severed for major services such as the railroads, air traffic control, and radio. As a result, there is nationwide death and destruction on the scale of 9/11, with over 3,400 people killed. When communication stops and people look at their phones, they find an ominous message: “This will happen again.” Fear takes over, chaos ensues, and the American people demand answers. President Mitchell, who is coming up for reelection, appoints the only person in the country trusted by the American people, former President Mullen, to lead the Zero Day Commission. What follows is a mostly political tale of a divided country, overcome by fear, reacting violently to the loss of life, life-sustaining services, and even constitutional rights.

While the political ramifications of the show are immense, and it is primarily a politically driven show, there is a lot to take away from its cybersecurity aspect. Most notably: can this really happen? Should we, as Americans, be scared (if not terrified) of such an attack? That is where I will take a deep dive in the following paragraphs. If you have not watched the series yet and do not want any part of it spoiled, consider this your spoiler alert: stop reading and come back when you are finished. Going forward I will be discussing the technical events that transpired in detail.

Looking at the attack on a granular level, what actually happened?

First, the malware was created by the NSA for use in cyber-warfare should the need ever arise. An angry NSA employee decided to steal this malware and sell it to a hacktivist group, who intended to expose it to the public. However, the people behind the attack are actually people who hold some of the highest offices in American politics, looking to destabilize the government in order to make the American people come together.

The malware itself is designed to shut down communications regardless of the operating system the communications run on. After the malware is delivered, AI is used to dynamically generate the malware code needed for each operating system, ensuring the malware’s nefarious aspirations are achieved.

The first question that came to my mind when I watched this scenario play out was: how in the world did this malware get propagated to nearly EVERYONE in the country? The series explains this by having the malware distributed by an angry, rogue mobile app magnate named “Kidder.” Kidder’s company, Panoply, owns all or part of over 80% of the apps available. The magnate implants the malware in each and every one of the apps she controls, so if a person has downloaded any of these apps, their phone is infected through a forced update.

Can this situation happen in real life?

Certainly, yes it could. The greatest threat any organization or individual faces is the threat from within their own organization (or family). Why? Because it is not expected. Loyalty is expected. That is the key cog in the entire attack: malicious insiders with an ax to grind betray their loyalty to their leaders. This happens every day, in every country. Sadly, it is human nature.

So, what organizations have enough reach to have their apps on over 80% of the country’s phones? Apple, Google, and Meta, for starters. Other possibilities would be “must have” apps that almost all of us download as a necessity, such as The Weather Channel, or perhaps an extremely popular game such as Pokemon Go, Candy Crush, or Angry Birds. While the 80% mark may be a stretch, it is not unlikely that 50% or even 60% could be achieved. Would the effect be that much less severe if only 50% of our communications were disabled as opposed to 80%? Not really. Massive calamity would still ensue.

So, I have demonstrated that there are app developers with a large enough customer base to pull off this attack. But is there any precedent for this already happening? Unfortunately, yes! TikTok and Temu have backdoor tracking and surveillance included in the app, used to collect data on and spy on Americans. That is an instance of a company complying with the nation state it is beholden to. What is the likelihood that they would object to taking the next step to malware weaponization?

Could we be tricked into downloading the malware willingly?

There is precedent for this too, in the “Angry Birds: Space” or “Angry Birds: Transformers” apps from 2012. These apps were not legitimate Angry Birds games, but they were so good at disguising themselves as an official Rovio (the owner of Angry Birds) app that millions of people downloaded them onto their Android phones. Instead, these apps installed a trojan horse program called “WipeLocker” that allowed an attacker to take control of the phone, delete apps and files, and change settings. While this likely wouldn’t have reached even 20% of American Android devices, it shows that people can be tricked. Millions were.

I believe the propagation of this malware could easily be achieved by an insider at one of the major tech companies and could also be assisted by malicious impersonation apps. Android is relatively easy to crack because it has open-source apps that can be uploaded to the Play Store without any oversight. Android controls roughly 42% of the market share as of February 2025, according to StatCounter.com. Apple is more difficult because it uses code-signing, which means that Apple has to review all the code of any application to verify it is not malicious before making it available on the App Store. Apple currently enjoys approximately 58% of US market share (StatCounter). Combined, Apple and Android make up 99.7% of the US cell phone market.
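Code signing, as mentioned above for Apple, is the mechanism that makes a forced update like Kidder’s hard to push from anywhere but the publisher’s own build system. The Go program below is an added example written for this post; it is not code from the show, from Appalachia Technologies, or from Apple. It uses Go’s standard-library Ed25519 to sign a constructed update on the publisher side and verify it on the device side, and it shows the two cases a signature check does catch: a payload altered after signing, and a package signed with a key the device does not trust. The app name, version string and payload bytes are all constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedUpdate is a constructed stand-in for an app update as a store delivers it:
// a manifest (app name and version), the payload, and the publisher's signature.
type SignedUpdate struct {
	App       string
	Version   string
	Payload   []byte
	Signature []byte
}

// signingInput binds app, version and payload digest into the bytes that get signed,
// so a valid signature cannot be reused for another app, version or payload.
func signingInput(app, version string, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return []byte(fmt.Sprintf("%s\n%s\n%x", app, version, digest))
}

// SignUpdate is the publisher's side: the private key stays on the build system.
func SignUpdate(priv ed25519.PrivateKey, app, version string, payload []byte) SignedUpdate {
	return SignedUpdate{
		App: app, Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, signingInput(app, version, payload)),
	}
}

// VerifyUpdate is the device's side: install only if the signature verifies under
// the publisher key the device already trusts.
func VerifyUpdate(trusted ed25519.PublicKey, u SignedUpdate) bool {
	return ed25519.Verify(trusted, signingInput(u.App, u.Version, u.Payload), u.Signature)
}

// ScenarioResult records whether the device accepted each constructed update.
type ScenarioResult struct {
	Genuine  bool // signed by the publisher and untouched
	Tampered bool // publisher's signature, but one payload byte altered afterwards
	WrongKey bool // same payload, signed with a key the device does not trust
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunScenario builds the three updates and runs the device-side check on each.
func RunScenario() ScenarioResult {
	publisherPub, publisherPriv := mustKey()
	_, otherPriv := mustKey() // a party that never had the publisher's key

	payload := []byte("constructed app binary, version 2.1") // constructed sample
	genuine := SignUpdate(publisherPriv, "weather", "2.1", payload)

	tampered := genuine
	tampered.Payload = append([]byte(nil), payload...) // copy, then flip one byte
	tampered.Payload[0] ^= 0xff

	wrongKey := SignUpdate(otherPriv, "weather", "2.1", payload)

	return ScenarioResult{
		Genuine:  VerifyUpdate(publisherPub, genuine),
		Tampered: VerifyUpdate(publisherPub, tampered),
		WrongKey: VerifyUpdate(publisherPub, wrongKey),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario()) // {Genuine:true Tampered:false WrongKey:false}
}
```

The check does nothing against the case the show actually depicts, where the publisher itself signs the malicious update with its legitimate key. That is the gap store review, reproducible builds, and monitoring of what an update does after it installs are meant to cover; the signature only proves who released the update, not that it is harmless.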

So, in theory, yes, there could always be a grand conspiracy in which a developer at Apple is willing to infect a ubiquitous iOS app (such as Maps) in coordination with an open-source app designed to attack Android devices. This is unlikely, but if it could be done, it is safe to assume that 99.7% of devices would be infiltrated.

The next step in the attack chain is the operating-system-agnostic malware. While I never want to say never in the digital world, especially with the emergence of artificial intelligence, this strikes me as a rather difficult hill to climb. To analyze it, let’s break malware down into its core functions and parts. Malware is a program like any other program; the only difference is that it has negative and malicious intentions. Otherwise, it still needs the basic building blocks of a programming language to create it. Malware does not exist in a vacuum: without programming it does not exist. But not all programming languages are understood by all devices. Apple programs run on the Swift programming language, which is a child of a proprietary language created by Apple named “Objective-C.” So, if I created malware for a Windows device and then plugged the thumb drive into a MacBook, it won’t work. The MacBook does not understand the core language it is seeing, and the malware cannot initialize itself. The same goes if I plugged it into a machine running Linux, AS/400, Unix, or any other type of OS. If it doesn’t understand the core building blocks of the language, how can it run?

Let’s use an analogy: if an individual came up to me and started speaking to me in Mandarin, telling me to go do something malicious, I wouldn’t understand him well enough to know that he was telling me to do anything at all, much less what specific task he had in mind. For all I know, he stopped me to tell me that I have great hair and a nice smile. The only way he could achieve his goal is to have a translator.

So, the malware would need a translator to translate it into a language the machine’s operating system would understand. As the show pointed out, the malware used AI to determine the operating system and write the code specifically for that machine; AI acted as the translator. On the surface this sounds plausible, because AI has been used to write exploit code and to create viruses. But it does not solve the problem of not understanding the core language on the victim device. After all, the malware has to start and understand its environment well enough to know that it needs to go to the internet (and how to get there on this particular device), then contact an AI bot and tell it the OS so that it can generate the specific exploit code. Again, this goes back to my analogy. If the man comes up to me and says in Mandarin, “go to the internet, go to ChatGPT, and use it to translate this malware code into code that would be understood by Linux instead of Windows,” I wouldn’t understand his initial instructions. He could tell me to go get an interpreter, but I wouldn’t understand that either. More than likely, I would just ignore him and go about my day, which is what computers do when they are presented with code they do not understand. So, this tells me that for this process to work, it could not be initiated from the victim PC. It would instead need to be initiated by the attacker.

Now, this brings us to how this hack would have to transpire. If I wanted to perform this type of attack, I would have to run a port scan against the device, using a switch to tell me the operating system. This report would have to be 100% accurate for me to determine the OS and create the exploit code specifically for that device. I don’t know how many port scans you have run in your lifetime, but in my experience, OS fingerprinting is never 100% accurate; I am given multiple possibilities for what the OS may be, based on characteristics of how it behaved. There is no 100% foolproof way to remotely determine the OS of a remote device, much less to do so repeatedly for 80% of the devices in America. Even if the attacker has pinpointed the OS with 100% accuracy, he now has to find a way to circumvent all countermeasures in place and deliver the payload to the victim machine. This doesn’t have a high success rate either.

With all of this being said, I do not believe our current technology could allow a piece of malware to magically morph its code into the language the victim machine would understand. This attack could not happen today, using current technology, on the scale presented in “Zero Day.” So, should we be complacent and breathe easily knowing this? Not at all.


This scale of attack could not happen using the means described in “Zero Day,” but the same results can be achieved with technology that exists today. As I stated earlier, even if we only have malware find its way to 50% of devices, will that not still create a major problem for our country?

What we truly need to worry about from a cyber-warfare standpoint is an attack on our power grid. Society as a whole is largely a single-point-of-failure system, and that single point of failure is the power grid. If the power grid goes down, literally EVERYTHING is affected. This has never been more true, as our society has grown to rely on computers for everything and has even sought to remove other fail-safe manual processes. When I play this attack scenario out in my mind, I see a world where people cannot conduct transactions because they no longer carry cash and instead rely on credit. The credit card network requires electricity to run. This will cause people to run to their banks and pull out their money, which could lead to banking failure.

Computer networks also require electricity to run, obviously. Law enforcement and first responders have largely discontinued analog radio communications in favor of IP-based networked radio systems such as StarNet or OpenSky. Without power, these first responders cannot communicate. Cell phones won’t work because the towers will not be powered: another means of communication gone. The public will not be able to gather information because the flow of information will have stopped, so the fear of the unknown takes over. What about food? It’s hard to cook these days without electricity. Even those with natural gas will eventually suffer, because the gas will no longer flow once the electric compressors that run the transmission lines lose power when their battery backups fail. Sewage containment systems require electricity to remove waste. Water purification requires electricity too.


What I’m saying is that everything relies on electricity, and if our adversaries find a way to take down the power grid, we will be in just as bad a situation as was depicted in Zero Day.
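The cascade described in the last few paragraphs can be made concrete as a dependency graph. The Go program below is an added example written for this post, not something from the show or from Appalachia Technologies. The services and which of them need grid power are constructed from the post’s own list (cell towers, IP radio, the card network, gas compressors, water and sewage), with one assumption added for illustration: battery- or generator-powered analog radios that keep working when the grid does not. It propagates a failure through the graph until nothing else changes, ranks every service by how many others go down with it, and compares first-responder communications with and without the analog fallback the post says has been discontinued.

```go
package main

import (
	"fmt"
	"sort"
)

// Requirements maps a service to its requirement groups. A service stays up while
// every group still has a working member and fails once any group has lost all of
// its alternatives. An empty list means the service needs nothing else.
type Requirements map[string][][]string

// Baseline is constructed from the services the post lists; it is not data from the post.
func Baseline() Requirements {
	return Requirements{
		"power":            {},
		"analog_radio":     {}, // assumption: battery or generator handsets, independent of the grid
		"network":          {{"power"}},
		"cell_towers":      {{"power"}},
		"ip_radio":         {{"power"}, {"network"}},
		"banking_it":       {{"power"}},
		"card_network":     {{"power"}, {"banking_it"}},
		"gas_transmission": {{"power"}}, // compressors, once their battery backup is exhausted
		"water_treatment":  {{"power"}},
		"sewage":           {{"power"}},
		"cooking":          {{"power", "gas_transmission"}}, // either electricity or gas will do
	}
}

// WithFirstResponderComms returns a copy of r plus first-responder communications
// that work over any one of the given radio systems.
func WithFirstResponderComms(r Requirements, radios []string) Requirements {
	out := make(Requirements, len(r)+1)
	for k, v := range r {
		out[k] = v
	}
	out["first_responder_comms"] = [][]string{radios}
	return out
}

// groupDown reports whether every alternative in a requirement group has failed.
func groupDown(alts []string, failed map[string]bool) bool {
	if len(alts) == 0 {
		return false
	}
	for _, a := range alts {
		if !failed[a] {
			return false
		}
	}
	return true
}

// Cascade starts from the services in initial and keeps marking any service with a
// fully failed requirement group until nothing else changes (a fixpoint).
func Cascade(r Requirements, initial []string) map[string]bool {
	failed := map[string]bool{}
	for _, s := range initial {
		failed[s] = true
	}
	for changed := true; changed; {
		changed = false
		for svc, groups := range r {
			if failed[svc] {
				continue
			}
			for _, alts := range groups {
				if groupDown(alts, failed) {
					failed[svc], changed = true, true
					break
				}
			}
		}
	}
	return failed
}

// Impact is how many other services go down when Service alone fails.
type Impact struct {
	Service string
	Count   int
}

// RankSinglePointsOfFailure knocks out each service in turn and sorts by blast radius.
func RankSinglePointsOfFailure(r Requirements) []Impact {
	var ranked []Impact
	for svc := range r {
		ranked = append(ranked, Impact{svc, len(Cascade(r, []string{svc})) - 1})
	}
	sort.Slice(ranked, func(i, j int) bool {
		if ranked[i].Count != ranked[j].Count {
			return ranked[i].Count > ranked[j].Count
		}
		return ranked[i].Service < ranked[j].Service
	})
	return ranked
}

func main() {
	for _, radios := range [][]string{{"ip_radio", "analog_radio"}, {"ip_radio"}} {
		r := WithFirstResponderComms(Baseline(), radios)
		down := Cascade(r, []string{"power"})
		fmt.Printf("radios %v: power loss takes down %d of %d services; responder comms down=%v\n",
			radios, len(down), len(r), down["first_responder_comms"])
	}
	top := RankSinglePointsOfFailure(WithFirstResponderComms(Baseline(), []string{"ip_radio", "analog_radio"}))[0]
	fmt.Printf("largest single point of failure: %s (%d other services)\n", top.Service, top.Count)
}
```

With the analog fallback in the graph, losing power takes down 10 of 12 services but leaves responder communications up; remove the fallback and they fail with everything else. The ranking is the useful part for planning: it names the node whose loss has the largest blast radius, which is where a manual or off-grid alternative buys the most resilience.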

As all of these necessary systems fail, fear and panic will overtake the citizenry. The longer these systems remain unavailable, the more likely this fear and panic will turn to anger and hatred. Resource gathering will begin as people hoard what they can and fight over what little is available. Looting begins. People’s animalistic instincts take over, and they will do what they need to survive, even if it means hurting others. This is when society breaks down. Research shows it can take only one week without core services for this process to take place, as most people are equipped with only enough food and supplies to sustain themselves and their families for 3 to 7 days. Is there any precedent for this happening? Sadly, yes there is, as recently as last year in Western North Carolina after the flooding and destruction of Hurricane Milton. It took one week for the local community to break down. The typical recovery time for a ransomware attack is two weeks, even if the victim was well-prepared.

In conclusion, we don’t need to worry about a “Zero Day” style cyber-attack taking down all systems at once. Societal collapse doesn’t require a grand cyber-attack using AI-driven, OS-agnostic, mutating malware propagating across the entire country. It just requires insider knowledge of the vulnerabilities that exist in our power grid and how, when, and where to exploit them in order to have the most severe impact on society. We do need to worry about a cyber-attack taking down a large portion (or all) of the power grid at once. The rest of the systems we rely on will fail along with it, a cascading consequence of our failure to create a system that can function not only with power, but also without it. How long will it be until our own “Zero Day”?


Curtis McPherson is a security engineer and writer who focuses his time on penetration testing and incident response. Curtis graduated cum laude from Penn State University with a bachelor’s degree in Security and Risk Analysis, concentrating on cybersecurity and digital forensics. In his time at Penn State, he participated in the Technology Club, which conducted open-source intelligence (OSINT) investigations into missing person cases, using social media and the internet to find clues to their disappearance. Curtis is married with two cats and a bouncy bearded collie named Laddie. In his spare time, Curtis is an avid fiction writer, Civil War historian, and a tried and true lover of all things related to airplanes and aviation.
