Remember the final battle scene in Star Wars: A New Hope? Remember how Luke Skywalker fired a proton torpedo from his X-Wing down the Death Star's exhaust port to blow the spherical space station apart? Well, that port is much like a zero-day vulnerability, and the rebel force's attack was a carefully constructed zero-day exploit.
Despite the Force being so strong with him, Darth Vader's Empire managed to build a battle station with a glaring flaw in it. In the same way, developers often create, and proudly deliver, software riddled with holes. When those holes are exploited, and attackers fire malware or some other nasty code through them, the owners of that software can be blown apart too.
Intelligence on such weaknesses, and the tools needed to exploit them, now sell for considerable sums. That’s because of what can be achieved with zero-days. As seen with super-virus Stuxnet, which took advantage of four zero-day flaws, weaponised vulnerabilities can have a major real-world impact. In that case, the malware disrupted Iran’s uranium enrichment project by sending centrifuges potty. It was said to have set the process back by two years.
Governments of both east and west, and large private businesses, are thought to be spending vast portions of their budgets on acquiring zero-day exploits. Meanwhile, vendors and users of their wares never learn of them. It’s bad news for Internet security, many argue.
Regardless of those arguments, a bustling market has emerged, and it is one that has caused ruptures in the security community.
The good old days?
Yet it’s a far cry from what researchers had hoped it would become. Back in 2002, industry experts felt Internet security was in desperate need of a shot in the arm. They thought the best way to get companies and software vendors interested in improving the security of their estates was to make vulnerability hunting a more prosperous activity. They started talking openly about a more formal approach to introducing market incentives for security flaws.
Just after the turn of the Millennium, Jean Camp from Harvard University and Catherine Wolfram from Berkeley wrote a paper entitled 'Pricing Security'. In it, they argued that the Internet and "the larger information infrastructure" were awash with easily exploitable flaws. "The only ubiquitous testing of Internet security is done by egocentric hackers," they said.
Camp and Wolfram argued that security should be viewed as an "externality": when one party is hit, another can be affected either positively or negatively, but without compensation. To counter this, they suggested looking at vulnerabilities as goods, items to be bought and sold. Those who discovered vulnerabilities would effectively own them.
The researchers had a vision of a credit system, where each Internet-connected machine would be given vulnerability credits by a government body. When a machine was compromised through known flaws, the owner of the machine would relinquish their credits, or pay out in cash if they had no credits left. Those who discovered vulnerabilities, whether exploited or not, could "demand some form of payment or validation of credit ownership". Perhaps because of the somewhat inchoate ideas put forward by Camp and Wolfram, their vision never became a reality.
At what cost?
But start-ups that treated vulnerabilities as commodities did emerge in the early 2000s. The most notable was TippingPoint, which founded the Zero Day Initiative (ZDI), a programme that rewarded researchers for responsibly disclosing vulnerabilities; each flaw was reported to the vendor as soon as it had been validated. TippingPoint was subsequently bought by HP, but ZDI still operates today, as do many other bug bounty programmes, run by the likes of Google and Facebook.
They offer decent money – usually between $1,000 and $10,000 for each flaw found. Researchers get both monetary and reputational rewards, meaning they fill their pockets and bolster their CV for future consulting gigs.
Yet some believe they can and should make much more money from selling zero-days. Even back in 2002, this publication understands an iTunes vulnerability was sold for $13,000. But now much more is up for grabs.
On the one side, private firms are willing to pay significant fees because they want to gain an advantage over rivals, either by being better protected or by launching attacks themselves. On the other, governments want to buy in preparation for cyber warfare. Now they have seen the damage cyber tools can do, from Stuxnet to the super-sophisticated spy tool Flame, governments know what is at stake.
One industry insider, who preferred to remain anonymous, told TechWeekEurope a single zero-day can sell for anything between $5,000 and $500,000. Often, the higher-cost vulnerabilities can be bought as a package with the tools and services needed to exploit them, the insider added.
"It depends on the quality. They sell for what they are worth," the source said. "The growing need, coupled with the shrinking availability and the time it takes to find and write, sets the price for exploits. It's just basic supply and demand."
‘Security for the one percent’
Zero-day merchants take a variety of forms. Major government contractors such as Lockheed Martin, Harris Corporation, Northrop Grumman and Raytheon are thought to be involved, but a host of specialised firms have emerged over the last decade, including Netragard, Errata Security and Vupen. It is the latter group who have been involved in a vituperative war of words with Internet activists and the more vocal members of the security industry.
The main criticism of zero-day sellers is an obvious one. By not sharing their information with the wider community, a flaw is known to a select few, often government bodies and big businesses, whilst the majority go unprotected.
This lack of what is widely known as "responsible disclosure" is what perturbs many. "It's security for the one percent and it makes the rest of us less safe," the Electronic Frontier Foundation said in an essay earlier this year. "These companies are basically selling burglary tools," claims Professor Ross Anderson, of the University of Cambridge.
When Vupen decided not to tell Google about a zero-day in the Chrome browser, even though it had claimed $60,000 in prize money for demonstrating it at the Pwn2Own contest at CanSecWest, it became the bête noire of an industry that had already attracted a lot of bad publicity. Chrome users were being placed at risk, onlookers complained, all because one company wanted to keep its handful of customers happy.
Even though he said he would only sell to NATO governments and partners, Chaouki Bekrar, CEO of Vupen, told Forbes magazine that he wouldn’t share the information with Google, even for $1 million. “We don’t want to give them any knowledge that can help them in fixing this zero-day exploit or other similar exploits. We want to keep this for our customers.”
Open source troubles?
But there may be an even more pernicious side-effect of the market’s growth. Anderson believes open source projects are now threatened by people wanting to profit from weaknesses.
Researchers are deliberately planting bugs in open source software during development, Anderson has told TechWeekEurope, so that when the code ships in finished products those same researchers can point out the flaws and sell them to whoever is willing to pay. He claimed to know of several projects where this has happened, but declined to name names.
“That’s now happening. I’ve seen it in the last four months,” Anderson said. Imagine if Linux had flaws purposefully written into it, he ponders. “Intelligence agencies would be willing to pay an extraordinary amount for zero-days for Linux.”
Those against "irresponsible" vulnerability sellers want tighter regulation. Globally, there is little restriction on the practice. Germany, which is known for having strict rules when it comes to data, is one of the few nations whose criminal code (section 202c, the so-called "hacker paragraph") outlaws producing or distributing tools designed to commit computer crimes, which many read as a ban on selling exploits. Critics argue its wording is broad enough to chill legitimate zero-day research altogether.
In the UK, Anderson says he wants more controls over who UK-based zero-day merchants can sell to overseas. He doesn’t want repressive regimes using British technology to carry out mass surveillance on citizens, as has allegedly occurred in the case of Andover-based Gamma International, whose FinSpy tool has appeared tracking dissidents in Syria and Bahrain. Privacy International has threatened the UK government with legal action, if it fails to introduce tighter checks.
Now, having been criticised ad infinitum, zero-day hunters are biting back at critics. And at journalists. Is your article going to be another piece of “troll journalism”, Vupen’s CEO asked your reporter, while this article was in progress. He declined to answer any of TechWeekEurope’s questions. Indeed, he has been wary of journalists since that infamous Forbes article.
But others are happy to speak out. When asked about the open source issue, zero-day sellers say they have heard rumours of such subterfuge, but have never seen it themselves.
When it comes to regulation, they believe they are, at heart, no different from coders. And there shouldn’t be laws stymying the work of coders, they argue. Those calling for legislation, they say, are just jealous, because they don’t have the skills to find the zero-days and subsequently profit from them.
“The recent industry obsession with doting on vulnerability markets is an unproductive campaign with improperly informed champions striving for idealistic, and ultimately useless, regulations,” says Aaron Portnoy, vice president of research and co-founder of Exodus Intelligence. Portnoy was one of the big-shots of the HP TippingPoint ZDI, running it for two years out of the six he was there. The rest of his five-man team is from ZDI too.
His company has a slightly different model from the others, selling a feed of data on zero-days and related exploits, and promising to eventually disclose vulnerabilities to vendors for free. It finds vulnerabilities itself, but also pays external researchers who hand Exodus their findings. Portnoy may run things differently from the more controversial players in the industry, but he has similarly strong views on those calling for governments to tighten their grip on the market. Security for the one percent? Nonsense, Portnoy says.
“If the ability to sell an exploit suddenly disappeared the Internet would not be a safer place, and individuals would not cease their research into discovering innovative ways to break code,” he told TechWeekEurope. “Those who believe regulation or transparency into this market seem to think otherwise, and that is likely because they themselves aren’t the ones finding the bugs.
“By fixing a single vulnerability, you protect one piece of software from one flaw… by providing enterprises and vendors insight into what attackers are capable of, you enable them to better design their defenses and hopefully develop solutions that are wider in scope.
“If people are concerned about the safety of their Internet, they should stop focusing on trying to stop curious people from being curious.”
Many exploit experts would rather see the software development industry better regulated. They believe vendors should be held more accountable when holes in their software cause harm to Internet users. That’s what Charlie Miller, one of the most noted flaw finders in the world, backs. “Exploits aren’t the problem, vulnerable programs are. Let’s make our devices unbreakable and end the discussion,” he recently tweeted.
But whilst zero-day dealers have been lashing out at critics, the market is prone to infighting too. Unlike the traditional security market, where anti-virus vendors at least ostensibly work closely with one another and willingly share threat information, exploit dealers are considerably more antagonistic.
Earlier this month, Bekrar sent a message to Netragard CEO Adriel Desautels, accusing the latter of “trolling” Vupen. “Stop promoting yourself and your s**t by trolling about us, you don’t know a s**t about us nor our customers, teenager,” read one message. “We’re a 100% research compny while u’re just another broker compny without balls to do your own 0Ds,” read another.
Desautels says the argument was over ethics. Netragard offers penetration testing services and claims to do plenty of its own research on the exploit side. It also acts as a broker of exploits, selling other researchers’ work on to the highest bidder.
The company chief tells TechWeekEurope he is far from fond of the Vupen model, in particular its unwillingness to inform vendors. “I couldn’t believe he was talking like that in public,” Desautels says. “Vupen says it won’t sell to a vendor. In my opinion that is both irresponsible and unethical. It’s unethical because if a vendor approaches you willing to pay an exclusive price for a zero-day, it’s the same thing as anyone else willing to pay for a zero-day.
“It’s irresponsible because look at who is in NATO. There are a lot of countries in NATO that don’t like each other.”
Desautels, whilst against regulation of coding, is in favour of tighter rules on brokering, even a more dirigiste approach. Much like Anderson, he wants to see governments put stronger controls on who brokers sell to. At the same time, however, he does not believe researchers should be limited in who they can sell to.
“Legislation needs to keep its hands out of the research world because if they don’t they are going to drive it towards the black hat world and the underground. It’ll benefit the bad guys,” he adds.
“But there has to be some sort of a body that can keep brokers in check ethically… There has to be some way to control it. It will tick off a lot of the businesses that are doing it, and I understand why, because it means they won’t get easy money anymore.”
In our Star Wars analogy, few people would argue that Princess Leia and the Rebel Alliance should have practised responsible disclosure and warned the Galactic Empire of the flaw in the Death Star, instead of smuggling the plans out in secret and using them for a destructive attack.
In that case moral issues came into the picture, and the issue of marketing the flaw did not arise. Perhaps that’s because there was no market at all.
Yet in the real world, the growth of the zero-day vulnerability market seems inexorable, despite the mounting criticism of it and the bad etiquette of certain players in it. If researchers can make more by selling to governments and private firms, they will increasingly look at that route before going to vendors.
It doesn’t look like the cost of zero-days has hit a peak either. David Maynor, CTO of Errata Security, certainly doesn’t think so. “Do you think the cost of conventional weapons has hit a peak? We have seen the most someone is willing to pay for a jet fighter?”
And it’s unlikely governments will wrap more red tape around the market. After all, why would they want to mitigate the rise of an industry of which they are the chief beneficiaries?