Right now, all over the world, experts are poring over code looking for weaknesses in software. Their exploits they discover--virtual break-ins for everyday computer programs and services that allow entry to hackers, spies, and all manner of digital ne'er-do-wells--can sell for thousands. Buyers include Fortune 500 firms, household name tech firms, foreign intelligence services, and even, according to some reports, the United States government.
While no one will go on record asserting that, say, the U.S. government uses Windows exploits to spy on Mexican drug cartels or that Israel pays certain researchers big cash for backdoors onto Hezbollah servers, the market for these types of exploits and the potential for these kinds of uses is massive. And most of it isn't technically illegal--yet.
James Denaro of CipherLaw, a legal firm specializing in intellectual property and information security law, told Fast Company in a phone conversation that while the exploit marketplace is unregulated, it is tangentially affected by existing legislation. Hacking activity used to discover vulnerabilities, for instance, can run afoul of regulations such as the Computer Fraud & Abuse Act (CFAA), and sale of exploits by U.S. citizens to foreign entities can violate security, customers, and terrorism regulations.
Denaro says that, under the law, the reporting of exploits to software companies for free by good security samaritans and resale of exploits are two very different things. But, Denaro says, researchers “need to be careful about who they sell to” and that “selling on anonymous marketplaces is very different from selling exploits directly to the American government--they're two very separate things. A great deal turns on what the researcher knows about who the buyer is and what the buyer’s intentions might be.”
There are also attempts to clamp down on the exploit trade from within the industry. The HP-affiliated Zero Day Initiative funnels compensation money directly to researchers who discover exploits; the organization then gives information about the security flaw directly to the software publisher rather than selling to a third party. Dutch politician Marietje Schaake is attempting to have the European Union regulate the zero-day trade; Schaake's proposal includes exploits among a larger collection of technology products she believes should not be sold to repressive governments. Denaro also speculated about the future possibility in the United States of a “cyber good samaritan law,” which would steer information about security holes directly to the original software provider and direct regulation of the sale of exploits by governments.
But for now, the market flourishes. Chris Sogohian, a technology researcher at the ACLU and a prominent public critic of the exploit marketplace, told Kaspersky Labs' Dennis Fisher in a 2012 podcast that exploit sales are a “secret business in the flimsiest sense of the word,” and, for the most part, an open secret.
Exploits fall into two categories. There are conventional exploits--which deal with software versions already on the market, and zero-days--which use holes in newly released software updates.
Exploit researchers come from a variety of backgrounds. Some are academics and students hoping to monetize their in-class information security research. Others are underemployed technology experts looking for potentially lucrative paydays and a chance to have their talents recognized. Even more are located in Russia, Eastern Europe, or Asia, and find that the grueling drudgery of finding software holes is the most lucrative security job available to them. The exploits they create are small software programs designed to take advantage of vulnerabilities, giving purchasers access to unauthorized systems. Exploits can also deliver "payloads" such as viruses or surveillance software on a third party's behalf.
Zero-days target everything from Microsoft Windows to Cisco Linksys routers. Due to the time-sensitive nature of zero-days, researchers can make large sums of money on quick sales to software companies. The payment is essentially a ransom, where a company with a security hole compensates security researchers for telling them--and not would-be criminals--of the danger.
Of course, the buyer isn't always the firm that made the software.
When Forbes's Andy Greenberg went out last year to find out how much zero-day researchers earn, he found one Bangkok-based security expert called “the Grugq” who allegedly sold a single zero-day iOS exploit for $250,000 as a broker on a developer's behalf; The Grugq earned $37,500 on the sale through commission, with the exploit allegedly going to a U.S. government contractor. And in 2011, WikiLeaks revealed that security firm Endgame Systems sold packages of 25 zero-day exploits to clients--primarily American government contractors--for $2.5 million a year.
Foreign governments, it turns out, are keenly interested in purchasing security exploits for offensive cyberwar (just as, it must again be noted, is the American government). Slate and Future Tense's Ryan Gallagher wrote in a January article that one prominent exploit marketer puts cyberwar front and center. France's Vupen Security claimed approximately $1.2 million in revenue from selling “government-grade exploits specifically designed for the intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions.” The bulk of these sales went to customers outside of France.
The most prominent exploit marketplace is ExploitHub, which bills itself as “the first legitimate marketplace for validated, non-zero-day exploits.” Catering to white-hat hackers interested primarily in improving site security, the site creates an Amazon-style market for security holes. Older exploits can be obtained for as little as $30, while more recent exploits or tools to penetrate specialist software can cost far, far more. According to the site's most recent metrics, the average price of an exploit is about $300, and the highest individually priced product is $1,500. ExploitHub claims to regulate who can buy or sell on their marketplace, and to keep a strict eye on how the service works.
More shadowy zero-day products are primarily bought and sold on underweb sites accessible through the Tor Onion Router or through invite-only, protected web forums. A number of third-party brokers such as Massachusetts-based Netragard buy and resell zero-day exploits on researchers' behalfs as well.
Sales of exploits are highly capitalist in the purest sense of the word. Due to the lack of regulation of the exploit marketplace, informal rules and protocols have arisen among individual buyers and sellers. Netragard, for instance, will only sell exploits to “vetted U.S. based buyers who have a legitimate need for such technology.”
In an email, Soghoian also noted that many exploit sale agreements are designed to keep money flowing to researchers as long as the security hole is undiscovered. Monthly payments are sent to researchers as long as the flaw remains unfixed, giving the researcher an incentive not to tell anyone else about the security hole. This, of course, also gives the buyer the opportunity to exploit that security hole for surveillance or other purposes.
When unleashed into the wild, exploits can wreak havoc. A zero-day Java exploit was used by unknown hackers allegedly linked to China to penetrate Apple and Facebook's internal systems. Zero-day exploits obtained from Gamma Group, a British “technical surveillance and monitoring group,” were allegedly used to sneak powerful surveillance software onto the computers of Egyptian, Bahraini, Ethiopian, and Malaysian dissidents.
Gamma's best known product, FinSpy, is also allegedly used by governmental customers in the United States, Mexico, and Australia--the company is currently being sued by the Mozilla Foundation over claims that Gamma disguised their spy software as a Firefox product.
[Image: Flickr user Daniel R. Blume]
Correction: An earlier version of this article misstated the commission made on the sale of an iOS exploit.