Hackers Black Market: Selling System Flaws and Fixes to the Highest Bidder
By Yves Eudes, Le Monde, Feb. 26, 2013
PARIS—In 140 characters of hacker jargon, French security company Vupen tweeted on Oct. 30, 2012 that they had discovered a security flaw in Windows 8 and that they were selling it to the highest bidder.
Microsoft had just launched its new operating system for computers, phones and tablets. Thanks to this previously unknown “vulnerability” (an attack exploiting such a flaw is called a “zero-day exploit”), Vupen—or another team of hackers—could create malware to hijack any Windows 8 device remotely.
The firm, based in Montpellier, France, is famous in the field of software hacking. In March 2011, during the Pwn2Own hacker challenge held at the CanSecWest security conference in Vancouver, Canada, Vupen won by using a weakness in Apple’s Safari browser to hijack a MacBook.
At the time, Vupen’s co-founder, Chaouki Bekrar, had told Zdnet: “The victim visits a web page, he gets owned. No other interaction is needed.”
Vupen did it again at the 2012 Pwn2Own challenge when it successfully hacked Google Chrome and Microsoft’s Internet Explorer 9. Google had offered a $60,000 reward for Chrome-specific exploits in exchange for full details of the zero-day exploits used, but Chaouki Bekrar created controversy by refusing Google’s offer. He said he would be withholding the details of the exploit in order to sell them to his better-paying customers. Google replied by calling him “an ethically challenged opportunist.”
Who are these high-paying customers? When hackers find a flaw (and an exploit for it), they are supposed to inform the software vendor or a security company, which will verify the exploit and find a way to patch the flaw. For a long time, software vendors enjoyed these services for free, but in the 2000s, U.S. hackers launched a movement to get paid. Since then, many software, Internet and telecommunication companies have been publishing the going rate they are willing to pay for security vulnerabilities: from $100 to $20,000 depending on complexity or originality.
But some companies have chosen a more lucrative market. They deal in “offensive security”—a euphemism for spying and data theft. Instead of working with software vendors, these firms sell their exploits to the highest bidder, who is usually an official organization: police, army, secret services. These organizations use the exploits to track criminals and to monitor companies, foreign governments or their own citizens.
Some countries also use these tools to sabotage servers. This is what happened in Iran in 2010 when a uranium enrichment plant was attacked by the Stuxnet malware, believed to have been created by the U.S. and Israel. Because of this risk, countries need to be constantly aware of newly detected flaws in software and networks—and for this they turn to the private sector.
In the U.S., weapon manufacturers such as Raytheon and Northrop Grumman have opened “offensive computer security” departments. Several American companies have specialized in this field as well. The most famous is Immunity, based in Miami Beach, which organizes every year a security conference called “Infiltrate.” Immunity sells software packages with various infiltration methods, including fake websites that mimic Amazon, LinkedIn or Hotmail to trap the user.
There are new actors on this highly lucrative market—exploit brokers. They buy zero-day exploits from independent hackers and resell them to the highest bidder. The two best-known brokers are Netragard, from Massachusetts, and The Grugq, a South African living in Bangkok, Thailand, who claims to make hundreds of thousands of dollars a year. The most famous European company is Vupen.
On its official website, Vupen claims that it doesn’t sell its products to just anyone. The firm says it respects the embargoes enforced by the EU, the UN and the U.S., and only deals with “trusted” States: members of NATO, ANZUS (in the Pacific region) and ASEAN (in the Asian region), as well as special “partner States”—meaning it still has plenty of countries to work with.
U.S. activist Christopher Soghoian, of the American Civil Liberties Union (ACLU), accused his own government of being the best client of these zero-day salesmen: “Google and Microsoft can’t outbid the U.S. government—they will never win a bidding war with the army, navy or NSA.”
He also says that Western countries are playing a dangerous game and warned of a risk of “blowback,” saying that weaponized zero-day exploits sold by Vupen to a foreign government could be sold over and over again, without any control—to be later used against the Western countries that bought them in the first place.
Eric Filiol, a former French secret services agent and cryptography expert, doesn’t agree. He says that Vupen is “one of France’s technological jewels.” He believes that “Chaouki Bekrar is a true CEO and a patriot, working for his country.” Yes, he knows Vupen sells its exploits to foreign countries, “but that’s a good thing, it brings in foreign currencies.”