There’s an interesting article in the New York Times this weekend, all about the shady world of the vulnerability researchers who find serious security holes in software.
These bughunters don’t find security vulnerabilities in order to report them to the software vendors and perhaps claim a bounty, but instead sell them to governments prepared to pay hundreds of thousands of dollars for the right exploit.
The truth is that the likes of Google and Microsoft are never likely to be able to pay as much for a security vulnerability as the US or Chinese intelligence agencies.
And, of course, if a government or intelligence agency has paid through the nose for an unpatched zero-day exploit, they’re hardly likely to tell the rest of the world about the security issue.
After all, that would very quickly slam the door shut on the flaw and prevent them from spying upon whoever they wish to watch or steal information from.
One of the most eye-catching claims of the article is that a highly-coveted zero-day exploit in iOS (the operating system used on iPhones and iPads) sold for $500,000, according to two unnamed people that reporters spoke to.
It’s easy to imagine how attractive a method to break into targets’ iPhones, and potentially snoop upon their activities, would be to law enforcement bodies and military intelligence agencies.
Some of the vulnerability researchers prepared to sell exclusive details of zero-day exploits to the highest bidder do so publicly, and have even formed companies with names such as Endgame Systems, VUPEN, and ReVuln.
The New York Times article chooses two Italian bug-hunters, 32-year-old Luigi Auriemma, and Donato Ferrante, 28, the co-founders and researchers at Maltese firm ReVuln, as the hook for the article.
Unlike some of those who sell details of security vulnerabilities, ReVuln doesn’t hide its business model.
ReVuln’s website declares that it can provide details of undisclosed and unpatched vulnerabilities in SCADA/HMI/ICS systems. These are the types of industrial control systems which are used by critical infrastructure such as water treatment, power stations and gas pipelines.
In addition, it trades in zero-day vulnerabilities for operating systems, hardware and software products in mainstream use.
Information about undisclosed and unpatched security vulnerabilities found by our team in third party hardware and software products of various vendors. The vulnerabilities included in our 0-day feed remain undisclosed by ReVuln unless either the vulnerability is discovered and reported by a third party or the vendor publicly or privately patches the issue.
No-one is suggesting that companies like ReVuln are operating outside the law. ReVuln’s website, for instance, publishes a statement declaring that it abides by EU and US sanctions on who it can sell its services to.
You will find remarkably similar wording (even the HTML styling is similar) on VUPEN’s website:
We shouldn’t underestimate the skills of vulnerability researchers who work for companies like VUPEN and ReVuln. They’ve applied their expertise and much effort into uncovering vulnerabilities in different systems. They aren’t exploiting the security holes themselves, and aren’t breaking into anyone’s computers without permission.
But, inevitably, details of the vulnerabilities don’t always get passed to the company capable of fixing them, meaning that customers and users of the affected hardware and software may be left exposed to surveillance or hacking by the third party that bought the exclusive rights to the exploit.
It’s no surprise that companies like Endgame Systems, VUPEN and ReVuln have something of an image problem, and are not necessarily looked upon warmly.
And policies which declare that these companies will not sell details of vulnerabilities to UN/US-embargoed countries aren’t going to offer much reassurance when more and more evidence is coming to light that it’s not just “the usual suspects” of China and North Korea who may be engaged in cyber-espionage, but also that *friendly* nations have been snooping on each other’s activities.
(See “US allies Mexico, Chile and Brazil seek spying answers”, “New NSA leaks show how US is bugging its European allies”, “US and Germany to hold talks over European NSA surveillance concerns”, and many more…)
Against this backdrop, it seems hard to believe that the exploit trading industry will be able to adequately police itself to the satisfaction of countries being spied upon. Inevitably, the powers that be will seek to regulate businesses who sell vulnerabilities to other nations, which may only drive the unregulated sale of exploits, perhaps to unfriendly nations or the criminally-minded, deeper underground.