The Zero-Day Exploit Scam

Nothing strikes more fear into the IT department of a company or government agency than the dreaded zero-day exploit. This is simply a cyber attack that uses a previously undiscovered vulnerability in software to penetrate a network. If well-designed, the exploit can remain undetected for a much longer time than known exploits, and this makes them valuable to attackers. The extended time to detection means that financially motivated hackers can get richer and information-motivated hackers can get more information. This is why software developers will pay good money to anyone who can find a bug in their software…especially bugs that can be exploited for evil purposes and, in the process, ruin the developer’s reputation.

Microsoft is the top ‘bug bounty’ payer. Most, but not all, software developers follow the bug bounty model. Adobe is an exception and only gives a ‘pat-on-the-back’ award to bug finders, hoping that raising a hacker’s reputation will matter more than money when it comes to disclosing a bug. Critics say that this is because Adobe has so many bugs that it couldn’t possibly afford to pay for the disclosure of all of them.

In the biggest award ever given to any ethical hacker, Google paid 17-year-old George Hotz $150,000 for a vulnerability he found and fixed in the Chrome operating system. George has since become a member of Google’s Project Zero, a hacker dream team that has been put together to find vulnerabilities in software before the hackers do. Most ethical hackers do not make out as well financially as Hotz and his comrades, and this raises one important question: Why shouldn’t these hackers sell the exploit they find to someone who would be happy to pay far more for it? Well, of course, there is the ethical consideration and the looming possibility of a prison term, but this does not always act as a deterrent. Besides, what would stop a hacker from working both sides of the aisle? In other words, why couldn’t they collect the bug bounty while secretly selling the exploit to unethical hackers at the same time?

The main reason they wouldn’t is that once the bug was disclosed to the software programmers, it would lose its value as a zero-day exploit…wouldn’t it? Actually, it’s not as clear-cut as that. There will certainly be a time lag between exposing and fixing the vulnerability. Then, there will be another lag between creating and releasing the patch for the vulnerability. Finally, there will be an additional lag between releasing the patch and users actually installing it. This gives hackers a window of opportunity during which they can enter a network undetected. Sure, it’s not as good as a true zero-day exploit, but it’s not bad. In fact, there is a term for this kind of hack: it is referred to as a ‘1-day exploit’.

True 1-day exploits basically reverse-engineer newly released patches to find out where the original vulnerability was. Hackers realize that not everyone will install the patch as soon as it is released, if at all. In other words, there will still be plenty of machines that have the original vulnerability and are open to exploitation. And if you think 1-day exploits come at a bargain price, think again. One that is currently for sale on the deep web is going for about $70,000. This one takes advantage of a Microsoft vulnerability, and it’s possible that Microsoft (or some legitimate exploit seller) is going to pay for information on it, for, as the seller notes, “Offering this for a limited amount of time only as I might already have client in real life.”

This brings up an angle that many really don’t want to mention. What if the vulnerability was discovered internally and one of those working on the patch decided to make a little extra money by releasing the vulnerability to the deep web before it was released publicly? I’m not saying this is the case here, but, given the amount of money available as an incentive, it is a possibility that cannot be completely discounted.

This possibility was first exposed by the French company Vupen when, at an HP-sponsored hackathon in 2012, they refused to sell a vulnerability they had found in the Chrome browser to Google, even though they could have received $60,000 for it. They, in fact, ridiculed the offer and said that they would keep the exploit to sell to their customers. These customers would pay 10 to 100 times more than the software companies. And who were these rich customers? Mainly governments, big companies, and policing agencies. Vupen claims to sell only to reputable governments, but some have claimed that it makes governments engage in bidding wars for its zero-day vulnerabilities. It has recently been disclosed that Vupen (now with offices in the US) has a contract with the NSA. In 2013, the NSA had a $25 million budget for the purchase of exploits. Why would the NSA want zero-day vulnerabilities? Think about it.

Vupen has recently revealed that it sold Microsoft an Internet Explorer vulnerability for $300,000. Vupen had sat on this vulnerability for many years. In fact, it has been claimed that the NSA or other governments had control of this vulnerability and that, only when it looked like the vulnerability might be discovered, did Vupen agree to sell it. In other words, every person who used Internet Explorer versions 8 through 11 was exposed for years to possible attack. In its defense, a Vupen spokesman said, “It was a security vulnerability dealing with IE. We figured it wasn’t too important to notify MS about it right away, because, let’s be honest, anyone who still uses IE likely doesn’t care too much about proper security anyway.” Isn’t that like saying, “this bank doesn’t have very good security, so it deserves to be robbed”?

Vupen is not alone in the zero-day business. There are other ‘legitimate’ companies that sell them. According to one source, “boutique vulnerability providers, such as VUPEN Security, ReVuln, NetraGard, Endgame Systems, and Exodus Intelligence, sell subscriptions that include 25 zero-day flaws per year for $2.5 million.” It’s a good business but some question whether these vulnerabilities might get into the wrong hands if profits are the only motive. Besides, with all these zero-day companies competing for clients, how do you know that the zero-day you bought hasn’t already been sold to other buyers and is, therefore, not a true zero-day at all? Remember that it does no one who possesses a zero-day exploit any good to disclose it, so everyone who has a zero-day exploit would remain secretive. In the end, not only could individual computer users be exposed to attack but national security could also be at stake. You may think you’re selling your zero-day exploit to a reputable country or individual but nothing will stop them from selling it on to someone less reputable, especially if the price is right.

The lure of wealth is strong, but many private hackers may have trouble finding a legitimate buyer for a zero-day exploit that they develop. No problem. You can always work through a middleman who can find you an appropriate buyer. Perhaps the most famous middleman goes by the name Grugq. Grugq, a South African who lives in Bangkok, will use his government contacts to find you a buyer for your exploits. Of course, he won’t do this for free. It will cost you 15%. Is it profitable? Well, his philosophy is, “I refuse to deal with anything below mid-five-figures these days,” a philosophy that makes him at least a million a year.

It should be clear by now that governments around the world are anxious to get their hands on the latest zero-day exploits so as to use them for their own purposes. It is also clear that, for most, price is no obstacle. There’s a lot of easy money flowing around here, which brings us to another problem or another scam, however you want to look at it. Let’s call it the financially motivated insider scam.

What if software developers inside companies decided to work with hackers or companies like Vupen? In other words, what if they intentionally designed vulnerabilities into their products that others could then ‘find’? I’m not the first to suggest this as a real possibility. I have no doubt that most software developers are trying their best to do the difficult job of designing bullet-proof software, but it only takes a few insiders to bring down their best efforts.

Whether zero-day exploits qualify as a true scam is difficult to say. In a scam, you don’t really get what you pay for. With a zero-day exploit, you may or may not get what you pay for. Basically, a person who wants a true zero-day exploit expects to get sole access to a software vulnerability that no one else knows about. However, the monetary incentive to sell the exploit to a number of buyers makes keeping the vulnerability truly secret difficult. There is no control over the process, which, in itself, has a number of vulnerabilities. Any buyer who purchases complete control over an exploit, by extension, has complete control over whether or not to sell it on to others. So, in the world of the zero-day exploit, it’s let the buyer beware.

About InZero Systems’ Approach to the Zero-day Exploit: InZero Systems bases its security architecture on the premise that all software contains exploitable vulnerabilities. It also realizes that such vulnerabilities can exist in endpoints connected to a corporate or government network. Exploiting an endpoint means exploiting a network, thus, exposing sensitive corporate data to attack. InZero Systems’ architecture effectively makes one endpoint device (smartphone, tablet) into two, each with its own separate operating system. This means that any exploits on endpoints cannot cross the OS-OS barrier to gain access to protected information. The zero-day exploit may exist on an endpoint, but that’s where it stays.
