Related Links

Top 5 Stories


Governments are Big Buyers of Zero-Day Flaws

15 July 2013

The extent and sophistication of the market for zero-day vulnerabilities is becoming better understood. It appears that governments – especially the US, UK, Israel, Russia, India and Brazil – are among the biggest customers.

A new report in the New York Times describes the market for zero-day flaws. "On the tiny Mediterranean island of Malta, two Italian hackers have been searching for bugs... secret flaws in computer code that governments pay hundreds of thousands of dollars to learn about and exploit." The hackers in question run the company known as Revuln, and like France-based Vupen, it finds or acquires zero-day vulnerabilities that it can sell on to the highest bidder.

Vupen charges its customers an annual subscription fee of $100,000 merely to see its catalog of flaws – and then charges extra for each vulnerability. At these prices, it is unsurprising that the buyer is usually a government agency. As Graham Cluley comments, "The truth is that the likes of Google and Microsoft are never likely to be able to pay as much for a security vulnerability as the US or Chinese intelligence agencies." Although Microsoft has recently introduced a maximum bug bounty of $150,000, it pales into insignificance in the face of the reputed $500,000 paid for an iOS bug.

Revuln's work has long been known. The Q4 2012 ICS-CERT Monitor warned, "Malta-based security start-up firm ReVuln claims to be sitting on a stockpile of vulnerabilities in industrial control software, but prefers to sell the information to governments and other paying customers instead of disclosing it to the affected software vendors." ICS vulnerabilities are precisely those needed by states to protect their own or attack foreign critical infrastructures.

Last week, Der Spiegel published details of an email interview between Jacob Appelbaum and Edward Snowden. Snowden confirmed that Stuxnet had been jointly developed by the US and Israel. There is no information on whether the zero-days in Stuxnet were discovered or bought, but nevertheless ACLU policy analyst Christopher Soghoian blames Stuxnet for the success of companies like Vupen and Revuln. 

The knowledge that military organizations are interested in and use zero-day flaws "showed the world what was possible," explains the Times. "It also became a catalyst for a cyberarms race."

The military establishment, said Soghoian, “created Frankenstein by feeding the market.” The problem now is that no-one knows how big or scary this Frankenstein might become. Is there a danger, for example, that developers could be persuaded to build in backdoors that they can later sell? Jeremiah Grossman, Founder and CTO of WhiteHat Security thinks this is a possibility. "As 0-days go for six to seven figures, imagine the temptation for rogue developers to surreptitiously implant bugs in the software supply chain," he commented. "It's hard enough to find vulnerabilities in source code when developers are not purposely trying to hide them."

This is a problem that is not going away. "Vulnerability is a function of complexity, and as operating systems and source code continually trend to more complexity, so does the scope for vulnerabilities and exploits," said Adrian Culley, a consultant with Damballa (and a former Scotland Yard detective) to Infosecurity. "All code is dual use. The reality is there is now a free market; and to coin a trite cliche, the lid is off off Pandora's box."

This article is featured in:
Industry News  •  Internet and Network Security  •  IT Forensics  •  Malware and Hardware Security  •  Public Sector



dwchadwick says:

16 July 2013
If civil engineers build bridges with as many flaws as computer scientists have in their software, who would travel on them? This situation has developed in part as a result of rushing to market with software products before they have been properly tested and bug fixed, and licensing agreements which absolve suppliers of all responsibility for bugs in their programs. If legislation were introduced to make suppliers financially responsible for losses incurred as a result of bugs in their software, then the whole industry would take a different approach to software development and there would be far less bugs and zero days to exploit.

Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by the Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×