Security researchers and hackers around the world are locked in a constant struggle to detect security weaknesses in a wide range of software, and a whistleblower has revealed the enormous market for selling on the information.
The result of their labour is zero-day exploits: bits of custom code specifically tailored to exploit software flaws that have not yet been made public. While they may sound scary to the average user, they are also a vital resource for security researchers. In the wrong hands, however, they can cause plenty of havoc, as they can be deployed as cyber weapons by governments, or as the 21st-century equivalent of a crowbar in the ever-growing cybercrime scene.
What most people don’t know is that zero-day exploits are being traded on a routine basis. Legitimate companies are selling them to governments, law enforcement agencies or other security outfits. However, as Slate found in its excellent report, the market is unregulated and there are concerns that rogue governments could simply buy exploits they might need for their next cyber attacks.
For example, undisclosed vulnerabilities in Windows were put to good use by the developers of the Stuxnet virus, which targeted Iranian nuclear enrichment facilities. A Chinese hacker group also used zero-day exploits found in Flash and Internet Explorer to target more than 1,000 computers used by corporations and human rights groups.
The risky trade has prompted whistleblowers to come forward and shed a bit more light on the practice. Adriel Desautels, a 36-year-old exploit broker from Boston, claims to have sold exploits for as much as $250,000. Although the market is unregulated, Desautels has his own rules: his company will not sell exploits abroad and only deals with US clients, who he claims are rigorously vetted before any deal is sealed.
“As technology advances, the effect that zero-day exploits will have is going to become more physical and more real,” he said. “The software becomes a weapon. And if you don’t have controls and regulations around weapons, you’re really open to introducing chaos and problems.”
Desautels warns that greedy and irresponsible people could sell exploits to anybody, or that they could sell the same exploit over and over again. In one scenario, two governments could use the same exploit to target each other.
“If I take a gun and ship it overseas to some guy in the Middle East and he uses it to go after American troops – it’s the same concept,” Desautels said.
The dangers of the exploit trade have already been recognised in Europe. Dutch politician Marietje Schaake is calling for new laws that would curb the trade. She describes zero-day exploits as “digital weapons” and says the European Commission should take action. Schaake believes the Commission should create an entirely new regulatory framework that would cover the trade in zero-day exploits.
Such a move would encourage researchers and hackers to act more responsibly and fix the vulnerabilities, rather than sell them on to the black or gray markets.