A Spy Firm’s Price List for Secret Hacker Techniques

The trade in the secret hacker techniques known as “zero-day exploits” has long taken place in the dark, hidden from the companies whose software those exploits target, and from the privacy advocates who revile the practice. But one zero-day broker is taking the market for these hacking techniques into the open, complete with a full price list.

In an unprecedented move, the zero-day broker startup Zerodium published a price chart for different classes of digital intrusion techniques and software targets that it buys from hackers and resells in a subscription service to customers that include government agencies. 

The list, which details the sums it pays for attack methods that affect dozens of different applications and operating systems, represents one of the most detailed views yet into the controversial and murky market for secret hacker exploits. “The first rule of [the] 0days biz is to never discuss prices publicly,” Zerodium CEO Chaouki Bekrar wrote in a message to WIRED prior to revealing the chart. “So guess what: We’re going to publish our acquisition price list.”

An attack that can fully, remotely take over a victim’s computer through his or her Safari or Internet Explorer browser, for instance, fetches a price of as much as $50,000. For the harder target of Google Chrome, Zerodium’s price rises to $80,000. Remote exploits that entirely defeat the security of an Android or Windows Phone device go for as much as $100,000. And an iOS attack can earn a hacker half a million dollars, by far the highest price on the list.

Zerodium explicitly warns sellers that any zero-day exploit Zerodium buys must be for Zerodium’s eyes only; enterprising hackers can’t resell it to other buyers or disclose it to the software’s vendor, who might release a patch that protects users and renders the attack useless. The company stipulates that it will pay the listed prices only for “original, exclusive, and previously unreported zero-day exploits.”

Zerodium, in other words, is keeping its fresh hacker techniques under wraps for its customers, which it says include “government organizations in need of specific and tailored cybersecurity capabilities,” as well as corporate customers it says use the techniques for defensive purposes. Zerodium founder Bekrar says Zerodium clients pay subscription rates of at least $500,000 a year for access to its exploits. He wouldn’t name any specific customers. But Bekrar’s last startup, the French company Vupen, more explicitly offered its zero-day exploits to customers it described as government agencies within NATO and “NATO ally” countries. A Freedom of Information request from the investigative news site Muckrock in 2013 showed that Vupen’s customers included the NSA.

Just what effect publicly pricing zero-day exploits might have on the market for secret hacker techniques is far from clear. But it could actually encourage more hackers to sell the intrusion methods they create; independent security researchers have long complained that the lack of public pricing in the zero-day trade makes it difficult for them to get a “fair” price, as in this 2007 paper from former NSA hacker Charlie Miller. Bekrar pitches Zerodium, which launched in July, as leveling that playing field for independent security researchers. “With Zerodium, security researchers can finally make money with their security findings and hard work,” he writes.

Publicly trading in secret intrusion techniques has also made Bekrar an easy target for criticism from both the privacy community and the software companies whose hackable flaws he exploits for a profit. Google security staffer Justin Schuh once called him an “ethically challenged opportunist.” ACLU lead technologist Chris Soghoian has labelled Bekrar’s Vupen a “modern-day merchant of death,” selling “the bullets for cyberwar.”


Bekrar’s decision to list his exploit prices publicly, Soghoian argues, isn’t an attempt to bring more transparency to the zero-day trade so much as a savvy marketing technique. “Chaouki, with VUPEN, and now with Zerodium, has favored publicity over discretion. He wants free press in order to attract clients,” says Soghoian. Larger, more established defense contractors that sell zero-days, Soghoian adds, have no need for such stunts. “Raytheon and ManTech don’t need to publish price lists online…NSA knows the prices those firms charge.”

Bekrar didn’t respond to WIRED’s questions about why he’d chosen to publish the price list. But even if it’s intended for marketing alone, the chart may offer valuable information about the relative vulnerability of certain software. (Until now the only other such price list for zero-day exploits was an unofficial one I’d assembled after speaking with sources in the hacking community in 2012.) Hacking techniques affecting common web publishing software like Drupal and WordPress sell for just $5,000, according to Zerodium’s list. Perhaps more surprising is that an exploit affecting the anonymity-focused TorBrowser only fetches $30,000.

That revelation comes just days after Tor claimed that the FBI had paid $1 million to Carnegie Mellon University for a technique it had developed to break the anonymity protections of Tor’s server-focused “hidden services” feature. It’s also far less than the $110,000 the Russian government reportedly offered for a Tor-breaking technique last year. But Bekrar emphasized in an email to WIRED that Zerodium’s Tor bounty was only for vulnerabilities in the TorBrowser, which is adapted from Firefox, rather than vulnerabilities in the Tor network itself, which Bekrar notes “may threaten the security and privacy of legitimate Tor users.”

The high price for an iPhone or iPad attack—$500,000—still comes in at just half the reward that Zerodium offered in an open bounty last month. In what Bekrar now says was only a “limited-time deal,” the company very publicly agreed to pay $1 million in late October to a team of hackers who proved that they could successfully compromise an iOS device that visited a malicious web page through its Safari or Chrome browser.

Even at that reduced price, an iOS exploit is still worth five times as much as any other technique on Zerodium’s chart. Apple users may be dismayed to learn that the ability to compromise their personal device is as much a commodity as any other hacking technique. But at least it’s an expensive one.
Wired: http://bit.ly/1Xa4D5d
