A Spy Firm’s Price List for Secret Hacker Techniques

The trader in the secret hacker techniques known as “zero day exploits” has long taken place in the dark, hidden from the companies whose software those exploits target, and from the privacy advocates who revile the practice. But one zero-day broker is taking the market for these hacking techniques into the open, complete with a full price list.

In an unprecedented move, the zero-day broker startup Zerodium published a price chart for different classes of digital intrusion techniques and software targets that it buys from hackers and resells in a subscription service to customers that include government agencies. 

The list, which details the sums it pays for attack methods that effect dozens of different applications and operating systems, represents one of the most detailed views yet into the controversial and murky market for secret hacker exploits. “The first rule of [the] 0days biz is to never discuss prices publicly,” Zerodium CEO Chaouki Bekrar wrote in a message to WIRED prior to revealing the chart. “So guess what: We’re going to publish our acquisition price list.”

'The first rule of the 0days biz is to never discuss prices publicly.'
An attack that can fully, remotely take over a victim’s computer through his or her Safari or Internet Explorer browser, for instance, fetches a price of as much as $50,000. For the harder target of Google Chrome, Zerodium’s price rises to $80,000. Remote exploits that entirely defeat the security of an Android or Windows Phone device go for as much as $100,000. And an iOS attack can earn a hacker half a million dollars, by far the highest price on the list.

Zerodium explicitly warns sellers that any zero-day exploit Zerodium buys must be for Zerodium’s eyes only; enterprising hackers can’t resell it to other buyers or disclose it to the software’s vendor, who might release a patch that protects users and renders the attack useless. The company stipulates that it will pay the listed prices only for “original, exclusive, and previously unreported zero-day exploits.”

Zerodium, in other words, is keeping its fresh hacker techniques under wraps for its customers, which it says, include “government organizations in need of specific and tailored cybersecurity capabilities,” as well as corporate customers it says use the techniques for defensive purposes. Zerodium founder Bekrar says Zerodium clients pay subscription rates of at least $500,000 a year for access to its exploits. He wouldn’t name any specific customers. But Bekrar’s last startup, the French company Vupen, more explicitly offered its zero-day exploits to customers it described as government agencies within NATO and “NATO ally” countries. A Freedom of Information request from the investigative news site Muckrock in 2013 showed that Vupen’s customers included the NSA.

Just what affect publicly pricing zero day exploits might have on the market for secret hacker techniques is far from clear. But it could actually encourage more hackers to sell the intrusion methods they create; Independent security researchers have long complained that the lack of public pricing in the zero-day trade makes it difficult for them to get a “fair” price, as in this 2007 paper from former NSA hacker Charlie Miller. Bekrar pitches Zerodium, which launched in July, as leveling that playing field for independent security researchers. “With Zerodium, security researchers can finally make money with their security findings and hard work,” he writes.

Publicly trading in secret intrusion techniques has also made Bekrar an easy target for criticism from both the privacy community and the software companies whose hackable flaws he exploits for a profit. Google security staffer Justin Schuh once called him an “ethically challenged opportunist.” ACLU lead technologist Chris Soghoian has labelled Bekrar’s Vupen a ““modern-day merchant of death,” selling “the bullets for cyberwar.”

Even if it's intended for marketing alone, the price list may offer valuable information about the relative vulnerability of certain software.

Bekrar’s decision to list his exploit prices publicly, Soghoian argues, isn’t an attempt to bring more transparency to the zero-day trade so much as a savvy marketing technique. “Chaouki, with VUPEN, and now with Zerodium, has favored publicity over discretion. He wants free press in order to attract clients,” says Soghoian. Larger, more established defense contractors that sell zero-days, Soghoian adds, have no need for such stunts. “Raytheon and ManTech don’t need to publish price lists online…NSA knows the prices those firms charge.”

Bekrar didn’t respond to WIRED’s questions about why he’d chosen to publish the price list. But even if it’s intended for marketing alone, the chart may offer valuable information about the relative vulnerability of certain software. (Until now the only other such price list for zero-day exploits was an unofficial one I’d assembled after speaking with sources in the hacking community in 2012.) Hacking techniques affecting common web publishing software like Drupal and WordPress sell for just $5,000, according to Zerodium’s list. Perhaps more surprising is that an exploit affecting the anonymity-focused TorBrowser only fetches $30,000.

That revelation comes just days after Tor claimed that the FBI had paid $1 million to Carnegie Mellon University for a technique it had developed to break the anonymity protections of Tor’s server-focused “hidden services” feature. It’s also far less than the $110,000 the Russian government reportedly offered for a Tor-breaking technique last year. But Bekrar emphasized in an email to WIRED that Zerodium’s Tor bounty was only for vulnerabilities in the TorBrowser, which is adapted from Firefox, rather than vulnerabilities in the Tor network itself, which Bekrar notes “may threaten the security and privacy of legitimate Tor users.”

The high price for an iPhone or iPad attack—$500,000—still comes in at just half the reward that Zerodium offered in an open bounty last month. In what Bekrar now says was only a “limited-time deal,” the company very publicly agreed to pay $1 million in late October to a team of hackers who proved that they could successfully compromise an iOS device that visited a malicious web page through its Safari or Chrome browser.

Even at that reduced price, an iOS exploit is still worth five times as much as any other technique on Zerodium’s chart. Apple users may be dismayed to learn that the ability to compromise their personal device is as much a commodity as any other hacking technique. But at least it’s an expensive one.
Wired: http://bit.ly/1Xa4D5d

 

« Restricting Encryption Wouldn’t Stop Paris-Style Attacks
Phony War: US Military To Carry Out Pretend Cyber War Against China & Russia »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Telos

Telos

Telos offers cybersecurity solutions and services that empower and protect the world’s most security-conscious enterprises.

ASU Online - Information Technology Program

ASU Online - Information Technology Program

The Information Technology program at ASU Online provides you with the expertise to design, select, implement and administer computer-based information solutions.

CyberCareers.gov

CyberCareers.gov

CyberCareers.gov is a platform for Cybersecurity Job Seekers, Federal Hiring Managers and Supervisors, Current Federal Cybersecurity Employees, Students and Universities.

Elitecyber Group

Elitecyber Group

Elitecyber group is a team of Cyber Security recruitment experts who work for Cyber Security and Cyber Defence clients and candidates throughout Europe.

AppGuard

AppGuard

AppGuard prevents breaches by blocking applications from performing inappropriate processes using our patented dynamic isolation and inheritance technologies.

Enterprise Incubator Foundation (EIF)

Enterprise Incubator Foundation (EIF)

Enterprise Incubator Foundation (EIF) of Armenia is one of the largest technology business incubators and IT development agencies in the region.

Cyway

Cyway

Cyway is a value-added cybersecurity distributor focusing on on-prem, cloud solutions and hybrid solutions, IoT, AI & machine learning IT security technologies.

3wSecurity

3wSecurity

3wSecurity provides visibility to your company’s internet facing systems throughout the security life cycle, allowing for a more thorough approach to vulnerability management.

Secure Ideas

Secure Ideas

Secure Ideas is focused on penetration testing and application security including web applications, web services and mobile applications.

JupiterOne

JupiterOne

JupiterOne is the security product that is changing how organizations manage and secure their software defined assets.

10dot Cloud Security

10dot Cloud Security

10dot Cloud Security is a security service management company. Our solutions give you contextualised visibility into your network security.

LeadingIT

LeadingIT

Leading IT provides IT support, cloud computing, email support, cybersecurity, networking and firewall services to Chicagoland businesses.

Trusted Security Solutions (TSS)

Trusted Security Solutions (TSS)

TSS are specialist in IT Security and providing Cybersecurity Solutions & Services combined with storage and backup.

Vala Secure

Vala Secure

Vala Secure is a cybersecurity and compliance consultancy that always stays ahead of regulations, future threats and ever-changing security environments.

Kubus Hitam

Kubus Hitam

Kubus Hitam are a research-based company focused on cyber security. we strongly believe that innovation and safety are the two keywords for the future business market.

FOSSA

FOSSA

FOSSA is a leading SBOM (software bill of materials) and software supply chain risk management platform.