A Spy Firm’s Price List for Secret Hacker Techniques

The trade in the secret hacker techniques known as “zero-day exploits” has long taken place in the dark, hidden from the companies whose software those exploits target, and from the privacy advocates who revile the practice. But one zero-day broker is taking the market for these hacking techniques into the open, complete with a full price list.

In an unprecedented move, the zero-day broker startup Zerodium published a price chart for different classes of digital intrusion techniques and software targets that it buys from hackers and resells in a subscription service to customers that include government agencies. 

The list, which details the sums it pays for attack methods that affect dozens of different applications and operating systems, represents one of the most detailed views yet into the controversial and murky market for secret hacker exploits. “The first rule of [the] 0days biz is to never discuss prices publicly,” Zerodium CEO Chaouki Bekrar wrote in a message to WIRED prior to revealing the chart. “So guess what: We’re going to publish our acquisition price list.”

An attack that can fully, remotely take over a victim’s computer through his or her Safari or Internet Explorer browser, for instance, fetches a price of as much as $50,000. For the harder target of Google Chrome, Zerodium’s price rises to $80,000. Remote exploits that entirely defeat the security of an Android or Windows Phone device go for as much as $100,000. And an iOS attack can earn a hacker half a million dollars, by far the highest price on the list.

Zerodium explicitly warns sellers that any zero-day exploit Zerodium buys must be for Zerodium’s eyes only; enterprising hackers can’t resell it to other buyers or disclose it to the software’s vendor, who might release a patch that protects users and renders the attack useless. The company stipulates that it will pay the listed prices only for “original, exclusive, and previously unreported zero-day exploits.”

Zerodium, in other words, is keeping its fresh hacker techniques under wraps for its customers, which, it says, include “government organizations in need of specific and tailored cybersecurity capabilities,” as well as corporate customers it says use the techniques for defensive purposes. Zerodium founder Bekrar says Zerodium clients pay subscription rates of at least $500,000 a year for access to its exploits. He wouldn’t name any specific customers. But Bekrar’s last startup, the French company Vupen, more explicitly offered its zero-day exploits to customers it described as government agencies within NATO and “NATO ally” countries. A Freedom of Information request from the investigative news site Muckrock in 2013 showed that Vupen’s customers included the NSA.

Just what effect publicly pricing zero-day exploits might have on the market for secret hacker techniques is far from clear. But it could actually encourage more hackers to sell the intrusion methods they create; independent security researchers have long complained that the lack of public pricing in the zero-day trade makes it difficult for them to get a “fair” price, as in this 2007 paper from former NSA hacker Charlie Miller. Bekrar pitches Zerodium, which launched in July, as leveling that playing field for independent security researchers. “With Zerodium, security researchers can finally make money with their security findings and hard work,” he writes.

Publicly trading in secret intrusion techniques has also made Bekrar an easy target for criticism from both the privacy community and the software companies whose hackable flaws he exploits for a profit. Google security staffer Justin Schuh once called him an “ethically challenged opportunist.” ACLU lead technologist Chris Soghoian has labelled Bekrar’s Vupen a “modern-day merchant of death,” selling “the bullets for cyberwar.”


Bekrar’s decision to list his exploit prices publicly, Soghoian argues, isn’t an attempt to bring more transparency to the zero-day trade so much as a savvy marketing technique. “Chaouki, with VUPEN, and now with Zerodium, has favored publicity over discretion. He wants free press in order to attract clients,” says Soghoian. Larger, more established defense contractors that sell zero-days, Soghoian adds, have no need for such stunts. “Raytheon and ManTech don’t need to publish price lists online…NSA knows the prices those firms charge.”

Bekrar didn’t respond to WIRED’s questions about why he’d chosen to publish the price list. But even if it’s intended for marketing alone, the chart may offer valuable information about the relative vulnerability of certain software. (Until now the only other such price list for zero-day exploits was an unofficial one I’d assembled after speaking with sources in the hacking community in 2012.) Hacking techniques affecting common web publishing software like Drupal and WordPress sell for just $5,000, according to Zerodium’s list. Perhaps more surprising is that an exploit affecting the anonymity-focused TorBrowser only fetches $30,000.

That revelation comes just days after Tor claimed that the FBI had paid $1 million to Carnegie Mellon University for a technique it had developed to break the anonymity protections of Tor’s server-focused “hidden services” feature. It’s also far less than the $110,000 the Russian government reportedly offered for a Tor-breaking technique last year. But Bekrar emphasized in an email to WIRED that Zerodium’s Tor bounty was only for vulnerabilities in the TorBrowser, which is adapted from Firefox, rather than vulnerabilities in the Tor network itself, which Bekrar notes “may threaten the security and privacy of legitimate Tor users.”

The high price for an iPhone or iPad attack—$500,000—still comes in at just half the reward that Zerodium offered in an open bounty last month. In what Bekrar now says was only a “limited-time deal,” the company very publicly agreed to pay $1 million in late October to a team of hackers who proved that they could successfully compromise an iOS device that visited a malicious web page through its Safari or Chrome browser.

Even at that reduced price, an iOS exploit is still worth five times as much as any other technique on Zerodium’s chart. Apple users may be dismayed to learn that the ability to compromise their personal device is as much a commodity as any other hacking technique. But at least it’s an expensive one.
Wired: http://bit.ly/1Xa4D5d
