Secrecy surrounding ‘zero-day exploits’ industry spurs calls for government oversight

Deep in Iran’s nuclear facilities, gas centrifuges used to enrich uranium began spinning erratically: fast, then slow, then fast, until they failed. First dozens, then hundreds, then an estimated 1,000 centrifuges were disabled that way, delaying Iran’s nuclear program by up to 18 months.

The cause of the failures — first disclosed in 2010 — is now well known to have been Stuxnet, the computer worm developed by U.S. and Israeli intelligence agencies. The sophisticated tool relied on computer code to take advantage of then-undiscovered security flaws, open the way into the Iranians’ software and deliver a payload.


But the use of such tools, known as “zero-day exploits,” is not reserved exclusively for the intelligence community. Instead, through a little-known and barely regulated trade, researchers around the world are increasingly selling the exploits, sometimes for hundreds of thousands of dollars apiece.

It is a trade, analysts say, that is becoming more controversial, one that even some of those in the business think should be regulated.

Exploits are tools developed by hackers and security researchers to take advantage of a specific flaw in a particular piece of software. In a piece of malware, the exploit is the component that gains access to the victim’s system, opening the way in for whatever payload follows. Stuxnet, for instance, used at least four zero-days.

Because each exploit targets one specific flaw, its useful life is short. Software manufacturers patch the flaw, and antivirus providers add detection for the exploit, as soon as it is spotted, often within days. An exploit for a flaw that has never been seen before is called a “zero-day,” because the vendor has had zero days to fix it, and there are no specific countermeasures designed to tackle it.

Analysts say the potency and unpredictability of zero-day exploits has created a strong demand for the tools. That has alarmed experts, some of whom are calling for greater government oversight.

“Everyone wants these things,” said Chris Soghoian, a D.C.-based security and privacy researcher. “One of the persistent things I hear is, come the end of the fiscal year, or the end of the quarter, people go out and buy more.”

Conflicting motivations

The industry is incredibly secretive. Most trades are conducted through middlemen, who closely guard their client list and require the researchers who sell to them to sign strict nondisclosure agreements.

Several companies and researchers say they have sold exploits to government agencies or military contractors, although it is impossible to verify such assertions.

Charlie Miller, a former National Security Agency staffer who is now principal research consultant at Accuvant, claims to have sold a zero-day exploit to a government contractor for $50,000 several years ago. He said selling exploits is the only way for researchers to generate significant income.

“The thing that helps out everyone on the Internet is if I write a patch” to fix the vulnerability, he says. “My choices basically boiled down to: Do I do the thing that’s good for the most people and not going to get me money at all, or do I sell it to the U.S. government and make $50,000?
