But the use of such tools, known as “zero-day exploits,” is not reserved exclusively for the intelligence community. Instead, through a little-known and barely regulated trade, researchers around the world are increasingly selling the exploits, sometimes for hundreds of thousands of dollars apiece.
It is a trade, analysts say, that is becoming more controversial, one that even some of those in the business think should be regulated.
Exploits are tools developed by hackers and security researchers to take advantage of a specific flaw in a particular piece of software. They are the part of a computer virus that grants access to a user’s system — they open the way in. Stuxnet, for instance, used at least four zero-days.
Because they work in such a targeted way, their lifespan is short. Software manufacturers and antivirus providers work to patch the flaws as soon as a new exploit is spotted, often within days. An exploit that has never been seen before is called a “zero-day,” and there are no specific countermeasures designed to tackle it.
Analysts say the potency and unpredictability of zero-day exploits have created a strong demand for the tools. That has alarmed experts, some of whom are calling for greater government oversight.
“Everyone wants these things,” said Chris Soghoian, a D.C.-based security and privacy researcher. “One of the persistent things I hear is, come the end of the fiscal year, or the end of the quarter, people go out and buy more.”
The industry is incredibly secretive. Most trades are conducted through middlemen, who closely guard their client list and require the researchers who sell to them to sign strict nondisclosure agreements.
Several companies and researchers say they have sold exploits to government agencies or military contractors, although it is impossible to verify such assertions.
Charlie Miller, a former National Security Agency staffer who is now principal research consultant at Accuvant, claims to have sold a zero-day exploit to a government contractor for $50,000 several years ago. He said selling exploits is the only way for researchers to generate significant income.
“The thing that helps out everyone on the Internet is if I write a patch” to fix the vulnerability, he says. “My choices basically boiled down to: Do I do the thing that’s good for the most people and not going to get me money at all, or do I sell it to the U.S. government and make $50,000?