But the use of such tools, known as “zero-day exploits,” is not reserved exclusively for the intelligence community. Instead, through a little-known and barely regulated trade, researchers around the world are increasingly selling the exploits, sometimes for hundreds of thousands of dollars apiece.
It is a trade, analysts say, that is becoming more controversial, one that even some of those in the business think should be regulated.
Exploits are tools developed by hackers and security researchers to take advantage of a specific flaw in a particular piece of software. They are the part of a computer virus that grants access to a user’s system — they open the way in. Stuxnet, for instance, used at least four zero-days.
Because they work in such a targeted way, their lifespan is short. Software manufacturers and antivirus providers work to patch the flaws as soon as a new exploit is spotted, often within days. An exploit that has never been seen before is called a “zero-day,” and there are no specific countermeasures designed to tackle it.
Analysts say the potency and unpredictability of zero-day exploits has created a strong demand for the tools. That has alarmed experts, some of whom are calling for greater government oversight.
“Everyone wants these things,” said Chris Soghoian, a D.C.-based security and privacy researcher. “One of the persistent things I hear is, come the end of the fiscal year, or the end of the quarter, people go out and buy more.”
The industry is incredibly secretive. Most trades are conducted through middlemen, who closely guard their client list and require the researchers who sell to them to sign strict nondisclosure agreements.
Several companies and researchers say they have sold exploits to government agencies or military contractors, although it is impossible to verify such assertions.
Charlie Miller, a former National Security Agency staffer who is now principal research consultant at Accuvant, claims to have sold a zero-day exploit to a government contractor for $50,000 several years ago. He said selling exploits is the only way for researchers to generate significant income.
“The thing that helps out everyone on the Internet is if I write a patch” to fix the vulnerability, he says. “My choices basically boiled down to: Do I do the thing that’s good for the most people and not going to get me money at all, or do I sell it to the U.S. government and make $50,000?
“The big issue is really the fact that researchers are put in this position to either make $50,000 doing the thing that doesn’t help anyone, or do something for free that helps people. It would be better if the system was set up to give people $50,000 to do the right thing.”
Some software vendors offer rewards of up to $5,000 to researchers who notify them of vulnerabilities. Others run conferences and offer prizes to those who can breach their software — provided the details of the attack are handed over.
A French company, Vupen, caused an uproar at one such contest this year when it demonstrated a zero-day exploit that allowed it to break into Google’s Chrome browser — and then refused to hand over details of the exploit, thus forgoing the $60,000 prize money. The high-profile showmanship created a maverick overnight.
“We wouldn’t share this with Google for even $1 million,” Vupen chief executive and head of research Chaouki Bekrar told Forbes. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
Bekrar’s actions and courting of publicity drew criticism and raised concerns that he was making the industry look irresponsible. He is eager to stress that his company is very selective about who it will sell to — but also keen to defend exploit trading.
“We highly restrict our sales and limit them to national security agencies in countries [that are] members of NATO and their allies to help them achieve their lawful intercept missions and protect our democratic countries and way of life,” Bekrar said in an interview. “Our solutions are only available to eligible governments allowed by law to perform interception missions. They are in no way available for private companies.”
Some U.S. exploit brokers offer more qualified defenses of their trade. Netragard, like several other U.S. firms, acts as a middleman, sending out a list of sought-after exploits it would be willing to buy at prices ranging from $20,000 to $100,000. The list is delivered to researchers who have signed up for its program and are willing to abide by confidentiality requirements.
Adriel T. Desautels, Netragard’s chief executive, said his business will sell only to U.S. companies and organizations and only when he can verify an end-use. Zero-days, he said, can be used to help companies develop defensive software or simulate attacks on their systems. He said that he wished his company could work more with software vendors but that they have never approached him. To make the first move, he said, would cause problems.
“If we approached a vendor and said, ‘Hey guys, we’ve got this awesome zero-day and we want you to buy it,’ that’s either borderline extortion, or it’s extortion,” Desautels said. “I can’t do that.”
Definition of the product
Regulating a trade such as zero-days is not unprecedented. The U.S. Commerce Department, which experts suggest would be responsible for any export controls on zero-days, regulates the sale of software and exploits related to cryptography as well as some penetration-testing software, which is used to evaluate security vulnerabilities.
Germany, meanwhile, is one of the few countries to stringently regulate exploits. Not only is it illegal to sell exploits in Germany, but it is also illegal to distribute them for free — a practice used to notify the world of vulnerabilities — or to create or research them.
The debate over regulation turns in part on whether computer code can be classified as free speech and thus be excluded from restrictions.
“The Supreme Court has never explained to us exactly where software and code fall in the spectrum of protected speech, and when code becomes a product that’s easily regulable,” said Andrea M. Matwyshyn, an assistant professor of legal studies and business ethics at the University of Pennsylvania’s Wharton School. “It’s a hole — something the Supreme Court will definitely need to take up.”
Some are skeptical that regulating the industry is possible or even desirable.
“It’s like trying to regulate guns,” said Richard Schaeffer Jr., a former senior cybersecurity official at NSA. “We’ve got so many gun laws on the books, and yet criminals still have guns. There will always be mean, wrong, illegitimate things that human beings do for a price. So instead of trying to regulate things away, we need to accept it’s a fact of life. And the question is, how do we coexist with it?”
Another expert, Rich Mogull, said some form of regulation for exports, rather than for the domestic market, would be reasonable. But he pointed out that any stockpiling of exploits, whether by the U.S. government or others, comes with risks.
“The situation that I worry about, from a larger standpoint, is when your offensive capability is predicated on keeping the populace vulnerable. When an exploit is patched, an exploit someone has paid maybe $250,000 for is no longer usable,” he said.
“I don’t know of any other weapons that become worthless if the population becomes any better at defending themselves. This is the equivalent of restricting sales of bulletproof vests to make sure guns keep working.”
Ellen Nakashima contributed to this report.