NEW YORK– There’s a vibrant underground market for tools to hack you, but one company is making offers out in the open.
Last year, Zerodium publicly offered $1 million for a powerful, new hack that would remotely sneak into an iPhone running Apple’s latest software. In November, the firm announced the winner — an unidentified team of hackers.
Zerodium publicly offers up to $100,000 for Android and Windows Phone hacks. It’ll pay $80,000 for hacks that involve the Adobe PDF reader or Flash Player.
In a sense, Zerodium is a cyber arms dealer. It pays hackers to learn about their tactics, then packages that and sells it to elite subscribers.
For $500,000 or more a year, governments could buy a road map for hacking Android phones to spy on people. Companies could learn about a special hacking tactic before it’s used on their own Windows computers — or quietly use it themselves for corporate espionage.
Governments can even pay Zerodium a premium to get exclusive rights to a hacking method, though the company says those are rare.
Zerodium’s business is extremely controversial, because it is selling “zero-days,” the golden gun of the cyber world. These are rare, powerful hacks that exploit never-before-seen vulnerabilities. They get their name from the notion that tech companies have had “zero days” to fix them.
“This is a weapon,” said Zuk Avraham, founder of cybersecurity firm Zimperium. “It takes one man to write an exploit these days — one man willing to sell his soul to the devil.”
Selling zero-days on the open market can make the Internet and gadgets less safe to use, experts tell CNNMoney.
“This is not good for the security of the public at large,” said Patrick Wardle, the research director at cybersecurity firm Synack and one of the top Apple hackers around.
But Zerodium has a different point of view. CEO Chaouki Bekrar explained via email that he’s on a mission to help law enforcement investigate with better tools at its disposal.
“The recent story between the FBI and Apple shows the most interesting aspect of the zero-day business, which is the need for government agencies to get access to unpatched flaws to properly conduct investigations and save lives,” he wrote.
Bekrar said the alternative is much worse: governments demanding companies give them full, legal access to devices everywhere through a back door. That’s something the FBI was requesting until it ultimately managed to find a way to hack the iPhone of the San Bernardino shooter.
Zerodium’s CEO says the company is picky about whom it does business with, accepting money only from “major corporations and government organizations from western countries.”
An aggressive business model
There’s a very different — and more benevolent — way to deal with these kinds of dangerous computer flaws. Smart tech companies offer “bug bounties,” typically cash prizes given to researchers who spot nasty weak spots.
Google uses a bug bounty program to make its Android phones safer, and Facebook has paid $40,000 to spot bugs. Others take creative approaches. Uber has a new loyalty reward program for hackers, while United Airlines gave two hackers 1 million frequent flyer miles.
Those bug bounties make everyone’s devices safer. Zerodium’s business model only protects its customers.
“Hackers might be more apt to create weapons that can actively put users at risk — rather than disclosing it to us,” said Denelle Dixon-Thayer. She’s the chief legal officer of Mozilla, maker of the web browser Firefox.
Nonprofit Mozilla says it has rewarded researchers for spotting 260 bugs in the past two years, paying around $3,000 on average. But compare that to Zerodium, which openly advertises it will pay up to $30,000 for a Firefox hack.
Dixon-Thayer said there’s now direct pressure on tech companies everywhere to raise their bug bounty prices — making computer security even more expensive.
That might not be a problem for deep-pocketed Big Tech companies like Apple or Google, but it is a huge problem for the Internet’s most popular open source projects, which are funded by donors and run by volunteers. (Bekrar said neither Apple nor Google are customers.)
For example, Open SSL secures an incredible amount of online communication like banking, email and social media, but its budget is puny. The last sign of federal government support came in the form of a single $20,000 renewal contract from the Department of Defense in 2014.
Yet Zerodium will pay up to $40,000 for a flaw in OpenSSL — one like Heartbleed, the terrible Internet bug that threatened businesses and governments worldwide.
“It’s an unbalanced playing field,” said Casey Ellis, CEO of Bugcrowd, a company that runs one of the largest bug bounty programs. “There’s more incentive for people to drop cash on an exploit for offense than for raising defenses.”
It’s imbalanced by design.
“Offense market prices are very high to buy silence and are designed to extend the use of the exploit for as long as possible,” said Katie Moussouris. She’s a bug bounty expert who just founded her own consulting firm, Luta Security, to help companies and governments work with hackers to improve their defenses.
And Zerodium isn’t the only company selling zero-days to the highest bidder. Experts who closely watch the zero-day market say this business is also conducted by government contractors, like weapons maker Lockheed Martin, consultants at the RAND Corporation and the Florida-based Harris Corporation, which makes a police phone-tracking tool called the Stingray.
Austin-based Exodus Intelligence, for example, publicly acknowledges that it has kept hacks secret so that customers “could use the 0-day for as long as necessary before it was patched.”
And some engage in questionable behavior. Just last year, the Italian firm Hacking Team was caught selling spy tools to evil governments.
It’s an arms race out there.