PARIS – In 140 characters of hacker jargon, French security company Vupen tweeted on Oct. 30, 2012 that they had discovered a security flaw in Windows 8 and that they were selling it to the highest bidder.
Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8
— VUPEN Security (@VUPEN) October 30, 2012
Microsoft had just launched its new operating system for computers, phones and tablets. Thanks to this “vulnerability” (also called a “zero-day exploit”), Vupen – or another team of hackers – could create a malware to hijack any Windows 8 device remotely.
The firm, based in Montpellier, France, is famous in the field of software hacking. In March 2011, during the Pwn2Own hacker challenge held at the CanSecWest security conference in Vancouver, Canada, Vupen won by using a weakness in Apple’s Safari browser to hijack a Macbook.
At the time, Vupen’s co-founder, Chaouki Bekrar, had told Zdnet: “The victim visits a web page, he gets owned. No other interaction is needed.”
Vupen did it again at the 2012 Pwn2Own challenge when it successfully hacked Google Chrome and Microsoft’s Internet Explorer 9. Google had offered a $60,000 reward for Chrome-specific exploits, and full details of zero-day exploits used, but Chaouki Bekrar created controversy by refusing Google’s offer. He said he would be withholding the details of the exploit to sell to his better paying customers. Google replied by calling him “an ethically challenged opportunist.”
@cbekrar Some things are done solely for the purpose of making the Internet safer—despite the spin from ethically challenged opportunists.
— Justin Schuh (@justinschuh) August 10, 2011
Who are these high-paying customers? When hackers find an exploit (or flaw), they are supposed to inform the software vendor or a security company that will verify the exploit and find a way to patch the software’s flaws. For a long time, software vendors enjoyed these services for free, but in the 2000s, U.S. hackers launched a movement to get paid. Since then, many software, Internet and telecommunication companies have been publishing the going rate they are willing to pay for security vulnerabilities: from $100 to $20,000 depending on complexity or originality.
But some companies have chosen a more lucrative market. They deal in “offensive security” – a euphemism for spying and data theft. Instead of working with software vendors, these firms sell their exploits to the highest bidder, which are usually official organizations: police, army, secret services. These organizations use the exploits to track delinquents, monitor companies, foreign governments or their own citizens.
Some countries also use these tools to sabotage servers. This is what happened in Iran in 2010 when a uranium enrichment plant was attacked by the Stuxnet malware virus, which was assumably created by the U.S. and Israel. Because of this risk, countries need to be constantly aware of newly detected flaws in software and networks – and for this they turn to the private sector.
In the U.S., weapon manufacturers such as Raytheon and Northrop Grumman have opened “offensive computer security” departments. Several American companies have specialized in this field as well. The most famous is Immunity, based in Miami Beach, which organizes every year a security conference called “Infiltrate.” Immunity sells software packages with various infiltration methods, including fake websites that mimic Amazon, LinkedIn or Hotmail to trap the user.
Shady middlemen
There are new actors on this highly lucrative market – exploit brokers. They buy zero-day exploits from independent hackers and resell them to the highest bidder. The two best-known brokers are Netragard, from Massachussets and The Grugq, a South-African living in Bangkok, Thailand, who claims to make hundreds of thousands of dollars a year.
European firms are very active on this market. Gamma Group, an Anglo-German company sells software called Finfisher, which can remotely activate a smartphone“s microphone to spy on conversations. The British government has announced that it would limit the sale of Finfisher, but that it wouldn’t ban it. There is also a firm in Italy called the Hacking Team. But the most famous European company is Vupen.
On its official website, Vupen claims that it doesn’t sell its products to just anyone. The firms says it respects the embargos enforced by the EU, the UN and the U.S., and only deals with “trusted” States, members of NATO, Anzus (in the Pacific region) and Asean (in the Asian region), as well as special “partner States” – meaning it still has plenty of countries to work with.
Despite these precautions, Vupen and other offensive security companies are making many enemies. In the U.S., the libertarian hackers, privacy rights organizations, security companies and Internet giants like Google have launched campaigns in which offensive security firms are compared to weapons smugglers, “modern-day merchants of death.”
These activists and organizations are saying that the offensive security systems always end up – one way or another – into the hands of authoritarian regimes, which use them extensively.
Canadian researcher Morgan Marquis-Boire, who works for Google, says he found spyware made by the Hacking Team in Dubai, in the laptop of an opponent to the regime, and also on a pro-democratic website in Morocco. He believes the two countries are exploiting a vulnerability discovered by Vupen. Marquis-Boire also says that the Finfisher spyware was sold to the Egyptian police, and also turned up in Bahrain, Kuwait, Turkmenistan, Ethiopia and Brunei.
The libertarian groups believe these companies are a threat to civil liberties – even when they are in the hands of western countries – and that democratic nations shouldn’t use such tools.
U.S. activist Christopher Soghoian, of the American Civil Liberties Union (ACLU), accused his own government of being the best client of these zero-day salesmen: “Google and Microsoft can’t outbid the U.S. government – they will never win a bidding war with the army, navy or NSA.”
He also says that Western countries are playing a dangerous game and warned of a risk of “blowback,” saying that weaponized zero-day exploits sold by Vupen to a foreign government could be sold over and over again, without any control – to be later used against the Western countries that bought them in the first place.
Eric Filiol, a former French secret services agent and cryptography expert doesn’t agree. He says that Vupen is “one of France’s technological jewels.” He believes that “Chaouki Bekrar is a true CEO and a patriot, working for his country.” Yes, he knows Vupen sells his exploits to foreign countries, “but that’s a good thing, it brings in foreign currencies.”
