The FBI isn’t the only one paying hackers huge sums for ways to break into personal devices.
The agency's recent purchase of a hacking tool used to unlock the San Bernardino shooter's iPhone highlighted a shadowy, high-dollar market for “zero days” — security holes that the software's maker doesn’t know exist and therefore hasn’t patched.
The manufacturers themselves are last in line: the rewards they pay are nowhere near as rich as those offered by third parties who want the bug for offensive use.
While zero-days can be bought for lawful reasons — such as the unknown method the FBI purchased to break into the San Bernardino shooter’s phone — the lucrative market means that everyday users of the product can be left vulnerable to the bad guys, too.
It also means that those exploits could be sold to unethical end-users — like governments with poor human rights records that want to use the information as a surveillance tool, for example.
“When these markets are keeping the vulnerabilities out of defenders’ hands, it’s the users who suffer,” said Katie Moussouris, an independent consultant who is currently helping the Defense Department launch the first federal “bug bounty” program.
Because of the secretive nature of the business, security experts say it’s difficult to gauge the exact size of the market for “offensive” tools. Buying and selling flaws is legal, but the value of a given vulnerability skyrockets when it is exclusive to the purchaser.
Some contracts even include riders that reduce the price if the manufacturer discovers and fixes the flaw within a given timeframe.
“The useful lifespan is only for as long as that bug continues to exist and the targets you want to use it to attack remain vulnerable,” said Casey Ellis, founder of Bugcrowd, which connects security researchers with software manufacturers.
“You can get lots of different bites out of the same piece of code, which makes that piece of code more valuable,” he said.
In other words, the business rewards discretion.
Prices can range from five to seven figures, depending on the terms of the deal.
According to documents leaked from the Italian spyware vendor Hacking Team, a Russian hacker sold the company an Adobe Flash exploit for $45,000.
In his initial pitch, the hacker offered six “ready-to-delivery” exploits with a scaled pricing model.
“All prices in the list are non-exclusive. Exclusive sales are possible but the price will grow in 3 times. [sic] Volume discounts are possible if you take several bugs,” Vitaliy Toropov wrote in an email to Hacking Team’s CEO.
In September, an exploit broker called Zerodium, which buys zero-days and resells them to its clients, announced that it would pay $1 million for a jailbreak of Apple’s newly released iOS 9.
The reward was the largest known bounty ever offered — and within two months, Zerodium had its bug.
The offer required hackers not to disclose the vulnerability to Apple so that Zerodium’s customers could use the hack in secret.
The company’s founder, Chaouki Bekrar, has faced searing condemnation in the past for selling zero-day exploits for profit. ACLU lead technologist Chris Soghoian has called him a “modern-day merchant of death,” selling “the bullets for cyberwar.”
Bekrar, meanwhile, has remained staunchly unapologetic.
According to the company’s website, its clients include “major corporations in defense, technology, and finance, in need of advanced zero-day protection, as well as government organizations in need of specific and tailored cybersecurity capabilities.”
But because of the difficulty of tracking the secretive chain of custody for an exploit, it’s impossible to say where the knowledge will eventually end up — a fact Bekrar himself has acknowledged.
“If you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency,” he told Wired in 2012.
The government, meanwhile, has been purchasing hacking tools for years, security experts say. The difference now, thanks to the feud with Apple, is that the practice is in the public eye.
The FBI, for example, has over the last five years routinely contracted with Cellebrite, an Israeli mobile forensics firm that publicly boasts of its ability to hack into Apple devices. The company has received over $2 million in purchase orders from the agency since 2012.
Although many of the contracts appear to be for equipment supply services, the FBI does have some five-figure contracts with the company for “information technology software.”
So why don’t software vendors offer bug bounties that can compete with the offensive market?
For one thing, Ellis says, bugs purchased for defensive purposes are a “one-shot kill”: once the vendor patches the flaw, it can never be used again, which gives such bugs less intrinsic value in the broader marketplace for vulnerabilities.
Plus, Moussouris says, “If companies go past a certain price for an individual bug, they’d have a hard time keeping their own developer talent in-house as opposed to having them just quit and get paid monumental sums per bug.”
Many larger, multinational platforms do offer substantial bounties. Facebook, for example, says it has paid out more than $4.3 million to more than 800 researchers globally. Google paid out over $2 million last year and this year is doubling its top reward to $100,000.
Apple, notably, does not offer a bug bounty. Senior engineers at the company say there are pros and cons to such programs, and that altruistic hackers still send it bugs to fix.
Despite the risks associated with a thriving zero-day market, security experts stress it would be almost impossible to regulate from a technological perspective.
Companies seeking to shore up their defenses use exactly the same tools to identify and patch weaknesses that the FBI might use to break into a locked iPhone, or that an unfriendly nation-state might use to spy on the U.S.
“An exploit is dual-use at the end of the day. You can use it to do good things and you can use it to do bad things,” Ellis said.