Deep in Iran’s nuclear facilities, gas centrifuges used to enrich uranium began spinning erratically: fast, then slow, then fast, until they failed. First dozens, then hundreds, then an estimated 1,000 centrifuges were disabled that way, delaying Iran’s nuclear program by up to 18 months.
The cause of the failures — first disclosed in 2010 — is now well known to have been Stuxnet, the computer worm developed by U.S. and Israeli intelligence agencies. The sophisticated tool relied on computer code to take advantage of then-undiscovered security flaws, open the way into the Iranians’ software and deliver a payload.
But the use of such tools, known as “zero-day exploits,” is not reserved exclusively for the intelligence community. Instead, through a little-known and barely regulated trade, researchers around the world are increasingly selling the exploits, sometimes for hundreds of thousands of dollars apiece.
It is a trade, analysts say, that is becoming more controversial, one that even some of those in the business think should be regulated.
Exploits are tools developed by hackers and security researchers to take advantage of a specific flaw in a particular piece of software. They are the part of a computer virus that grants access to a user’s system — they open the way in. Stuxnet, for instance, used at least four zero-days.
Because they work in such a targeted way, their lifespan is short. Software manufacturers and antivirus providers work to patch the flaws as soon as a new exploit is spotted, often within days. An exploit that has never been seen before is called a “zero-day,” and there are no specific countermeasures designed to tackle it.
Analysts say the potency and unpredictability of zero-day exploits have created a strong demand for the tools. That has alarmed experts, some of whom are calling for greater government oversight.
“Everyone wants these things,” said Chris Soghoian, a D.C.-based security and privacy researcher. “One of the persistent things I hear is, come the end of the fiscal year, or the end of the quarter, people go out and buy more.”
The industry is incredibly secretive. Most trades are conducted through middlemen, who closely guard their client list and require the researchers who sell to them to sign strict nondisclosure agreements.
Several companies and researchers say they have sold exploits to government agencies or military contractors, although it is impossible to verify such assertions.
Charlie Miller, a former National Security Agency staffer who is now principal research consultant at Accuvant, claims to have sold a zero-day exploit to a government contractor for $50,000 several years ago. He said selling exploits is the only way for researchers to generate significant income.
“The thing that helps out everyone on the Internet is if I write a patch” to fix the vulnerability, he says. “My choices basically boiled down to: Do I do the thing that’s good for the most people and not going to get me money at all, or do I sell it to the U.S. government and make $50,000?
“The big issue is really the fact that researchers are put in this position to either make $50,000 doing the thing that doesn’t help anyone, or do something for free that helps people. It would be better if the system was set up to give people $50,000 to do the right thing.”
Some software vendors offer rewards of up to $5,000 to researchers who notify them of vulnerabilities. Others run conferences and offer prizes to those who can breach their software — provided the details of the attack are handed over.
A French company, Vupen, caused an uproar at one such contest this year when it demonstrated a zero-day exploit that allowed it to break into Google’s Chrome browser — and then refused to hand over details of the exploit, thus forgoing the $60,000 prize money. The high-profile showmanship created a maverick overnight.
“We wouldn’t share this with Google for even $1 million,” Vupen chief executive and head of research Chaouki Bekrar told Forbes. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
Bekrar’s actions and courting of publicity drew criticism and raised concerns that he was making the industry look irresponsible. He is eager to stress that his company is very selective about who it will sell to — but also keen to defend exploit trading.
“We highly restrict our sales and limit them to national security agencies in countries [that are] members of NATO and their allies to help them achieve their lawful intercept missions and protect our democratic countries and way of life,” Bekrar said in an interview. “Our solutions are only available to eligible governments allowed by law to perform interception missions. They are in no way available for private companies.”