On the tiny Mediterranean island of Malta, two Italian hackers have been searching for bugs: not the island's many beetle varieties, but secret flaws in computer code that governments pay hundreds of thousands of dollars to learn about and exploit.
The hackers, Luigi Auriemma, 32, and Donato Ferrante, 28, sell technical details of such vulnerabilities to countries that want to break into the computer systems of foreign adversaries. The two will not reveal the clients of their company, ReVuln, but big buyers of services like theirs include the National Security Agency, which seeks the flaws for America's growing arsenal of cyberweapons, and U.S. adversaries like the Iranian Revolutionary Guard.
All over the world, from South Africa to South Korea, business is booming in what hackers call "zero days," the coding flaws in software like Microsoft's Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.
Just a few years ago, hackers like Auriemma and Ferrante would have sold the knowledge of coding flaws to companies like Microsoft and Apple, which would fix them. Last month, Microsoft sharply increased the amount it was willing to pay for such flaws, raising its top offer to $150,000.
Increasingly, however, the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three summers ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as Stuxnet.
The flaws get their name from the fact that once a flaw is discovered, zero days remain for the user of the computer system to fix it before hackers can take advantage of the vulnerability. A zero-day exploit occurs when hackers or governments strike by using the flaw before anyone else knows it exists, like a burglar who finds, after months of probing, a previously undiscovered way to break into a house without sounding an alarm.
"Governments are starting to say, 'In order to best protect my country, I need to find vulnerabilities in other countries,'" said Howard Schmidt, the former White House cybersecurity coordinator. "The problem is that we all fundamentally become less secure."
A zero-day bug could be as simple as a hacker's discovering an online account that asks for a password but does not actually require typing one to get in. Bypassing the system by hitting the Enter key becomes a zero-day exploit. The average attack persists for almost a year, 312 days, before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or "weaponized" by both criminals and governments to spy on, steal from, or attack their target.
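The "press Enter to get in" bug described above is easy to see in code. The following is an added example, not code from the article or from any of the companies it names: a login check with the defect (an empty password is treated as "nothing to verify" and waved through) beside a corrected version that verifies every submission against the stored hash. The user store, salt and password are constructed sample values, and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash of the password).
_DEMO_SALT = b"constructed-demo-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash; PBKDF2 keeps the check slow on purpose."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"alice": (_DEMO_SALT, _hash_password("correct horse", _DEMO_SALT))}

# Dummy record used when the username is unknown, so the code path and timing
# do not reveal whether an account exists.
_DUMMY_RECORD = (_DEMO_SALT, bytes(32))


def vulnerable_login(username: str, password: str) -> bool:
    """Defective check: an empty submission skips verification entirely."""
    if username not in USERS:
        return False
    if not password:
        # Defect: the author meant "no password to check" but wrote "let them in".
        return True
    salt, stored = USERS[username]
    return hmac.compare_digest(_hash_password(password, salt), stored)


def hardened_login(username: str, password: str) -> bool:
    """Corrected check: every request, empty input included, must match the stored hash."""
    if not isinstance(password, str) or password == "":
        return False
    salt, stored = USERS.get(username, _DUMMY_RECORD)
    # Constant-time comparison; an unknown user is hashed against the dummy record.
    return hmac.compare_digest(_hash_password(password, salt), stored)


def rejects_empty_password(login_fn) -> bool:
    """Regression check a defender would keep in the test suite for any login routine."""
    return login_fn("alice", "") is False


if __name__ == "__main__":
    print("vulnerable accepts empty password:", vulnerable_login("alice", ""))
    print("hardened accepts empty password:  ", hardened_login("alice", ""))
    print("hardened accepts real password:   ", hardened_login("alice", "correct horse"))
```

The `rejects_empty_password` helper is the kind of check that belongs in an authentication test suite: it fails against `vulnerable_login` and passes against `hardened_login`, which is how a flaw like this is caught before it ships rather than after months in the wild.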
Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free, in exchange for a T-shirt or perhaps for an honorable mention on a company's website. Even today, so-called patriotic hackers in China regularly hand over the information to the government.
Now, the market for information about computer vulnerabilities has turned into a gold rush. Disclosures by Edward J. Snowden, the former NSA consultant who leaked classified documents, made it clear that the United States is among the buyers of programming flaws. But it is hardly alone.
Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle Eastern intelligence services. Countries in the Asian Pacific, including Malaysia and Singapore, are buying, too, according to the Center for Strategic and International Studies in Washington.
For startups eager to displace more established military contractors, selling vulnerabilities and expertise about how to use them has become a lucrative opportunity. Firms like Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Texas; and ReVuln, Auriemma and Ferrante's Maltese firm, freely advertise that they sell knowledge of the flaws for cyberespionage and in some cases for cyberweapons. ReVuln specializes in finding remote vulnerabilities in industrial control systems that can be used to access or disrupt water treatment facilities, oil and gas pipelines and power plants. "They are engaging in willful blindness," said Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union.
Many technology companies have started "bug bounty" programs in which they pay hackers to tell them about bugs in their systems rather than have the hackers keep the flaws to themselves or, worse, sell them on the black market. Nearly a decade ago the Mozilla Foundation started one of the first bounty programs to pay for bugs in its Firefox browser. Since then, Google, Facebook and PayPal have all followed suit. In recent months, bounties have soared.
In 2010, Google started paying hackers up to $3,133.70 (the number is hacker code for "elite") for bugs in its Web browser Chrome. Last month, Google increased its cash prize to $20,000 for exploits in some of its widely used products. Facebook began a similar program in 2011 and has since paid out $1 million. (One payout included $2,500 to a 13-year-old. The most it has paid for a single bug is $20,000.)
"The program undermines the incentive to hold on to a bug that might be worth nothing in a day," said Joe Sullivan, Facebook's chief security officer. It has also had the unintended effect of encouraging ethical hackers to turn in others who planned to use its bugs maliciously. "We've seen people backstab other hackers by ratting out a bug that another person planned to use maliciously," he said. In many ways, the U.S. government created the market. When the United States and Israel used a series of flaws, including one in a Windows font program, to unleash what became known as the Stuxnet worm, a sophisticated cyberweapon used to temporarily cripple Iran's ability to enrich uranium, it showed the world what was possible. It also became a catalyst for a cyberarms race.
When the Stuxnet code leaked out of Iran's Natanz nuclear enrichment plant in the summer of 2010, the flaws suddenly took on new value. Subsequent discoveries of sophisticated state-sponsored computer viruses named Flame and Duqu that used flaws to spy on computers in Iran have only fueled interest.
Hackers like Auriemma, who once gave away their bugs to software vendors and antivirus makers, now sound like union organizers declaring their rights.
"Providing professional work for free to a vendor is unethical," Auriemma said. "Providing professional work almost for free to security companies that make their business with your research is even more unethical."