It might come as a surprise to many of you, but there is a booming market of buying and selling zero-day exploits of popular software and
operating systems. An exclusive zero-day hack for iOS could get you
anywhere in between $100,000 to $250,000.
According to reports in
Forbes, any resourceful hacker today has an option to sell zero-day
exploits to government agencies via middlemen like Bangkok based 'the
Grugq'. For those of you not familiar with the term 'zero-day hack', it
is basically a software hack that tries to exploit security vulnerabilities, which are unknown to others or the developer of
software in question.
Traditionally, hackers would tell about a
security vulnerability to the original software developer, or present it
at a security conference or even participate in zero-day initiatives by
software firm and earn $5,000-$10,000. But, within last year the
market of selling the hacks to government spy agencies has grown many
folds and there are suddenly deals worth millions going around all over.
Forbes report mentions that Grugq, who has started working as a
middleman last year itself, is already on track to earn a million in
revenue this year, thanks to the 15 percent that he gets on every deal.
While $250,000 for a security exploit might
sound like a lot but it requires the hack to be exclusive, work on the
latest version of the software and should be unknown to the developer of
that particular software. The deal money is sometime paid in
instalments, with instalments depending on the hack not getting patched
by the original software developer.
Not every hack is worth
hundreds of dollars; the price of an exploit is dependent on the
popularity of software in question as well as difficulty to crack it.
For example an iOS hack is most costly because of the tougher security
measures taken by Apple than Android hacks, which are often developed by
agencies in-house only.
The middlemen like Grugq prefer selling
the hacks to western or European governments, mainly because they pay
more than others and there is a huge competition in markets like China
from home-grown hackers. Selling to government agencies is also
considered safer because deals with mafia or other shady organisations
can go south anytime.
Grugq is not alone; there are many other individuals and firms in the business of buying and selling software exploits.
As
you would expect, there are individuals and organisations that are
vocal against these practices, one of the prominent ones being Chris
Soghoian of Open Society Foundations. He has even termed hackers selling
exploits to spy agencies as 'the modern day merchants of death' selling
'bullets of cyberwar'.
