
Hacking Team: a zero-day market case study - colinprince
https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/
======
tptacek
This is a really amazing post.

Two things that startled me:

First, there is apparently a market for vulnerabilities that bypass the Flash
access controls for cameras and audio recording. There can be no benign
purpose for those exploits. Nobody penetration tests a Fortune 500 company
looking to see if they can light up the cameras on worker desktops.

Second, there's an _eighty thousand dollar_ price tag for a Netgear
vulnerability. That shocked me: serverside, highly targeted. Only, it turns
out, there probably isn't any such market. Apparently, some of these bugs are
listed for sale at exorbitant price with no anticipation of ever selling them.
They're not listed at close to a clearing price, but rather just
aspirationally, with the idea being that anyone who will someday, maybe,
engage a serious zero-day broker for a Netgear vuln is probably going to
derive six figures of income from that bug.

That's the theory, at least.

For future HN bug bounty/black market threads: _note the absence of Facebook
XSS vulns on these price lists_. Nobody is paying tens of thousands of dollars
for web vulns. Except the vendors. :)

~~~
archgoon
> For future HN bug bounty/black market threads: note the absence of Facebook
> XSS vulns on these price lists. Nobody is paying tens of thousands of
> dollars for web vulns. Except the vendors. :)

Is this due to the fact that the value of a Facebook XSS vuln is very low, or
that the high likelihood that Facebook will notice the vulnerability (possibly
from another source) and patch the issue before a profit can be realized?

~~~
gfosco
It's because Facebook, Google, and some others run generous bug bounties /
white-hat programs. Without committing a crime, people can make a lot for
disclosing it directly and confidentially. Vulnerabilities can pay 5-15k and
there have been 30-40k payouts. Occasionally, you'll see a blog post
explaining the process from detection to payment, like:
[http://homakov.blogspot.com/2013/02/hacking-facebook-with-oa...](http://homakov.blogspot.com/2013/02/hacking-facebook-with-oauth2-and-chrome.html)

FB paid out 1.3m in 2014. [http://www.zdnet.com/article/facebook-bug-bounty-program-pai...](http://www.zdnet.com/article/facebook-bug-bounty-program-paid-out-1-3-million-in-2014/)

~~~
tptacek
No. Facebook is probably not outbidding the black market for their
vulnerabilities. I think 'grugq is exactly right: the market for serverside
vulnerabilities with hours-long half lives is very thin. Facebook could pay
$500 for RCE, and so long as they do everything else they currently do for
security, a thriving black market would not emerge for their vulnerabilities.

It's interesting to me that there's a real market price for an Adobe Reader
flaw, but that Facebook flaws have (generous) fiat prices set by Facebook.

~~~
FireBeyond
Seems to me you could "quite easily" double dip.

Sell your exploit on the black market. A day later, sell it to the vendor.
"Sorry, they must have found and patched it"? Just ask Facebook not to
disclose your information when highlighting vulnerability payouts.

~~~
tptacek
If you read this whole post, you'll see that buyers expect this behavior, and
payments are escrowed or tranched to account for it.

------
MichaelGG
Excellent post; very interesting!

How many of these "expensive" bugs are directly due to memory safety? From a
quick glance it looks like this entire market is held up purely on that quirk
of C/C++. Of course this is nothing compared to the money being poured into
compiler and runtime tricks to try to undo those quirks. Which is probably
little compared to the amount of money via time lost developing and debugging
such an environment.

Overall these prices seem low compared to the capability. Is that because it's
easy enough for governments and big corps to just hire teams and dev in house?
These prices are well within SMB price range if an unethical company wanted to
attack a competitor (though there's probably cheaper ways in). That, plus
given that the price to compromise even federal agents (going off known cases
where FBI and CIA agents were turned)... my doubt increases that companies can
actually keep secrets. I think of this when folks like Nikon refuse to
document camera formats under the claim that it's a trade secret they are
hiding from competitors.

It is curious though how little these go for, overall. Perhaps because they
aren't overly directly profitable (exploitable for cash)? I wonder if there's
more money in exploiting server software that you can use almost directly for
profit? Perhaps not; it could be easier for the criminals with the
infrastructure in place to find and exploit directly as part of operations.

------
chinathrow
Great writeup.

Let's not forget that people got imprisoned for political reasons because of
vendors such as HT, FinFisher by Gamma and others.

[http://www.theregister.co.uk/2014/10/16/finfisher_criminal_c...](http://www.theregister.co.uk/2014/10/16/finfisher_criminal_complaint_gamma_international/)

Vendors selling to HT and HT themselves should be sued and brought to justice
for supporting oppressive regimes. The UN charter says it all.

------
lultimouomo
Some interesting stuff that shows up in the e-mails:

Kaspersky discovered one of the exploits in use by Hacking Team, but kept quiet
for a while to trace its users and other linked code. HT's CTO Marco Valleri
considers this behaviour "morally despicable".
[[https://wikileaks.org/hackingteam/emails/emailid/990150](https://wikileaks.org/hackingteam/emails/emailid/990150)]

The price for iOS exploits is apparently in the millions, because the price is
"driven by federal programs"
[[https://wikileaks.org/hackingteam/emails/emailid/15494](https://wikileaks.org/hackingteam/emails/emailid/15494)]

~~~
tptacek
The price for iOS exploits is also high because they are distinctively
difficult to generate.

------
reilly3000
The market for exploits is far cheaper than the cost of defense against them.
It seems like firms would be better off hiring real black hats to make real
exploits than mess with white hat firms.

------
jaytaylor
What is Hacking Team's motivation for publicly sharing all of this seemingly
private underworld information?

~~~
josu
They didn't share it voluntarily; they got hacked, and 400GB of data from their
servers turned up in a data dump.

[http://leaksource.info/2015/07/07/hacking-team-hacked-400gb-...](http://leaksource.info/2015/07/07/hacking-team-hacked-400gb-data-dump-of-internal-documents-emails-source-code-from-notorious-spyware-dealer/)

~~~
jaytaylor
I see, thank you for the context!

So then my next question would be what is this person hoping to do by
publishing the info like this?

~~~
lawnchair_larry
Activism. Hacking Team were not liked.

------
cletus
I don't want to be that guy but trying to read this on a tablet is a major
pain. The scrolling keeps breaking. Why do people mess with something that
isn't broken?

