The Follina vulnerability in Microsoft’s Office 365 software has been causing security headaches for IT teams in recent months. But how much is it worth? According to Zerodium, a company that buys and sells previously unknown ‘zero day’ exploits like Follina, the researcher who first discovered it could have netted themselves a cool $250,000 had they sold the details to a broker before publishing them online.
Follina is a fairly common type of vulnerability, a remote code execution flaw that allows hackers to take control of an infected system when a user clicks on a bogus link. For rarer – and more dangerous – vulnerabilities, especially those which can be deployed without any user knowledge or involvement, brokers like Zerodium claim they are prepared to pay bigger sums, sometimes running into millions of dollars.
Indeed, the trade in zero day exploits is flourishing, with cybercriminals keen to exploit these previously unknown vulnerabilities, and private companies and national governments looking to use them to gain a commercial, or geopolitical, edge. But the market remains a murky one, and the chances of greater regulation are diminishing, experts told Tech Monitor.
What is a zero day vulnerability?
A zero day, or 0-day, vulnerability is a newly discovered problem in a piece of software which can be exploited by hackers. It is so called because the company whose systems are vulnerably have had “zero days” to fix it.
Last year, 58 of these novel vulnerabilities were discovered, according to Google’s Project Zero, which tracks new zero day problems at major software vendors, making it the most prolific year since the project launched in 2014. So far 21 have been uncovered in 2022.
While these vulnerabilities are considered “new”, many relate to previous problems that have not been solved properly. Project Zero’s review of 2021 notes that the vast majority of zero days it found are “similar to previous and publicly known vulnerabilities. Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox.”
This trend has continued into 2022. In an update posted last month, Project Zero engineer Maddie Stone said: “We found that at least nine of the 0-days [discovered in 2022] are variants of previously patched vulnerabilities. At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests.”
Google itself is the company that has been most commonly affected by zero days this year, according to Project Zero’s research.
Who buys and sells zero day vulnerabilities?
A market for zero days has existed for many years, but “the field has changed significantly since the early 2000s,” says Dr Max Smeets, a researcher at the ETH Zurich university Centre for Security Studies. “Back then we saw very few security researchers talking about how they would be willing to sell these exploits to the highest bidder,” he says. “And it would be an individual selling to a nation-state or particularly a private sector company.”
Now the process is more commercialised, with the emergence of brokers like Zerodium who offer to pay researchers for their discoveries and sell them on to clients in the private and public sectors. Despite this big change, the main buyers of zero days remain national governments, Smeets says.
“Many European countries won’t buy zero day exploits, but there are a select number of countries that will buy them,” he says. “This includes the US government, which has a huge budget, and the UK government, and we know typically they are bought by the intelligence agencies like the CIA or the NSA, although as we see more countries establish military cyber commands they may be interested too.”
A host of security companies has also emerged that promise clients access to certain systems. The most high profile is the NSO Group, developer of the Pegasus spyware which has been used by authoritarian regimes to snoop on political opponents, activists and reporters. European governments including the UK and Spain have been breached by Pegasus, it has been revealed in recent months.
“When you’re selling your tools to a government or another group, you may want to integrate some zero days to ensure much higher chances of access,” Dr Smeets says. “They will integrate them into a package they are selling and suddenly that platform becomes a lot more valuable. So you see many of these companies being willing to pay a really high price for certain types of exploit.”
Researchers who discover zero day vulnerabilities can report them to the companies affected, many of which will pay for the privilege through so-called ‘bug bounty’ programmes.
But a regular complaint is that companies are slow to pay out promised bounties, and Dr Smeets says that in any case, many of those who discover zero days would rather not report them through official channels. “These people have their own history, and often it is not a pretty one,” he says. “So they might be wary of going through a formal process to get paid by Microsoft or whoever. They might not want to give out their bank account details, or might request payment in a certain currency.”
The risks of the zero day market
Brokers can be useful as a matchmaking service for these sellers of zero day exploits, says Dr Smeets, but using them is not without its drawbacks. “They can add trustworthiness and a degree of transparency and are a good matchmaking service,” he says. “You might be a good developer but have no contacts in government to sell your zero day to, so the broker comes in and provides a very visible platform that you can access.”
However, what researchers actually get paid by these brokers is less clear, despite Zerodium and other brokers listing high prices they supposedly pay for exploits on their websites.
Dr Smeets points to data leaked by Italian spyware company Hacking Team in 2015, which showed that not only did the business struggle to find zero days to buy, it also had difficulty selling them. The leaks appear to show payments to researchers were heavily staggered, and could be cancelled if an exploit was discovered in use elsewhere.
“The brokers have these beautiful price lists on their website, but in reality, it’s hard to know what they pay and what they are able to sell,” says Dr Smeets. “We know from the Hacking Team leaks that those kinds of companies weren’t able to sell a lot of zero days at the time. But they need to maintain a public profile that, on the one hand, have great buying power and on the other, great selling power.”
Hacking Team’s troubles getting hold of zero days – the leaks show it was only able to buy five in six years – reflect a reticence among some security researchers to sell their exploits to governments, Dr Smeets says. If nations are able to get their hands on one, it comes with risks attached. “We’ve seen examples where governments have bought an exploit that then turned out to be useless,” he says. “You really need to test the exploit before you decide to buy it, but not every seller is willing to do that.”
The other issue for buyers, he says, is knowing they have sole access to a vulnerability. “There’s always the danger that it is not an exclusive sale, even if you agreed on it,” Dr Smeets says. “You can never know for sure.”
The future of the zero day trade
Trading zero days is not illegal, but the opacity of the market means experts have argued it should be subject to greater regulation.
Zero days could potentially be brought under the auspices of the Wassenaar agreement, a voluntary export control arrangement that governs the responsible trade in weapons and other technologies. However, Mailyn Fidler, incoming assistant professor of law at the University of Nebraska and a specialist in criminal law and cybersecurity, says this is unlikely for several reasons.
The first, Fidler says, is that the presence of private security companies in the market means the incentive to legislate against other sellers decreases. “If governments like the US can buy from regular military contractors, they have a safe supply,” she says. “And there’s less incentive to regulate the global supply of zero days and tackle less responsible sellers.”
Geopolitical changes, and tensions between the US, Europe, Russia and China are also a factor, Fidler says. “The changing context in Russia has thwarted any hopes of a concerted effort on this,” she says. “Israel [where NSO Group is based] has also been unwilling to come to the table. These are big players in this area, and without their willingness to co-operate regulation is not going to happen.”
Fidler adds that “domestically we could see countries taking action, or even regionally in places like the European Union”, limiting the trade of zero days to and from their borders. But, she says, “the chances of international regulation are slim”.
So the trade is likely to continue, and Dr Smeets says most interest in the short term is likely to remain in the area of mobile devices. The highest ticket items on Zeronium’s website are vulnerabilities offering full, zero click, access to Android systems, which could net anyone who discovers one up to $2.5m, the broker claims. Pegasus spyware works by accessing the mobile devices of targets without their knowledge.
“The trend towards mobile devices is likely to continue, and whereas iOS [Apple’s operating system] zero days used to command the highest price, we’re now seeing a trend towards Android,” Dr Smeets says. “This is because Android has improved its security, and the number of users has increased massively. This is a trend I expect to continue, at least in the short term.”