Tuesday, May 10, 2016

Hackers have wealthy and generous clients at several levels of the market. What does that mean for trends in cyber security?

Hackers get big paychecks from multiple sources 

The FBI isn’t the only one paying hackers huge price tags to hand over ways to hack into personal devices.


The agency's recent purchase of a hacking tool used to unlock the San Bernardino shooter's iPhone highlighted a shadowy, high-dollar market for “zero days” — security holes that software companies don’t know exist.
Such vulnerabilities aren’t only valuable to U.S. law enforcement and intelligence agencies seeking a way into locked devices and the data on them. They’re also of interest to other nation states, organized crime groups and companies that develop and sell surveillance software. Last in line are the manufacturers themselves, whose rewards are nowhere near as rich as those offered by third parties who want the bug for offensive purposes.
While zero-days can be bought for lawful reasons — such as the unknown method the FBI purchased to break into the San Bernardino shooter’s phone — the lucrative market means that everyday users of the product can be left vulnerable to the bad guys, too.
It also means that those exploits could be sold to unethical end-users — like governments with poor human rights records that want to use the information as a surveillance tool, for example.
“When these markets are keeping the vulnerabilities out of defenders’ hands, it’s the users who suffer,” said Katie Moussouris, an independent consultant who is currently helping the Defense Department launch the first federal “bug bounty” program.
Because of the secretive nature of the business, security experts say it’s difficult to gauge the exact size of the market for “offensive” tools. Buying and selling flaws is legal, but the value of a given vulnerability skyrockets when it is exclusive to the purchaser.
Some contracts even include riders that depreciate the price if the manufacturer discovers and fixes the flaw within a given timeframe.
“The useful lifespan is only for as long as that bug continues to exist and the targets you want to use it to attack remain vulnerable,” said Casey Ellis, founder of Bugcrowd, which connects security researchers with software manufacturers.
“You can get lots of different bites out of the same piece of code, which makes that piece of code more valuable,” he says.
In other words, the business rewards discretion.
Prices can range from five to seven figures, depending on the terms of the deal.
According to documents leaked from the Italian spyware vendor Hacking Team, a Russian hacker sold the company an Adobe Flash exploit for $45,000.
In his initial pitch, the hacker offered six “ready-to-delivery” exploits with a scaled pricing model.
“All prices in the list are non-exclusive. Exclusive sales are possible but the price will grow in 3 times. [sic] Volume discounts are possible if you take several bugs,” Vitaliy Toropov wrote in an email to Hacking Team’s CEO.
In September 2015, a company called Zerodium, which buys zero-days and resells them to its customers, announced that it would pay $1 million for a remote jailbreak of Apple’s newly released iOS 9.
The reward was the largest known bounty ever offered — and within two months, Zerodium had its bug.
The offer required hackers not to disclose the vulnerability to Apple so that Zerodium’s customers could use the hack in secret.
The company’s founder, Chaouki Bekrar, has faced searing condemnation in the past for exploiting zero-day flaws for profit. ACLU lead technologist Chris Soghoian has called him a “modern-day merchant of death,” selling “the bullets for cyberwar.”
Bekrar, meanwhile, has remained staunchly unapologetic.
