BANK ROBBER WILLIE Sutton’s famous line about why he robs banks—“because that’s where the money is”—was particularly apt this week after the Italian firm Hacking Team was hacked and at least two zero-day exploits the firm possessed were spilled to the public, along with about 400 gigabytes of company emails and other data.
Hacking Team has long been a source of controversy because the company sells surveillance tools to law enforcement and intelligence agencies around the world—among them repressive regimes that use the tools to spy on human rights activists and political dissidents.
But the hack this week highlights another serious issue around Hacking Team and companies like it that stockpile or store zero-day exploits, including software vendors who run bug bounty programs: they can be rich targets for hackers who might want to steal the zero-days to use them for nefarious purposes or sell them. This places an added onus on companies to protect their repositories to prevent the zero-days from getting into the hands of unintended parties.
“Hackers have been hacking each other to steal zero-days for as long as there has been hacking,” says Katie Moussouris, chief policy officer for HackerOne, a company that helps other companies manage their zero-day bug bounty programs. “Why wouldn’t you go after people who do vulnerability research and companies that have databases of their own unpatched vulnerabilities that they’re working on? These are all potential repositories of zero-days that people will want to get.”
Zero-day exploits are malicious code designed to target security holes in software that the software maker generally doesn’t know about yet or hasn’t patched yet. This makes the exploits gold to cybercriminals, intelligence agencies, and other hackers who want to sell them or use them to attack vulnerable systems.
Zero-days, if purchased, can cost anywhere from $5,000 to more than $500,000, depending on what they target and their level of sophistication. One of the leaked emails from Hacking Team discussed the company paying the security firm Netragard $105,000 to buy one “flawless” remote-code exploit. If someone can get a whole cache of zero-days by surreptitiously stealing them instead, it would be very valuable.
Hacking Team and other entities like it that store zero-day exploits—including the US government and US defense contractors and security firms who sell to the government—put the public at risk as long as the zero-days are kept secret from vendors, and vulnerable systems remain unpatched and open to attack.
One would hope at the very least, then, that these zero-days would be stored in highly secured networks, to prevent criminal hackers and others from getting them. But Hacking Team’s security was by all accounts abysmal, making it easy for the hacker who breached it to get its exploits.
Hacking Team, ironically, published a blog post on Wednesday claiming that the hacker had put everyone at risk by leaking the company’s exploits and the source code for its surveillance tools.
“It is now apparent that a major threat exists because of the posting by cyber criminals of HackingTeam proprietary software on the Internet the night of July 6,” the company wrote in the post. “HackingTeam’s investigation has determined that sufficient code was released to permit anyone to deploy the software against any target of their choice…. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation.”
The company also said that “[b]efore the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies.”
The claim, however, is undermined by the poor security the company maintained over its network, software and exploits. If the hackers put everyone at risk, they were only able to do so because Hacking Team did so first.
There have been three exploits discovered so far by researchers among the cache of Hacking Team documents leaked by the hacker on Sunday. Two of them were zero-days. One of them targets a security hole in Adobe’s Flash Player program, the other targets a kernel vulnerability in the Windows operating system.
In an internal document, Hacking Team described one of the security holes as “the most beautiful Flash bug for the last four years.” The vulnerability affects all versions of the Flash Player since version 9, including the latest version 18.
Adobe has sincereleased a patch for its zero-day hole, but Microsoft is still working on a patch for the Windows kernel vulnerability. In the meantime, the exploits have already been added to at least three exploit kits being sold to hackers in the underground—Angler EK, Neutrino, and Nuclear Pack. Exploits kits are packages that help automate hacking for attackers.
The hacker who breached Hacking Team and dumped its data online appears to have been motivated by a sense of justice—to expose the company’s hypocritical sales to repressive regimes—and probably didn’t have an interest in using the exploits to attack other targets. But if one hacker could breach Hacking Team’s network and get its exploits, others could have, too.
Hacking Team’s collection of zero days was small, since the company didn’t generally rely on this method to get its surveillance tools onto targeted systems. Many of the systems targeted by Hacking Team’s government clients were not up-to-date on patches, which meant that they could be attacked using non-zero-day exploits that were already in the public domain.
But there are other companies that possess dozens if not hundreds of zero-days, and the situation would be much worse if they were hacked.
“I’m not convinced that zero-days are so scarce that if the bad guy wants them the best way to do that is to steal them. I think there are many bad guys who will just buy them using money they stole,” says Chris Soghoian, chief technologist for the American Civil Liberties Union and a harsh critic of firms that stockpile and sell zero days. “But a company that has a hundred zero-days, if that exists, is going to be a pretty juicy target. Ultimately you’re also talking about nation-states who might want to break in and steal them.”
In 2010, hackers, believed to be from China, broke into Google and a number of other top tech companiesseeking the source codefor their software. Source code is valuable because it allows attackers to study the software and uncover zero-day flaws in it. But that’s a lot of work. If hackers could simply siphon zero-days from a repository instead, it would save them the time and trouble of poring over source code to find vulnerabilities.
Three years ago, there were rumblings that another firm—a company that has many more zero-days than Hacking Team has—was also breached: the French company Vupen Security. Its entire business revolves around the sale of zero-day vulnerabilities and exploits to government customers. In 2012, rumors began circulating that Vupen had been hacked and that 130 of its zero-days had been leaked. The news would have been huge if it had been true. But it was never substantiated, and Vupen CEO Chaouki Bekrar denied that his company had been breached.
Soghoian says that the issue raises interesting questions about liability if a company that fails to secure its zero-day repository were hacked.
“Are they liable for any harm caused by zero days stolen from them? I can image if Vupen were hacked and their zero-days were stolen and misused by others, you might find some lawyer who would say that’s an interesting case.”
In the end, the public can do little but hope that other companies that possess zero-days are storing them more securely than Hacking Team did.