The not so black market of exploits sold by virtual arms dealers is starting to creep from the shadows and onto front page news. This is partly thanks to the new firm named Zerodium, a semi-startup whose main objective is finding exploits in software and harware and selling them to high profile companies, financial institutions, and governments. The theory is simple: find hacks in software and sell them for profit.
The clients of Zerodium and others like it are often countries, institutions, and governments seeking to either protect themselves from these exploits or to use the hacks for espionage and intelligence. Zerodium proudly flaunts the fact that they do not give up the secrets to the software companies themselves.
Recently headlines were made when Zerodium offered up a $1 Million USD bounty for a jailbreak exploit for the iPhone. Hackers were successful in finding a hole in a browser (either Chrome or Safari, it hasn’t been publicly confirmed yet) that allows the infiltration of the phone to gather data.
It was a very public announcement for a type of business transaction that has usually been kept in the shadows. Zerodium did not break any laws as of yet – it’s not a crime to discover holes in code nor sell them. Neither are they responsible to give such information back to the company or individual who owns the code in question.
Although Apple’s iOS isn’t the easiest nut to crack, it’s not impossible. The only thing you need is a lot of money. That’s why Chaouki Bekrar, founder of Zerodium, offered up the huge bounty. Bekrar will conceivably go on to sell this hack to an as yet unknown United States agency.
Bekrar has been publicly criticized by heavy hitters such as Google, who compare his dealings as selling bullets in a virtual war. Given the move to virtual everything these days, Bekrar could conceivably be seen as a kind of arms dealer. Zerodium is different in that it builds rather than buys zero day exploits such as this.
Zerodium will not immediately make the vulnerability known to Apple, although they “may” later send it to Apple’s engineers so that they can patch it.
Companies have long sponsored “hackathons,” awarding prize money to those who can dismantle a company’s software. However Zerodium is now going rogue, engineering hacks for profit.
Although Bekrar’s earlier company Vupen only dealt with NATO members, they are still criticized for operating in a very grey area that has some ethical questions. The exploits are merely sold, and what those exploits are used for can become unknown very quickly.
With the success of this rather ingenious marketing ploy, it’s likely that copycat corporations will pop up following Zerodium’s lead. The world of tech is certainly beginning to look like a cyber thriller scifi novel.