Ahmed Mansour, a human rights activist based in the United Arab Emirates, has been subjected to years of cyberattacks for his activism. But this August, he received one of unprecedented sophistication.
On consecutive mornings, Mr. Mansour received texts from an unknown number with a link promising “New secrets about torture of Emiratis in state prisons.” Wary of a hack, he forwarded the message to Citizen Lab, a University of Toronto laboratory focused on electronic communications and human rights. Researchers there confirmed Mansour’s suspicions. They traced the text and link to the NSO Group, an elite Israeli cybersecurity surveillance firm that sells hacks to governments.
If Mansour had clicked the link, the sender (likely the UAE, researchers concluded) would have been able to use Mansour’s iPhone to follow his movements, log his messages, and turn on his microphone and camera to record any conversation. The hack, known as a zero-day, was worth hundreds of thousands of dollars.
“The party responsible would have had to pay a substantial amount of money in order to successfully compromise Mansour’s phone,” Citizen Lab researcher John Scott-Railton said. “That effectively priced the value that the state put on compromising the communications of a human rights defender.”
For Scott-Railton and his colleague Bill Marczak, who traced the attack, the hack illustrated the true reach and danger of what’s become known as the zero-day economy: a vast bazaar of legitimate and dubious tech companies, nation-states, and elite hackers known as “vulnerability researchers” trading in keys to some of the world’s strongest cyber locks.
Anyone can purchase a zero-day attack. Got a spare few hundred thousand dollars and a connection to the Dark Web? You can buy one yourself. And, with few laws governing the trade, it is largely legal.
The most sophisticated of hacks, zero-days, derive their name from the fact that the vulnerabilities they prey on are unknown to the software’s maker, so the vendor has had “zero days” to patch the flaw before the attack. Countries and zero-day exploit sellers like NSO Group have long justified this market on national security grounds, Scott-Railton said, and indeed such an exploit helped the FBI break into the San Bernardino shooter’s iPhone. But attacks like the one on Mansour have revealed the threat they pose in an increasingly web-reliant world.
“What we have seen clearly is that hacking can erode the democratic process,” Scott-Railton said. “It’s easy to see an analogy with the 20th century and the proliferation of weapons and the insecurity that brought, and the global proliferation of tools and hacking.”
As this “grey” marketplace (few laws regulate the sale of zero-days, but they are often used illicitly) has grown, tech giants like Apple, Microsoft, and Google have set up their own marketplaces to compete, paying hackers to find vulnerabilities before others do. These so-called “bug bounty” programs are taking up a growing share of the zero-day economy, but it remains unclear how effective they’ll be at curbing virtual break-ins.
These bug bounty programs can’t match the payouts hackers can find on the grey market, where prices for, say, an iOS hack can run upwards of $1.5 million. But they offer a slew of other benefits, including public recognition and the opportunity to make the cyberworld a bit more secure. Bounty programs publish a list of the bugs found and who found them, allowing newcomers to build a name for themselves.
The idea is to attract enough legitimate researchers to drive up prices on the grey market, and to encourage students and young people, said Mårten Mickos, CEO of HackerOne, a company that runs bug bounty programs for large companies such as Starbucks and General Motors.
Mickos cited Kevin Roh, a senior at University of Las Vegas, who applied to be an Uber driver last summer. After logging into Uber’s online driver portal, Mr. Roh found that by clicking on a tab labeled “Vehicle” at the right time, he could access the tax information, social security numbers, and driver’s licenses of some 900 other drivers. He reported the flaw through Uber’s bug bounty program, and the company fixed it.
Since then, Roh has all but abandoned Uber driving to pursue bug bounties as a full-time gig alongside his studies. He’s also become the fourth-ranked researcher on HackerOne.
“In the beginning it was making money, but (now) mainly it’s to help companies fix security flaws,” Roh, who now plans on specializing, said. “Every single day we use these products, and we don’t want to be vulnerable to what other hackers will be able to find.”
Before Microsoft officially launched its bounty program in 2013, the company already published an annual list naming vulnerability researchers who had voluntarily reported bugs. Cybersecurity expert Katie Moussouris convinced Microsoft to start a bug bounty program as a way of bringing in even more researchers and encouraging them to report bugs during the beta period, before a product shipped.
“Researchers were already coming forward for free even though they could have been selling those bugs,” Moussouris said. “So we knew we had a pool of friendly hackers who actually just wanted to get the bugs fixed as opposed to going for highest bidder. That was a mythology that all hackers would just automatically go for the highest bidder.”
Still, it can be hard for legitimate programs to compete with the grey market. Hackers there are more established than a college student such as Roh.
“These aren’t your 15- or 16-year-old kids,” said Trey Herr, co-editor of “Cyber Insecurity: Navigating the Perils of the Next Information Age.” Many are former employees of intelligence agencies or top software development companies, such as the NSO Group leaders who came from the Israeli equivalent of the NSA. They spend years refining and assembling their “test rig,” essentially a hacker’s tool belt, and can work for over a year on cracking a particularly hardened target such as iOS or Google’s software.
Bug bounty programs aim to undermine the grey market by simply recruiting more, if not the best, hackers. Many of these researchers can’t enter the grey market, where one needs contacts and credibility, so their only outlet is bug bounty programs.
At its best, a bug bounty program can entice grey-market hackers to flip to the more legitimate marketplace. Mickos pointed to Apple’s bounty program as one of the most successful. Since it launched this August, the exploit broker Zerodium has raised its price for a vulnerability that breaks into iOS from $1 million to $1.5 million, Mickos said.
Still, Citizen Lab researcher Scott-Railton said there is a lot of work to be done. Zero-days will remain attractive to undemocratic governments and other groups, he said, because nothing else can give them such easy access to anyone with a phone or laptop.
“These exploits are the keys,” Scott-Railton said. “It’s hard to think of a clearer example of knowledge directly translating into power.”