Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
Author: Kim Zetter
While Endgame made a concerted effort to hide its exploit business, one company that’s positively garrulous about its role in the zero-day trade is VUPEN Security, based in Montpellier, France. VUPEN bills itself as a boutique security firm creating and selling exploits to intelligence agencies and law enforcement for offensive cyber security operations and lawful intercept missions. Originally launched in 2008 to protect government clients from zero-day attacks, the company began creating exploits for offensive operations two years later. In 2011, it earned $1.2 million in revenue, nearly 90 percent of which came from sales outside France. In 2013, it announced that it was opening an office in the United States.
VUPEN’s founder and CEO, Chaouki Bekrar, is a bold and cheeky sort who likes to rile critics on Twitter who think supplying exploits to governments is unethical. He also often challenges his secretive competitors to come clean about their own zero-day trade. “We are the only company in the world saying clearly that we are doing this stuff,” he says. “There are some companies in the US or in Europe, for example, doing this, but they are doing this undercover. But we have chosen to do it clearly, just because we want to be very transparent.”[7]
Where Endgame and others take pains to keep a low profile, Bekrar and his researchers regularly travel the security conference circuit, participating in contests like Pwn2Own, to increase the company’s profile. At the CanSecWest conference (an annual computer security conference in Canada) in 2012, where the Pwn2Own competition is held, Bekrar and a team of four of his researchers took first place wearing matching black hoodies with the company’s name on the back.
But VUPEN’s transparency goes only so far. Bekrar won’t discuss his background or answer other personal questions, deflecting attention to his company instead. “I’m just an actor. I want to talk about the movie,” he says. But when it comes to the company, he’s equally close-mouthed—he won’t say how many employees he has, just that the company is small, or reveal their last names.
VUPEN’s researchers devote all their time to finding zero-day vulnerabilities and developing exploits—both for already-known vulnerabilities as well as for zero days. Bekrar won’t say how many exploits they’ve sold since they began this part of their business, but says they discover hundreds of zero days a year. “We have zero days for everything,” he says. “We have almost everything for every operating system, for every browser, for every application if you want.”
How much of Bekrar’s boasting is true and how much is strategic marketing is unclear, but whatever the case, his tactics seem to be working. In 2012, several months after his team won the Pwn2Own contest, the NSA purchased a one-year subscription for VUPEN’s “Binary Analysis and Exploits (BAE)” service. The contract, released under a public records request, was heavily redacted and didn’t reveal the price paid for the subscription. But a business-consulting firm, which named VUPEN entrepreneurial company of the year in 2011, indicated the subscription runs about $100,000 a year. According to VUPEN’s website, the BAE service provides “highly technical reports for the most critical and significant vulnerabilities to understand their root cause, exploitability techniques, mitigations and both exploit-based and vulnerability-based attack detections.”[8]
VUPEN also offers a Threat Protection Program that provides detailed research on exclusive vulnerabilities discovered by its researchers to allow customers “to reduce their exposure to zero-day attacks,” according to a company brochure that got leaked to WikiLeaks.[9]
Both of these programs are described as if they’re meant to help customers defensively protect themselves from zero-day attacks—zero-day exploits can be used to test a system for its vulnerability to an attack—but the information provided in them can also be used to offensively attack other unpatched systems. The company’s Threat Protection Package even provides customers with ready-made exploits for attacking the vulnerabilities it reveals. And VUPEN has a third service for law enforcement and intelligence agencies that’s clearly designed solely for covertly attacking targeted machines to gain remote access to them. “Law enforcement agencies need the most advanced IT intrusion research and the most reliable attack tools to covertly and remotely gain access to computer systems,” Bekrar is quoted saying in the brochure. “Using previously unknown software vulnerabilities and exploits which bypass Antivirus products and modern operating system protections … could help investigators to successfully achieve this task.”
The intrusion program is restricted to police and intelligence agencies in NATO, ANZUS, and ASEAN, as well as the partner countries of these associations—what Bekrar describes as “a limited number of countries.”
“It’s very sensitive, so we want to keep the number of customers small,” he says. But NATO has twenty-eight member countries, including Romania and Turkey, and some forty other countries are considered its partners, including Israel, Belarus, Pakistan, and Russia. Bekrar insists that VUPEN won’t sell to all of them, however, just because they’re on the lists.
The company sells exploits that attack all the top commercial products from Microsoft, Apple, Adobe, and others, as well as exploits that target enterprise database and server systems made by companies like Oracle. But browser exploits are the most coveted item, and Bekrar says they have exploits for every brand. The company sells only exploits and what Bekrar calls intermediate payloads that allow a customer to burrow into a network. It’s the customer’s job to weaponize the exploit with a final payload.
After Stuxnet was discovered, VUPEN also turned its attention to industrial control systems when customers began inquiring about exploits for them. Stuxnet’s exploits, which he said his team analyzed after the attack was exposed, were admirable. “The vulnerabilities themselves were really nice, and the exploit to take advantage of them was nicer,” he says. “They were not very easy to exploit.…” But to seriously develop attacks for industrial control systems requires access to special hardware and facilities for testing, and Bekrar says, “We don’t have such things and we don’t want to have such things.”
Subscribers to their exploit service have access to a portal, where they can shop a menu of existing zero days, or special-order exploits for a specific operating system or application. Exploits are priced at four levels, according to the brochure. Subscribers purchase a set number of credits, which can be applied to the purchase of exploits worth 1, 2, 3, or 4 credits. Each exploit comes with a description of the software it targets and an indication of how reliable the exploit is. Customers can also obtain real-time alerts any time a new vulnerability is discovered and an exploit is available. VUPEN monitors announcements from Microsoft and other vendors to see when a vulnerability one of their exploits attacks is discovered or patched, and alerts customers that the bug and exploit have been burned—sometimes with an announcement through Twitter.
Bekrar says his company doesn’t offer exclusivity on exploits but sells the same exploits to multiple buyers. The more an exploit is used, however, the more likely it will be caught, which would make it less attractive to an agency like the NSA, where stealth and secrecy are priorities. Bekrar insists that VUPEN works with only a limited number of governments, and says customers don’t use the exploits “in massive operations,” so there is “almost no chance” they will be widely deployed.
Bekrar, like Miller, has little sympathy for people who criticize the sale of exploits and has said in the past that software vendors created this government market for exploits by initially refusing to pay researchers for vulnerabilities they discovered, then refusing to pay top dollar, leaving them little choice but to turn to other buyers willing to compensate them for their work. He also insists, however, that he’s not in the exploit trade for the money. “We are not businessmen, we don’t care about sales. We mainly care about security, about ethics,” he said.
At the Pwn2Own contest, when Google offered to pay $60,000 for an exploit and information about a vulnerability the VUPEN team used against Google’s Chrome browser, Bekrar refused to hand over the information.[10]
He joked that he might consider it if Google offered $1 million. But later in private he said even for $1 million, he wouldn’t hand over the exploit, preferring to keep it for his customers. Asked if VUPEN’s customers had such money to pay for an exploit, he laughed and said, “No, no, no, no. Never.… They don’t have the budget.”
But he insisted his reasons for supplying to governments went deeper than money: “We mainly work with governments who are facing national security issues … we help them in protecting their democracies and protecting lives.… It’s like any surveillance method. The government needs to know if something bad is being prepared and to know what people are doing, to protect national security. So there are many ways to use the exploits for national security and to save lives.”
But critics argue that companies like VUPEN have no way of knowing where their exploits will end up or how they will be used, such as for domestic spying on innocent citizens. Bekrar acknowledges that VUPEN’s customer agreement doesn’t explicitly prohibit a government buyer from using VUPEN exploits to spy on its citizens. “But we say that the exploits must be used in an ethical way,” he says.
Bekrar says they can’t spell it out more specifically in the contract, because the legal agreements need to be general to cover all possible cases of unethical use. “For us it’s clear,” he said. “You have to use exploits in respect of ethics, in respect of international regulations and national laws and you cannot use exploits in massive operations.” But ethics, of course, are in the mind of the beholder, and Bekrar acknowledges that he has no way to control how customers interpret ethical injunctions. “My only way, at my side, to control this, is to control to which country I sell. And we only sell to democratic countries.”
Christopher Soghoian of the American Civil Liberties Union is one of VUPEN’s biggest critics. He calls exploit sellers like VUPEN “modern-day merchants of death” and “cowboys,” who chase government dollars to supply the tools and bullets that make oppressive surveillance and cyberwarfare possible—putting everyone at risk in the process.[11]
He acknowledges that governments would make and use their own zero days whether or not companies like VUPEN sold them, but says the free-market sellers are a “ticking bomb” because there’s no control over their trade.
“As soon as one of these weaponized zero-days sold to governments is obtained by a ‘bad guy’ and used to attack critical US infrastructure, the shit will hit the fan,” Soghoian told an audience of computer professionals at a conference in 2011. “It’s not a matter of if, but when.… What if a low-paid, corrupt police officer sells a copy of one of these weaponized exploits to organized crime or terrorists? What if Anonymous hacks into a law enforcement agency’s network and steals one of these weaponized exploits?”[12]
In 2013, initial steps were taken to try to regulate the sale of zero days and other cyberweapons. The Wassenaar Arrangement—an arms-control organization composed of forty-one countries, including the United States, the UK, Russia, and Germany—announced that it was for the first time classifying software and hardware products that can be used for hacking and surveillance and that “may be detrimental to international and regional security and stability” as dual-use products. The dual-use designation is used to restrict materials and technology (such as maraging steel used in centrifuges) that can be used for military ends as well as peaceful ones. Although the organization’s declarations are not legally binding, member states are expected to implement requirements for export licenses in their countries and cooperate with one another in controlling sales of dual-use products.[13]
Germany, a Wassenaar member, already has a law that effectively prohibits the sale of exploits as well as the practice of giving them away for free, something that security researchers do regularly among themselves to test systems and improve security. Lawmakers in the United States with the Senate Armed Services Committee introduced legislation in 2013 that calls on the president to establish a policy “to control the proliferation of cyberweapons through unilateral and cooperative export controls, law enforcement activities, financial means, diplomatic engagement, and such other means as the President considers appropriate.” But it’s unclear exactly how such controls would work, since zero days and other digital weapons are much more difficult to monitor than conventional weapons. Controls requiring export licenses for the foreign sale of exploits and the screening of buyers can increase the cost for legitimate sellers, but not all sellers are interested in legitimacy.
Furthermore, these kinds of controls are meant to keep exploits only out of the hands of criminals and rogue actors, such as terrorists. They’re not meant at all to curb government use of them for law enforcement or national security purposes. The thriving gray market for zero days makes it clear that law enforcement and spy agencies are anxious to get their hands on exploits like the ones that Stuxnet used—and are willing to pay generously for the privilege. That frenzied demand for zero days is only likely to grow, and with it, the number of state-sponsored programs that use them.
1. See Andy Greenberg, “Shopping for Zero-Days: A Price List for Hackers’ Secret Software Exploits,” Forbes, March 23, 2012. Zero-day vulnerabilities have become more challenging to find in recent years as the makers of some of the most targeted software programs have added features to make them more secure. Google and other companies have built so-called sandboxes into their browsers, for example, that erect a protective barrier to contain malicious code and prevent it from spilling out of the browser into the operating system or other applications on a machine. As a result, exploits that allow an attacker to escape a sandbox are valuable.
2. Charlie Miller, “The Legitimate Vulnerability Market: Inside the Secretive World of 0-Day Exploit Sales,” Independent Security Evaluators, May 6, 2007, available at weis2007.econinfosec.org/papers/29.pdf.
3. Author interview with Charlie Miller, September 2011.
4. Ibid.
5. Greenberg, “Shopping for Zero-Days: A Price List for Hackers’ Secret Software Exploits.”
6. Tonya Layman, “Rouland’s Tech Security Firm Growing Fast,” Atlanta Business Chronicle, June 11, 2011.
7. This and all quotes from Bekrar in this chapter are from an author interview in March 2012, unless otherwise cited.
8. From a press release titled “VUPEN Gets Entrepreneurial Company of the Year Award in the Vulnerability Research Market,” June 1, 2006, available at vupen.com/press/VUPEN_Company_of_the_year_2011.php.
9. The brochure is available at wikileaks.org/spyfiles/files/0/279_VUPEN-THREAD-EXPLOITS.pdf.
10. VUPEN had already won $60,000 from HP TippingPoint for the contest, but Google was offering an additional $60,000 on top of that to obtain information about the hole in order to fix it. The Pwn2Own contest generally requires contestants to hand over the exploit and information about a hole so that it can be fixed, but not for exploits that bypass a browser’s security sandbox, which is what VUPEN said its exploit did. The Google staffer accused VUPEN of showboating at the expense of users. “We’re trying to get information out of somebody so that we can fix it … [Without that information] it’s not about protecting users anymore, it’s about showing off. It’s good for stroking egos, but aside from that it doesn’t make the web safer,” a Google staffer told me.
11. Ryan Naraine, “0-Day Exploit Middlemen Are Cowboys, Ticking Bomb,” ZDNet.com, February 16, 2012, available at zdnet.com/blog/security/0-day-exploit-middlemen-are-cowboys-ticking-bomb/10294.
12. Ibid.
13. “The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies,” Public Statement 2013 Plenary Meeting, available at wassenaar.org/publicdocuments/2013/WA%20Plenary%20Public%20Statement%202013.pdf.