Hacking For Sale: Lucrative Deals For Security Firms
AUDIE CORNISH, HOST:
We're going to hear now about a company that's part of a lucrative and shadowy market for hacking techniques. Its expertise is finding security weaknesses in everyday software - like the operating system that runs your computer - and selling its tricks to the highest bidder, which is often government agencies.
Reporter Andy Greenberg profiled one such company in this week's Forbes magazine, and he joins us to tell us more.
Hi there, Andy.
ANDY GREENBERG: Hi.
CORNISH: So you profiled this company is called Vupen, which one industry analyst firm called the entrepreneurial company of the year in vulnerability research. So what's vulnerability research? You know, what do these guys do?
GREENBERG: Well, there's long been this industry of what we call white-hat hackers. These are hackers that aren't breaking the law; instead, that - they're working legally, finding vulnerabilities in software and usually, helping the software companies to fix those vulnerabilities.
Now, what Vupen does, on the other hand, is to find these vulnerabilities and keep them secret and instead, sell them to government agencies - that's intelligence agencies, militaries, law enforcements - specifically to be used for spying on computers and smartphones; breaking into the same devices that you and I use.
CORNISH: Which is interesting, 'cause I actually thought that these big software companies held competitions for hackers before, you know, or tried to sort of woo these guys to their side. But you're saying that now, these same hackers are basically turning it into a business.
GREENBERG: Well, software companies are, in fact, holding these hacking competitions. But the prices that they generally pay day-to-day for this vulnerability information is only a few thousand dollars. And the hacking competitions, it can be as much as $60,000 for one exploit, one hacking technique. But what these companies are getting for keeping the exploit secret, and handing it over to government agencies instead, can be 10 or even 100 times that much.
CORNISH: And in the end, I mean, is what they're doing - I guess - new? Or is it just that - the way they're making money from it?
GREENBERG: Well, I'm not sure there's anything new about it, necessarily. I think what's really novel here is just that Vupen is willing to talk about the fact that they hack the same software that you and I use, and then sell that information to governments - and don't tell users how they're doing it.
One privacy researcher I spoke to call them the Snooki of this industry - in the sense that they're so shameless, that they sort of flaunt what they're doing in public.
CORNISH: Andy, you mentioned that government agencies are big customers of this information. You know, how did you confirm this? Who are these agencies, and what do they want to do with the information?
GREENBERG: Well, Vupen, who are the primary focus of this story, openly say that they sell to NATO governments and NATO partners. But that's a very long list of governments. And it includes countries like Burma, for instance, who are known to have not-so-nice human rights records. I've also spoken with brokers in this industry. And they say that NATO governments do pay the most, and that the U.S. is the biggest customer and pays the biggest prices for these hacking techniques.
CORNISH: But so far, no word yet from, you know, any of the government investigative agencies here in the U.S.
GREENBERG: No, none of them would talk to me about this, of course.
CORNISH: Andy, do you have an example of this expertise falling into - you know, I'll use air quotes here - the wrong hands?
GREENBERG: It's really, I think, impossible to know the source of any of these exploits. The whole market is so shadowy. But we can see easily that legal surveillance products often fall into the hands of repressive regimes. Just last year, Blue Coat Systems - this California company, which sell hardware used for surveillance - admitted that its hardware had ended up in Syria, where it was being used to spy on dissidents. And we all know that the Syrian government does very nasty things to those who are organizing the revolution against its government.
CORNISH: Andy, lastly, I mean, where are consumers left in all of this? I mean, do we have access to this particular world? What can we do, I guess, to beware of these things?
GREENBERG: Well, it's not at all clear that that these specific exploits are being used against consumers. These are intelligence agencies that are buying these zero-day exploits, and they're not necessarily using them against your mother - or somebody like that. On the other hand, it's a shame that these hackers, who are finding these vulnerabilities, aren't publicizing their research and helping to fix the software, make it more secure.
Instead, they're purposefully getting paid to keep these vulnerabilities secret so that they can be exploited. And I think we would all prefer that hackers work to preserve privacy rather than to profit from its destruction.
CORNISH: You're essentially saying that it would be a good thing for these companies not to be working with governments. But I mean, is that true? I mean, don't we want our - I guess - our government to be prepared in this quote-unquote, arms race?
GREENBERG: Well, that's a fair question, and I think we do want our government to be prepared. But I would rather just see all of us have more secure software. And, in fact, we could level the playing field in cyberwarfare simply by patching software, rather than trying to escalate it into this fight where everybody has the tools to crack everybody's machines all the time.
CORNISH: Andy, thank you.
GREENBERG: Thanks so much for having me.
CORNISH: Andy Greenberg - he's a technology reporter for Forbes. He spoke to us about companies that find and sell information on software security flaws.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR’s programming is the audio.