Exploits are an indispensable tool to hackers. They’re code that leverages a system’s vulnerabilities to give a hacker undue powers, enabling him or her, for example, to siphon and sabotage data. Using an analogy, exploits are like the rocket of a missile – a delivery system that’s harmless in and of itself, but necessary for delivering the payload. However, since exploits target system vulnerabilities, which can be patched, using an exploit brings about its obsolescence. Once defenders identify an exploit being used against them, they quickly work towards patching the associated vulnerability, thereby killing the exploit. Since different systems are managed by different teams, some of which patch their systems more slowly than others, an exploit doesn’t die all at once. It simply becomes increasingly unusable as system after system gets inoculated against it. The most powerful and valuable exploits are those which have never been used before, and against which systems are largely undefended. These are known as zero-day exploits.
Given their indispensability to hacking, exploits have developed into valuable digital commodities. They’re bought and sold by all sorts of actors – states and their associated organs, commercial firms, criminal groups, and rogue individuals. Depending on who’s doing the buying, these markets can be perfectly legal (white market), illegal (black market), or somewhere in-between (grey market). The white market consists of tech vendors, such as Microsoft and Apple, who pay bounties to hackers to identify vulnerabilities so they can be pre-emptively patched. You can conceptualize this market as the outsourcing of security testing, or, if not that, then an attempt to funnel hackers back towards legal activity. The black market is populated with the usual suspects: rogue hackers, criminal groups, and so on – people who want to buy exploits to victimize and unjustly profit off others. The grey market is the most interesting of the three and has long been a point of contention, existing in a space of fuzzy legality and ethics. It’s a space filled with government contractors who, acting with great secrecy, buy exploits to bolster their state’s capabilities. You can think of this as governments buying weapons from civilian mercenaries, if you will. Between the three markets, the white market brings exploits to light and increases overall cybersecurity, whereas the black and grey markets increase overall vulnerability, as various actors compete to acquire and weaponize exploits to their own ends.
These markets have existed since the late 1990s and are highly inter-reliant. At first the white market was the least competitive of the three. Software vendors valued protecting their reputations and consumers, but failed to appreciate the investments needed to adequately compensate bug catchers. Their bounty programs were rolled out belatedly and offered only marginal rewards. Hackers and security experts were slightly offended, and flocked to the grey and black markets where, by the early 2010s they could make ten times as much money selling to governments or criminals. The grey market was particularly attractive as it offered high profits without the risks associated with criminality. The market blossomed and optimism spurred innovation, leading to the emergence of firms that specialized in centralizing the sales process, buying exploits from individual hackers and reselling them to governments. In 2011 WikiLeaks revealed that a security firm named Endgame Systems had sold $2.5 million in zero-day exploits, mostly to American contractors. In the early 2010s, a firm named Vupen made waves by establishing a team of in-house researchers, becoming one of the first companies that could, in addition to buying from hackers, produce its own exploits internally. True to the times, they instituted a subscription model, where clients could purchase credits to be used across a menu of exploits.
Despite a strong demand for their product, the grey and black markets operate at an inherent disadvantage due to their need for secrecy. In the grey market, buyer-side secrecy is driven by the need to ensure that state adversaries don’t have a clear grasp of one’s cyber capabilities. For example, it doesn’t help the United States to advertise where it buys its cyber-weapons from. Individual hackers who sell on the grey market prefer secrecy because, even if grey-sales are technically legal, the hacking needed to develop sellable exploits might not be. This culture of secrecy creates a multitude of problems. How do you connect buyers and sellers if both require the utmost discretion? How do you facilitate sales in an international market that operates outside normal systems of accountability? The grey market responded with several adaptations. In addition to the rise of aforementioned firms, individual brokers emerged as conduits between hackers and buyers, taking a cut of whatever sales they facilitated. To illustrate the scale of their work, in 2012 one such broker, a Hungarian researcher called “the Grugq”, cleared approximately $1 million in sales on a 15% commission. Beyond using brokers, the grey market developed other adaptations to address the secrecy problem. It became convention for payments to be made in instalments, since, in a low-trust system, buyers needed confidence that hackers wouldn’t resell the same exploit to multiple customers – a process that would increase the chance of the exploit being identified and “killed” prematurely. Some entrepreneurs attempted to shift the exploit market away from the insular, network-oriented broker system. In 2007, ‘WabiSabi Labi’, a Swiss-start-up, tried to establish an online auction house for zero-day exploits. The project collapsed. Sellers were reluctant to demonstrate the efficacy of their exploits since, if they revealed too much, they’d risk accidentally giving away their product for free. This in turn undermined buyers’ trust in the marketplace, who had little recourse in case of fraud. The concept re-emerged in 2015 via a new marketplace, ‘TheRealDeal’, which instituted new anti-fraud measures. All payments were held in escrow and mediated through Bitcoin wallets that were jointly controlled by buyer, seller, and market admins. TheRealDeal’s low prices raised concerns that it was actually a sting operation, and the site mysteriously shut down soon after it opened.
By the mid 2010s, the grey market seemed to stabilize and formalize, with the expectation that it would be dominated by larger firms with in-house research teams, like Vupen. The auction houses had failed. Smaller brokers weren’t able to compete with the trustworthiness of larger brokers, and, above that, couldn’t customize exploits like them. Rather than compete with larger firms, individual brokers integrated into their supply chains, selling to them rather than selling directly to governments. While white market bounties had significantly increased, they still couldn’t match grey market prices. It seemed that the market had consolidated into a system where, unprecedentedly, small or medium-sized civilian firms would be the primary arms manufacturers for a class of warfare. The media took notice, leading to a public conversation about the ethics of this emerging system – about whether, for example, these firms were overly-opaque and under-regulated, and how states ought to legislate them to avoid morally questionable sales. These questions became particularly important after it was reported that some of these firms had sold exploits to repressive governments, which then used them to spy on dissidents or otherwise exert social control.
Yet, in a break from expectation, the grey market seems to be decaying. While it initially seemed lucrative, a 2017 study estimates that the market’s total size topped out at only between $4-10 million – less than what many tech start-ups can raise in a single funding round. A more recent study identifies maybe two dozen firms operating globally, with that number slowly dwindling. Part of this can be attributed to vendors’ increasing skill in patching vulnerabilities, which has made it more difficult and expensive to produce new exploits, causing the market to shrink over time. Costs have also been higher than anticipated, with the in-house development system turning out to be expensive to maintain. As of 2017 the average cost to develop an exploit is $30,000 in labour alone, plus overhead costs. Exploits typically sell for $50-100k, with some going for $150-300k, and while this may seem like a respectable profit margin, complicating factors come up. As a symptom of the market’s secrecy, firms develop exploits without any prior buyer commitment, meaning that exploits often go unsold, particularly given that buyers are understandably reluctant to articulate their exact needs. Exploit development, when it exists, is now typically offered as a service within firms that provide a larger menu of services. Given negative public perception, these firms often have to consider the risk of reputational harm. No firm wants to be called a digital merchant of death, which could alienate customers who buy more profitable services.
The prevailing trend is that, given the grey market’s disappointing performance, hackers are migrating towards the white market. White market bounties are still far below black and grey market prices, but software vendors have begun establishing more robust in-house security teams, providing more stable forms of employment while furthering diminishing the space for rogue exploit development. For example, in 2014 Google launched ‘Project Zero’, a team of security analysts devoted to discovering and reporting zero-day bugs both related and unrelated to Google’s products. Even Vupen, the once-darling of the grey market, shut down in 2015 so that its founders could launch a white market replacement firm: ‘Zerodium’. Meanwhile, individual grey market brokers, such as The Grugq, are finding themselves cut out of the market a second time. Integrating themselves into larger firms’’ supply chains may have allowed them to survive longer, but, with grey market margins getting tighter, remaining players are looking to cut brokers as a redundant layer.
Featured Image: Computer code. Via Pexels.com
Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.