Security companies and governments conspire to discover and hide software vulnerabilities that can be used as spyware vectors

The Electronic Frontier Foundation's Marcia Hofmann writes about security research companies that work to discover "zero day" vulnerabilities in software and operating systems, then sell them to governments and corporations that want to use them as a vector for installing spyware. France's VUPEN is one such firm, and it claims that it only sells to NATO countries and their "partners," a list that includes Belarus, Azerbaijan, Ukraine, and Russia. As Hofmann points out, even this low standard is likely not met, since many of the governments with which VUPEN deals would happily trade with other countries with even worse human rights records -- if Russia will sell guns to Syria, why not software exploits? VUPEN refuses to disclose its discoveries to the software vendors themselves, even for money, because it wants to see to it that the vulnerabilities remain unpatched and exploitable for as long as possible.

“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.

While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter million. But who exactly are these companies selling to? No one seems to really know, at least among people not directly involved in these clandestine exploit dealings. VUPEN claims it only sells to NATO governments and “NATO partners.” The NATO partners list includes such Internet Freedom-loving countries as Belarus, Azerbaijan, Ukraine, and Russia. But it’s a safe bet, as even VUPEN’s founder noted, that the firm’s exploits “could still fall into the wrong hands” of any regime through re-selling or slip-ups, even if VUPEN is careful. Another hacker who goes by the handle “the Grugq” says he acts as a middleman for freelance security researchers and sells their exploits to many agencies in the U.S. government. He implies the only reason he doesn’t sell to Middle Eastern countries is they don’t pay enough.

EFF calls out governments for trafficking in these vulnerabilities, rather than demanding their disclosure and repair. Any unpatched vulnerability puts every user of the affected software at risk. For a government to appropriate a vulnerability to itself and keep it secret in the name of "national security," rather than fixing it for the nation's citizens, is "security for the 1%."

“Zero-day” exploit sales should be key point in cybersecurity debate


  1. I have a house with ten doors. Each door has a coded lock from a different company. One company, not wanting to be liable for a break-in, and to prove their lock is superior, hires VUPEN to secretly come to my home to figure out a way to break at least one of the other nine companies' codes. VUPEN then sells the info to all ten companies, who may or may not employ a band of thieves or rapists.

  2. May I be the first to say, “DURRRRR!”

    Of course if you’re a terrorist and want to avoid all these vulns, all you probably have to do is run a web browser like Lynx.

  3. Have fun keeping Anon from burning down your house, VUPEN. You may know a list of vulnerabilities, but I bet you don’t know all of them. And you depend on your software too.

    1. What’s to keep Anon from finding their list of vulnerabilities and posting them to the world?

        1. I think your assessment of the capabilities of a bunch of script kiddies is extremely unrealistic.

  4. If I were a good software company, I think I would have some high grade in-house hackers to constantly try to exploit my software in order to know where the vulnerabilities are and not just wait for someone else to find out.

    1. Where will you find these hackers? Why will they come work for you? If they’re good enough to do that, they’re usually good enough to be consultants or work for a private security firm for a hell of a lot more than you’ll be able to pay them.

  5. I dream about a future time when the US has become wiser on internet security.

    In my dream, the CDC has a branch that handles the epidemiology of computer infection. The CDC collates infection rates and publishes meaningful metrics that allow us to judge the relative effectiveness of various programs of IT Security measures.

    A couple years ago, I doodled the outlines of those metrics at:

    In my dream, governments and ISPs have coordinated to isolate and reform any ISP that tolerates the insertion of spoofed source packets. Prolonged DoS attacks are a faint, distasteful memory.

    I dream that the US government refuses to do business with any organization that interferes with effective and timely disclosure of security vulnerabilities. Once the NSA started regularly disclosing all its known IT vulnerabilities, the world vulnerability marketplace collapsed.

    And a pony. In my dreams I’m riding a blue, hypo-allergenic pony.

  6. Just a fantasy but wouldn’t it be sweet if the CEO of VUPEN had their identity stolen as a result?

  7. Is anyone concerned about the obvious next step: governments using their influence and access to *inject* vulnerabilities and back doors? For all I know, the Patriot Act might make that legal. It might even gag the targets. (Putting in tinfoil hat now…)

    1. Stay where you are Citizen. A security detail will be with you shortly. Remain Calm and stay put. This is merely for your own protection.

  8. Here is what I don’t understand:

    Obviously, the assorted spooks inhabiting NATO enjoy having exploits with which to access various computer systems.

    However, it is widely asserted that hacks against the US and other NATO-bloc nations are a serious security issue (and, as a nation with major financial, industrial, and scientific endeavors online compared to most other countries capable of fielding hackers, this isn’t exactly implausible).

    Further, the routes for legal access to most domestic systems are already quite wide (CALEA, warrants, national security letters) and extralegal access probably wider still, and you don’t need an exploit if you have a warrant and a gun.

    Given these things, why are such entities tolerated? Sure, in the CIA’s ideal world, they’d have access to absolutely everything; but this isn’t their ideal world: they know that outfits like China have fairly sophisticated hackers, and even petty racketeers have script kiddies and basic virus kits. Surely it would be in their interest to promote computer security, no?

    An insecure system can be broken with an exploit, and all sorts of people have exploits. A secure system can be broken with a warrant or a gun and rather fewer people have those. It seems like even the most nakedly self-interested intelligence entities would prefer the latter case, given their access to warrants and guns…

    1. Hell, I broke my Gunny’s Officer Voting System password in 1990 merely by guessing what a man like him might use. I got it on the 14th attempt. Turned out it was “lesbians”. Nothing is as exploitable as personal knowledge.

  9. Remember, the governments of the world got software companies to embed detection algorithms to protect us from accidentally scanning banknotes, and got printer companies to add barely visible tracking information to every print. What makes you think they wouldn’t add government-accessible holes to their OSes?

  10. Ask your congressperson about this at the next townhall meeting and write to your congressperson in the meantime. Also email this article to journalists.

  11. The scariest part about all this is that people actually assumed that the government was on their side in the first place. Surprise!!??????

  12. Hold on. The only thing we have is the word of one scuzzy “security company” that they only sell to “NATO governments” and “NATO partners”, and you REALLY believe this scumbag?

    I wish the U.S. government was actually one of the customers. It would then be reported to the National Vulnerability Database and reported back to the firms that make the software. After all, security vulnerabilities hurt trust in the overall economy and make the nation weaker. Not something any government really wants to do.

    Nor are banks VUPEN customers. U.S. regulations require banks to share known security vulnerabilities with other banks and with the company that produced the software. That would hurt VUPEN’s bottom line.

    I doubt that VUPEN is selling these exploits to either governments or banks.
