Malware-Industrial Complex: how the trade in software bugs is weaponizing insecurity

Here's a must-read story from Tech Review about the thriving trade in "zero-day exploits" -- critical software bugs that are sold off to military contractors to be integrated into offensive malware, rather than reported to the manufacturer for repair. The stuff built with zero-days -- network appliances that can snoop on a whole country, even supposedly secure conversations; viruses that can hijack the camera and microphone on your phone or laptop; and more -- is the modern equivalent of landmines and cluster bombs: antipersonnel weapons that end up in the hands of criminals, thugs and dictators who use them to figure out whom to arrest, torture, and murder. The US government is encouraging this market by participating actively in it, even as it makes a lot of noise about "cyber-defense."

Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered. “As long as Apple or Microsoft has not fixed it you get paid,” says Soghoian.

No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok, Thailand-based security researcher who goes by the name “the Grugq” has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe. In a discussion on Twitter last month, in which he was called an “arms dealer,” he tweeted that “exploits are not weapons,” and said that “an exploit is a component of a toolchain … the team that produces & maintains the toolchain is the weapon.”

The Grugq contacted MIT Technology Review to state that he has made no “public statement about exploit sales since the Forbes article.”

Some small companies are similarly up-front about their involvement in the trade. The French security company VUPEN states on its website that it “provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions.” Last year, employees of the company publicly demonstrated a zero-day flaw that compromised Google’s Chrome browser, but they turned down Google’s offer of a $60,000 reward if they would share how it worked. What happened to the exploit is unknown.

Welcome to the Malware-Industrial Complex [Tom Simonite/MIT Technology Review]

(via O'Reilly Radar)

  1. First of all, software bugs affect us all.

    Second we should not reward “researchers” for finding and then extorting cash for bugs.

    Third, your government is making you LESS safe by supporting a trade in malware. This costs more in the end due to all the insurance, fraud and organized crime, but hey who cares about externalities, we just want to bag the bad guy!

    1. “First of all, software bugs affect us all.”

      It’s worse than that: Software bugs affect people who depend on software, and dependence on software is something that increases massively as the complexity of your modern infrastructure increases.

      By contrast, software attacks, while not free, are cheap enough to be within the capabilities of even fairly feeble nation states and assorted private actors, and it is (comparatively) easy to scale your attack capabilities with nothing more than nationalism and petty cash.

      For the US to act in a way that decreases computer security for everyone would be like the US acting in a way that decreases the strength of concrete for everyone. Yeah, sure, that will make busting a few bunkers easier; but it will also cause massive costs and damage across large swaths of our own infrastructure. Not a good trade-off. 

      If software bugs affected us all equally, paying for exploits rather than fixes would still be quite likely to be a zero-sum game; but that would be a hell of an improvement over the actual state of things, where it is a negative-sum game that we (along with other high-infrastructure populations) cannot possibly hope to even lose less than the other guy does.

      1. So what exactly is the up-side of the US government not buying zero-day vulnerabilities? It makes it a bit cheaper for everyone else? Sellers can earn a little less? The DoD can buy an extra drone instead?

        A non-lethal arms race sounds like a huge improvement on the last one.

  2. It’s an interesting world out there, all right.  I recently closed on a mortgage and used an online broker thinking, “Well this will be fun, I *love* docusign :D “.  Turns out they had their own proprietary client-side Java applet, and for all practical purposes I could only exchange PDFs with the loan technicians and underwriters.

    The reason I mention this is even though there are super sekret zero day vulns that none of us mere mortals know about, there are an order of magnitude more that we do know about–in client side Java and Adobe reader.  Want to pwn a mortgage company that resells loans to the largest financial companies in the world?  Apply for said loan, and embed something interesting.

    So do I have answers for what to do, general answers that help the broader community and not just one (slightly contrived) example?  Sure.  Lots of us in this space have answers.  The downside is they are modestly complex, not entirely free, and slightly hostile to users who don’t care for technology; but most of all the right answers take work and vigilance, which don’t usually lend themselves to ‘set and forget’.

    Anyway, happy 2/14!!  

  3. All the more important that we create and program our own systems.  Sounds hard, and it is, but viruses in nature and software alike are only capable of activating in a specific ecological niche.  We’ve been a little lazy with the generation of heterogenous systems, so the niches we have are large and everywhere.

    I’m going to set my kids the task of creating a new operating system on their Raspberry Pis this weekend, or no allowance.  And they’re grounded.

  4. viruses that can hijack the camera and microphone on your phone or laptop; and more — are the modern equivalent of landmines and cluster bombs: antipersonnel weapons that end up in the hands of criminals, thugs and dictators who use them to figure out whom to arrest, torture, and murder.

    Holy hyperbole Batman! 

    Landmines and cluster munitions kill indiscriminately long after conflicts have ended and the originators have disappeared off the map. 

    Malware depends on other actors to cause physical damage. It isn’t a landmine so much as an informant. 

  5. Technically, this is a “military-malware complex.” A malware-industrial complex is one where companies pay bug bounties to researchers. The military one makes everyone less safe, the industrial one makes us all more safe. 
