Exploiting Privacy: Surveillance Companies Pushing Zero-Day Exploits
Private surveillance companies selling some of the most intrusive surveillance systems available today are in the business of purchasing security vulnerabilities of widely-used software, and bundling it together with their own intrusion products to provide their customers unprecedented access to a target’s computer and phone.
It's been known for some time that governments, usually at a pricey sum, purchase such exploits, known as zero- and one-day exploits, from security researchers to use for surveillance and espionage. While the focus has been on governments directly purchasing these exploits, it is equally important to highlight private surveillance firms role in the market of exploit sales.
In recent months, in the wake of new controls being agreed upon on the export of specific surveillance technologies, the debate around the sale and use of zero-day exploits has grown. Despite claims that new export controls have been introduced regulating the sale, zero-days remain uncontrolled.
The terms zero- and one-day exploits refer to the amount of time that a technology company has known about vulnerabilities in their system that could be exploited for an attack. Zero-day exploits are holes within a program that the company is not aware of, meaning that the vulnerability can be taken advantage of for a long period of time without the company's knowledge. For instance, zero-day exploits have been observed to remain unnoticed and unpatched for up to 10 months. A one-day exploit refers to a company only having just been made aware of the hole but it remains unpatched.
The sale of software flaws makes up a lucrative market, which can often land computer researchers prestige and money. When these vulnerabilities are identified, the knowledge traditionally has been sold to either the software company (in order to patch the hole) or governments (to better secure their systems, or exploit the hole as part of an attack). Security research is of course needed and legitimate, and strengthens the products we use every day.
However, with this latest development around on how zero-days are being used, it is important to look at how the surveillance market is integrating them into their products. We will look at documents detailing publicly for the first time a surveillance company's marketing strategy of acquiring the vulnerabilities from researchers, to be solely used to deliver their own product onto a target's computer, and selling the portal and the malware as a package to governments.
Surveillance companies and zero-day exploits
In Gamma Group's brochure advertising its FinFly Exploit Portal we see the company offering governments "access to a large library of 0-day and 1-Day Exploits for popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader and many more" solely for the use of deploying its own surveillance technologies.
By using the FinFly Exploit Portal, governments can deliver sophisticated intrusion technology, such as FinSpy, onto a target's computer. While it's been previously advertised that Gamma use fake software updates from some of the world's leading technology companies to deliver FinSpy onto a target's computer, the exploit portal puts even more power in the hands of government by offering more choices for deployment. Astonishingly, FinFly Exploit Portal guarantees users four viable exploits for some of the most-used software products in the world, such as Microsoft's Internet Explorer and Adobe's Acrobat programme.
The exploits Gamma sells takes advantage of vulnerabilities in internet browsers, file readers and other applications to deliver its product Finspy. Capitalising on the trust that users place in providers like Microsoft and Apple, malicious software delivered through the vulnerability could present itself as an update to iTunes, a .pdf file that could be of interest to you, or even a web page. All of this is a smokescreen, using the brands and services you identify with to lure you towards opening up your system.
Similarly to Gamma, Italian surveillance company Hacking Team also appear to provide zero-day exploits. Their 'Remote Control System' displays a lot of the same characteristics of Gamma’s product range, including intrusion onto a device and the harvesting of information. According to documents in the Surveillance Industry Index, contributed by Omega Research, Hacking Team appear to offer a zero-day exploit library to help with the installation of the Remote Control System onto a person’s device. Hacking Team have previously been involved in the targeting of Moroccan activists and Ethiopian journalists, and have been used in Azerbaijan, Egypt, Ethiopia, Kazakhstan, Malaysia, Nigeria, Oman, Saudi Arabia, Sudan, Turkey and Uzbekistan, amongst others.
Surveillance companies aren't the only ones selling access zero-day exploits. VUPEN security, a French-based company, sells exploits that enable surveillance companies to break the security features of a device, and provides access to "undisclosed vulnerabilities discovered in-house by VUPEN security researchers".
VUPEN works in a similar capacity to Gamma's Exploit Portal: money is paid to gain access to a secure portal where exploits are provided. VUPEN's database operates a user-friendly subscription service, just like the paywall behind LexisNexis and JSTOR. Except instead of news and academic articles, VUPEN provides vulnerabilities to some of the world's largest tech companies' products.
On the third page of a marketing brochure, VUPEN offers access to its "Threat Protection Program" for major corporations to be notified of any vulnerabilities discovered in their system. On page two, VUPEN advertises its "Exploits for Law Enforcement Agencies", where those same vulnerabilities are sold to law enforcement and intelligence agencies for use in their work. Two different approaches, one goal: making money for VUPEN.
In terms of whom VUPEN sells to, we have seen recently that the United States had purchased access to VUPEN’s exploit library. And there are some requirements to becoming a member to the exclusive VUPEN club:
- the customer must be an Intelligence or Law Enforcement Agency;
- they must sign a Non-Disclosure Agreement; and
- they must be a member of NATO, ANZUS or ASEAN.
However, the policy doesn’t seem to hold much water, as Citizen Lab appeared to discover VUPEN exploits being used to target a prominent blogger in the United Arab Emirates, who don't meet VUPEN's own purchaser requirements.
VUPEN were in Dubai last week for ISS World Middle East, a trade show for surveillance companies bringing them together with clients from across the Middle East. VUPEN's CEO gave a training seminar on "Zero-Day Exploits for IT intrusion (Computers & Mobiles)", teaching law enforcement agencies how their products can be used so that they can have access to computer and mobile devices.
Exploits are supremely valuable to security researchers, law enforcement agencies, governments in general, and surveillance companies. They have completely legitimate purposes and the research related to their development, especially vulnerability research, should be encouraged.
However, the possibility for abuse has lead to increasing calls for some kind of regulation into the industry that goes beyond mere self-regulation by the industry itself. These are difficult policy decisions; the factors and issues to be weighed are complex and challenging. It is indeed difficult to envisage a realistic form of regulation that can achieve the right balance. Privacy International firmly believes that export controls on exploits at the moment are not an appropriate response.
Understanding the current exploit market is key to informing this debate. Knowing who the developers are, who the customers are, how they are traded, and how they are used, is critical. This famously secretive industry needs to be exposed - a lack of transparency is bad news in any commercial sector. If self-regulation is indeed the only appropriate response to this burgeoing industry, then this transparency becomes essential.