
Kevin Mitnick Offers a Peek Inside the Cryptic Zero-Day Marketplace

The hacking legend is now offering zero-day exploits for $100,000 a pop. Take note, NSA.

Hacker hero/villain Kevin Mitnick's post-crime exploits now include running a pawn shop for zero-day exploits, i.e., vulnerabilities that exist in computer systems but are so far unknown to their developers. Provided you pass Mitnick's screening process and have $100,000 to burn, you can be handed the sort of information that, in the wrong hands, could open up a system for worms, Trojans, viruses, and really whatever else.


A zero-day exploit is basically an unlocked door to a computer system or network, one that the system's creator hasn't yet bothered to check. And finding these unlocked doors is big business.

A quick refresher on Kevin Mitnick. In the mid-'90s, Mitnick became a fugitive after hacking into Pacific Bell's voicemail computer system, a crime all the more damning given that he was already on a supervised release from prison for a prior offense. He was on the lam for two and a half years, a period in which he basically went wild, cloning cell phones to hide his location, stealing proprietary software from cellular phone and computer companies, swiping passwords, breaking into email accounts, etc.

His telling of the Pacific Bell hack, however, offers a slightly different, more benevolent story. "I became aware that the government was trying to put together another case against me, this one for conducting counter-intelligence to find out why wiretaps had been placed on the phone lines of a Los Angeles P.I. firm," Mitnick wrote in his "lost bio." "In my digging, I confirmed my suspicion: the Pacific Bell security people were indeed investigating the firm. So was a computer-crime deputy from the Los Angeles County Sheriff's Department. About this time, the Feds set up a criminal informant and sent him out to entrap me."


"What I did wasn't even against the law when I began, but became a crime after new legislation was passed," Mitnick noted. "I continued anyway, and was caught."

This is the sort of dude that reminds us of what hacking even is, someone that helped usher the "hacker" term itself from a word meaning someone that uses clever engineering to its modern pejorative sense. While images now so often show hackers as script kiddies launching wan DDoS attacks or wielding downloaded prefab hacking tools, Mitnick was a swordfisher, at least relatively speaking.

For one thing, he was a master social engineer, able to access systems usually with help from a small bit of carefully calibrated dialog offered to an unsuspecting system administrator. For hackers, one of the best ways to get access to a system is by simply asking for it with the right words. Mitnick called it a form of performance art, "getting people to do things they wouldn't ordinarily do for a stranger."

Eventually, his art landed Mitnick in prison for five years. Like Aaron Swartz over a decade later, Mitnick's conviction and imprisonment were held up as an instance of overzealous prosecution. He was being made an example of.

Since being released in 2000, Mitnick has unsurprisingly found success as a computer security consultant. He teaches social engineering to government agencies and tests systems for vulnerabilities among the world's most powerful corporations.


His newest venture is called Mitnick's Absolute Zero Day Exploit Exchange, which sounds like it might be found stenciled on the awning of a check cashing joint. It's here that Mitnick plans to sell his $100,000 a pop exploits, as well as buy them from developers. Sophos Naked Security notes that one might expect the NSA, a big fan of zero-day exploits—the agency had a budget of $25 million for buying zero-day flaws in 2013—to become a customer, along with various other deep-pocketed corporations and government agencies.

As for what his clients plan to do with their newfound exploits, Mitnick isn't interested. He told Wired:

"When we have a client that wants a zero-day vulnerability for whatever reason, we don't ask, and in fact they wouldn't tell us.

Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between."

He does note that his clients will be vetted, however, so ISIS need not apply. The activity is also perfectly legal and has become a bizarre high-dollar commodity. Mitnick certainly isn't the first to offer zero-day vulnerabilities on the open market.

A recent analysis found that boutique firms specializing in their sale are offering an average of 85 zero-day flaws on any given day. A single exploit retailer might sell 100 in a year, with individual flaws going for anywhere from $40,000 to $1,000,000 a pop. "Boutique vulnerability providers, such as VUPEN Security, ReVuln, NetraGard, Endgame Systems, and Exodus Intelligence, sell subscriptions that include 25 zero-day flaws per year for $2.5 million," notes Information Week.

This booming market is of particular concern to proponents of so-called bug bounty programs, in which companies like Microsoft and Facebook offer monetary rewards to security researchers that expose vulnerabilities in open-source software. These programs exist in part to combat the black market, revealing bugs before they can be repackaged as zero-day exploits for huge amounts of money. Unfortunately, that money provides a strong incentive to keep quiet about holes that could potentially affect your most private data, not to mention closely guarded trade secrets and proprietary code.

Mitnick isn't selling his exploits for nefarious uses, ostensibly, but the bug market exists to keep bugs hidden, in a sense. It's like if you're the captain of the Titanic and someone offers exclusive information about a gash in the hull. The gash affects everyone on the ship, but the captain now has control of the information that could save their lives if exposed. The captain could say no deal, but ignoring the gash (which might be repaired in our alternate history) risks the ship sinking and everyone drowning.

It's no wonder the zero-day flaw market is so flush.