Zero-Day Shop Opens the Floodgates for People to Sell Exploits to Governments

Dubai-based Crowdfense, which buys zero day exploits for iOS and a variety of other platforms, is trying to streamline the process of sourcing vulnerabilities.

Aug 9 2018, 7:49pm

Hacking is getting harder and harder. Today, gaining meaningful, remote access to an iPhone requires a string of several different exploits, likely developed by a team of individuals focused on different parts of the operating system.

Crowdfense, a Dubai-based company which buys exploits from researchers and then sells them to government agencies, is making it somewhat easier for people who may not usually sell exploits to get into the industry. Thursday, the company announced its so-called Vulnerability Research Platform, where researchers can submit and sell individual exploits, rather than requiring a full chain. It provides a web interface for researchers to communicate and coordinate their sale to Crowdfense. The idea is to streamline the acquisition and submission process, as well as draw in researchers who may not ordinarily sell to firms like Crowdfense.

“We are now dealing with researchers who are not on the market,” Andrea Zapparoli Manzoni, the director of Crowdfense, told Motherboard in an interview at the annual Black Hat hacking conference on Thursday.

Governments use exploits, and sometimes zero-day exploits—which use vulnerabilities not known to the manufacturer of the target software—in order to install malware on a device. Perhaps a law enforcement agency wants to deploy an implant onto an iPhone so as to intercept messages before they are encrypted, or to remotely turn on the device’s microphone.


Researchers develop these exploits and may then sell them to companies such as Crowdfense, who then sell them to government agencies. Crowdfense’s likely main competitor in this exploit-middleman space is Zerodium, another company that arguably led the way in using more public means to advertise its business. On its website, Zerodium says it does buy partial exploit chains; Zapparoli said Crowdfense buys individual exploits that may not be enough to compromise a device by themselves. That means more bug hunters may be able to get involved in the trade without the need for a more fleshed-out team behind them.

Whereas some companies that obtain exploits may evaluate, source, and communicate about the vulnerability over email, with Crowdfense’s new platform, researchers sign up, are presented with something that resembles a more traditional web portal, and provide a description of the exploit and related vulnerability. The portal includes end-to-end encrypted messaging and a tracking system so researchers can monitor the status of their exploit submissions. When researchers sign up, they only have access to their own list of exploits, so they can’t just create an account and then steal others’ vulnerability details.

Caption: A screenshot of Crowdfense's Vulnerability Research Platform. Image: Crowdfense

Zapparoli said Crowdfense has already received a wave of lower-level submissions as part of its normal acquisition process. Only about 5 to 10 percent of submissions are of top-level quality, he added. Naturally, Crowdfense will need to filter through those proposals manually.

Crowdfense also allows researchers to submit exploits anonymously, if they prefer, and the company does not buy exploits on an exclusive basis.

“It’s like a hidden layer of researchers,” Zapparoli said, referring to the pool of exploit developers he believes the company will attract.