"One iPhone hack, please." "Gladly, that'll be two million dollars."
Security holes are a much sought-after commodity especially those still unknown to the security community. As there is no defense against these attacks, they're fittingly called zero-day exploits with zero being the number of days software developers have to provide a fix. They are the perfect attack vector to distribute malware, steal data or sabotage computer systems - and there's a global market for them!
Aside from faceless hackers on the darknet who prefer anonymous Bitcoin transactions in exchange for exploits, there are also security companies that quite openly offer "advice and inspiration". Then there are exploit brokers who will act as intermediaries and are known for their discretion. They have long lists of, so far, undiscovered exploits that cover anything from Flash to Android, MS Office and MacOS. It's easy to picture a bidding war between potential buyers whoever that may be. Once the knowledge has been bought, existing malware is simply modified to target new vulnerabilities - or the ready-to-use program is purchased right away! Naturally, there's is no guarantee how long a vulnerability will remain unfixed (maybe the software developer is already in the know) so buyers may have ultimately spent large sums for nothing. What is shocking though is that, on average, vulnerabilities remain exploitable for a whopping 7 years.
Here's what it looks like in practice: a hacker discovers a vulnerability that allows for execution of malicious code in a popular program, a PDF reader for example. Or they notice a security flaw in a web-based application (like a login page) that exposes the underlying database and allows access to customer data. This is often achieved by inputting special commands instead of valid login credentials since many systems aren't properly hardened. Big online stores, banks, government sites and well-liked programs across operating systems are all equally popular targets - as they mean either big money or sensitive data.
It's usually not lonely nerds in their basements that find new exploits, that's a rarity and a common cliché. Today, bug hunting is a highly professional business with entire teams picking apart program code, trying out new attacks and systematically hunting down weaknesses. Once successful, they can either sell their findings directly or fall back on brokers. Currently, there's no law that forces them to disclose their information for the public good. Naturally, the bigger the user base, the better the pay. Exploits for Firefox pay more than vulnerabilities in some niche application. Apart from Chrome, iOS and Windows are considered the major league and prices for such exploits can quickly climb up to seven-figure sums.
These days, prices are always rising anyway since weaknesses are increasingly harder to find. If you looked at past browsers or operating systems today, you'd seriously wonder why not all computers were infested with viruses back then as the software was that poorly designed. Nowadays, gaping holes are rare since companies are ramping up their security with strict quality checks for every piece of code. They know mistakes not only result in waning customer trust but may also lose them millions on the stock exchange. For vital code, companies may also hire outside agencies that legally employ hackers to track down bugs in their products. Only when they give the go will the software get published. But despite all security procedures, there's only one certainty: errors will be made - and found.
There's no shortage of buyers and they also include affected companies or security software developers, naturally. Likewise, criminals seeking to distribute malware or to make a quick buck are also among the bidders and so are intelligence agencies all over the world that would just love to use the vulnerabilities to their own ends. After all, knowing how to sneak surveillance tools into browsers can have strategic advantages especially since the Internet is also used by political opponents, terrorists and criminals. Others may think more defensively and purchase knowledge about vulnerabilities to fix them before an attack happens. The German Federal Criminal Police office bought a complete suite for €147,000 that not only included a zero-day exploit but also the software to use it. It's a bit surreal that they didn't purchase the code itself but a 1-year license. Germans are such orderly people!
Activists have long been clamoring for a legal obligation to disclose vulnerabilities especially for government institutions. For example, US intelligence agencies are known for having a wide range of exploits at their disposal - and for making good use of them to circumvent and neutralize encryption methods and security systems of their opponents. Then again, they also knowingly expose the public to a significant threat. Whether brokers sell the same exploit multiple times or vulnerabilities are rediscovered by others, billions of systems remain insecure because of secrecy. In many instances, malware programs simply exploited what the government already knew for quite some time. So does government-funded cyber warfare outweigh public security? What do you think?