Crossroads Blog | CYBER SECURITY LAW AND POLICY

cyber attack, Cyber Exploitation, international law, IT security, Legislation, Privacy, regulation, surveillance

Exploit Sales: The Unnoticed Side of the Trade in Surveillance Technologies

The Issue

Last week, London-based surveillance watchdog Privacy International raised awareness of governments’ and private spyware suppliers’ engagement in an unregulated market that supplies them with intelligence on security flaws of widely-used software. Such exclusive knowledge about generally unknown vulnerabilities is a crucial part of any cyber eavesdropping operation. It allows the operator to access the target’s system and deploy the actual spyware, which conducts the surveillance measure, for example by remotely controlling the targeted device and exfiltrating data from it.

The Background

The kind of intelligence traded in the market, which Privacy International claims to be unregulated and untransparent, is known as zero- or one-day exploits. The blog post devoted a paragraph to this terminology, which reflects the time that the technology company has been aware of the security gap (i.e. the vulnerability) in their program (say Microsoft Internet Explorer or Apple Inc. Safari).  A zero-day exploit is information on a vulnerability that the responsible company is not aware of (and allows for taking advantage of it over a longer period of time, until the responsible company learns about its existence and patches it). A one-day exploit provides intelligence on a vulnerability that is known to the owner of the program but not yet patched.

As mentioned above, these exploits are an integral part of the overall surveillance or espionage solution that state or private actors (and increasingly cyber criminals, according to researchers of security company Sophos) employ. In order to apply the exploitative software that allows eavesdroppers to control surveilled devices and extract data, they need to be deployed and installed on the targeted system. Accordingly, so Privacy International, prominent spyware companies, including the Hacking Team (which we covered earlier this month) with its Zero-Day Library, offer such exploits along with the actual intrusion tools that they originally became known for.

The Implications

Last December, Privacy International already reported on how the dual-use (military and civilian) goods and technologies control list of the Wassenaar Agreement has been harnessed to implement the first export controls on spyware (also covered on Crossroads by Tara and myself). The regime was extended by two categories of surveillance systems, of which one is referred to as “intrusion software,” and exactly the kind of technology that uses zero- and one-day exploits for its deployment. Apparently, so Privacy International, while this spyware itself is subject to the newly implemented controls, the exploits that many surveillance technology providers offer along with it are not covered by the regulation. As a result, intelligence on vulnerabilities of common-use softwares, which allows spyware operators to access targeted devices and systems, can still be sold and traded to both, countries eligible to obtain the corresponding “intrusion software,” and states that are not alike.

Furthermore, Privacy International elaborated on another ramification of the lacking regulation. VUPEN security, a French-based company, offers access to its exploit database through a subscription service similar to LexisNexis or JSTOR. The scoop is that it serves actors with contradicting interests at the same time:

On the third page of a marketing brochure, VUPEN offers access to its “Threat Protection Program” for major corporations to be notified of any vulnerabilities discovered in their system. On page two, VUPEN advertises its “Exploits for Law Enforcement Agencies”, where those same vulnerabilities are sold to law enforcement and intelligence agencies for use in their work. Two different approaches, one goal: making money for VUPEN.

 

The Solution

Due to Privacy International, the complexity of the factors and issues affected by the implementation of (external) regulatory measures make it “indeed difficult to envisage a realistic form of regulation that can achieve the right balance.” Therefore, increasing awareness in order to inform the debate is key to get on top of the problem:

This famously secretive industry needs to be exposed – a lack of transparency is bad news in any commercial sector. If self-regulation is indeed the only appropriate response to this burgeoning industry, then this transparency becomes essential.

 

Leave a Reply