underworld-type) can gain access to them.”
Dominic White from SensePost, information security specialists, says that although it is near impossible to know whether exploits are being sold in SA, “it wouldn’t surprise me if there were local people looking into it”. Potential candidates would be the military or cyber warfare research units. If these groups were participants in the market for exploits, however, this would be kept strictly confidential. According to The Economist, criminal and terror groups purchase exploits on more than two dozen illicit forums or, alternatively, from at least a dozen secret brokers.
One broker who is not so secret is in fact a South African hacker based in Bangkok, and who refers to himself as ‘the Grugq’. In an interview with Forbes, the Grugq revealed that he has been supporting his salary as a security researcher by acting as a broker for high-end exploits, connecting hackers with buyers (most of them, he claims, working for governments).
The Grugq reportedly takes a 15% commission on sales and earned more than $1m from deals last year – bringing in a cool $250 000 from his government buyers in December alone. Yet for those who develop and sell their own exploits – instead of merely playing middleman – there is far more loot to be made. “Zero-days [the most highly valued exploits] can fetch big bucks in the underground economy… often the potential payoff determines the level of pricing, so the sky is the limit,” Symantec’s Brown explains. “It was estimated that an Internet Explorer or Chrome vulnerability would cost $80 000-$200 000 when sold to government agencies.”
Seduced by the scent of sublime profits, several companies already specialise in this opaque trade. One of the best known, and perhaps most loathed, is a French firm called Vupen, which was named by Frost & Sullivan as the 2011 Entrepreneurial Company of the Year in vulnerability research. According to analysts at Frost, Vupen’s clients pay up to $100 000 annually for a subscription plan, which gives them access to the firm’s techniques. And a single technique from its catalog reportedly costs far more than its six-figure subscription fee.
To the dismay of many who see exploit trading as inherently evil and extremely dangerous, Vupen peddles its potent product to multiple government agencies, positioning customers against each other in an increasingly high-stakes game of cyberspooking. Many worried onlookers are calling for legal intervention, but as Stefan Tanase, Senior Security Researcher at Kaspersky Lab, points out, this would be extremely difficult to do. “There is no law that forbids buying and selling exploits, because ultimately, computer code is a piece of knowledge,” he explains. “In most cases, those who write the exploits have no idea how they will be used. It’s like having a kitchen knife – completely legal, but a lethal weapon when placed in the wrong hands.” Whether the law intercedes or not, one can surely expect the somewhat sinister trade in exploits to get more sophisticated – and more lucrative – over time.