Not a Product Endorsement: VPN
If you are in the market for a VPN product look no further than ExpressVPN, NordVPN or Surfshark. Even though I use one of these products, the reason for mentioning them is that Zerodium is offering Windows security researchers up to $2.5m for zero-day vulnerabilities that relate to IP address leak and remote code execution. In their post, they specifically excluded local privilege escalation. This implies that, to date, Zerodium has not managed to crack these functions.
What is a Zero-day vulnerability?
A zero-day vulnerability describes a vulnerability that was previously unknown to the security community. This means that anyone with this knowledge can compromise devices because no protection has been developed since no one is aware of the weakness.
What is a VPN?
A VPN from the three companies mentioned here allows a person to create a secure tunnel between their personal network and an endpoint belonging to the VPN companies. This tunnel is secure and any data flowing through the tunnel is encrypted. This means that communications cannot be eavesdropped. Another feature of VPNs is that the IP address of the person is not revealed; all traffic appears to originate from the VPN company. As these companies recycle their addresses, it becomes practically impossible to trace the communication back to the source. Additional measures further protect the identity and communications of those wishing to remain anonymous.
Why would anyone need a VPN? Anyone who doesn’t want their online activity to be eavesdropped. For example, in the USA service providers can (and do) spy internet traffic of their clients. They sell the data to advertisers.
Others may use a VPN to view content that is geographically restricted. For example, you would like to view content provided by Netflix in a different country from your own.
Others use VPN because their lives depend on it. Journalists, activists, whistleblowers and citizens in oppressed regimes rely on VPN to communicate and find out information. Some of these people know that if their activities are detected, their lives (and the lives of their families) will be impacted.
The way Zerodium’s shopping list was worded indicates that Zerodium and their clients are particularly interested in identifying who their target really is and what is their electronic activity.
An IP address leak vulnerability would allow a hacker to discover the network address of the victim. With a VPN they can only trace back to the IP address of the VPN company. A remote code execution hack could be used to install spyware such as keyloggers, screen grabbers, password stealers or other nefarious code on the target user’s computer. Once the Windows computer has been compromised, the hackers could hack other devices connected to the computer potentially discovering other individuals who interact with the targeted person.
Security Researcher Categories
When an ethical security researcher discovers a vulnerability they:
● Privately contact the company responsible for the software to inform them of the vulnerability
● Negotiate with the company a time window (typically 90 - 270 days)
● Before the time window expires the company would release a patch that addressed the vulnerability. Normally a CVE reference is assigned to the vulnerability.
● After the time window closes, the security researcher shares the vulnerability, how to reproduce it and the CVE reference it links to.
● If the company has a bug bounty program (many do), the security researcher would receive payment for having found and alerted the company.
Zerodium is a Washington DC based company that pays (unethical) security researchers for vulnerabilities. Zerodium does not make their client list publicly available, but after Israeli-based NSO Group suffered a data leak, Amnesty International reported that NSO Groups’ Pegasus software was used to identify at least 180 journalists in 20 countries between 2016 to June 2021. According to WikipediaThe software was used by countries such as Bahrain, USA, Saudi Arabia, Morocco, Palestine and India to hack phones of journalists and groups opposing the government. In Mexico, it was used by drug cartels and government officials in their pay to intimidate journalists.
Pegasus spyware would jailbreak an IOS or Android phone when the victim would follow a link received as a message. Once the phone is broken into, hackers gain full control of the device. The fiancée of slain Saudi Arabia journalist Jamal Khashoggi, his wife, son and other family members were all hacked using this software. His fiancée’s phone was broken into just four days before he was murdered.
Companies like Zerodium and NSO Group compete in this market for zero-day discoveries by paying higher fees compared to commercial companies. These companies have clients with deep pockets who are willing to shell out massive amounts for the ability to spy on their adversaries.
This model of buying security flaws to sell on for a profit is sleazy. Such companies use the age-old excuse that they vet their clients and that their clients are using the tools to fight heinous crimes such as child pornography and terrorist activity. Justifying their behaviour by looping in emotional and sensitive topics they hope to hide their true selves; they are mercenaries who are risking and killing others all to make a profit. According to Dave Lee writing on BBC News, unethical security researchers and these companies are nothing short of cyber arms dealers.
 Amnesty International. (2021). Massive data leak reveals Israeli NSO spyware used to target activists, journalists, and political leaders. [online] Available at: https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/.
 Wikipedia. (2021). Pegasus (spyware). [online] Available at: https://en.wikipedia.org/w/index.php?title=Pegasus_(spyware)&oldid=1054168070 [Accessed 9 Nov. 2021].
 Lee, D. (2016). Who are the hackers who cracked the iPhone? BBC News. [online] 26 Aug. Available at: https://www.bbc.com/news/technology-37192670 [Accessed 9 Nov. 2021].