Former ‘Most Wanted’ Hacker Kevin Mitnick Is Now Selling Zero-Day Exploits


800px-Kevin_Mitnick_(4892570820)

Mitnick showing a keylogging device to a crowd in 2010. Credit: Eneas De Troya | CC BY



As a young man, Kevin Mitnick became the world’s most notorious black hat hacker, breaking into the networks of companies like IBM, Nokia, Motorola, and other targets. After a stint in prison, he reinvented himself as a white hat hacker, selling his skills as a penetration tester and security consultant.


With his latest business venture, Mitnick has switched hats again: This time to an ambiguous shade of gray.


Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception earlier this year, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.


And what will his clients do with those exploits? “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick tells WIRED in an interview. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”


Mitnick declined to name any of his customers, and wouldn’t say how many, if any, exploits his exchange has brokered so far. He won’t even confirm precisely when this year his stealthy new business venture began. But the website he launched to reveal the project last week offers to use his company’s “unique positioning among security researchers and the hacker community” to connect exploit developers with “discerning government and corporate buyers.”


As the zero day market has come to light over the last several years, freelance hackers’ sale of potential surveillance tools to government agencies has become a hotly debated ethical quandary in the security community. The notion of Kevin Mitnick selling those tools could be particularly eyebrow-raising; After all, Mitnick became a symbol of government oppression in the late 1990s, when he spent four and a half years in prison and eight months in solitary confinement before his trial on hacking charges. The outcry generated a miniature industry in “Free Kevin” T-shirts and bumper stickers.


Enabling targeted surveillance also clashes with Mitnick’s new image as a privacy advocate; His forthcoming book titled “The Art of Invisibility” promises to teach readers “cloaking and countermeasures” against “Big Brother and big data.”


“It’s like an Amazon wish list of exploits.”


He says his intended customers aren’t necessarily governments. Instead, he points to penetration testers and antivirus firms as potential exploit buyers, and even suggests that companies might pay him for vulnerabilities in their own products. “I’m not interested in helping government agencies spy on people,” he says. “I have a unique history with the government. These are the same people who locked me in solitary because they thought I could whistle nuclear launch codes.”


Still, the six-figure fees Mitnick names on his site are far more than most buyers would pay for mere defensive purposes. (Though his website names a minimum price of $200,000, Mitnick says that’s an error, and that he’s willing to deal in exploits worth half that much.) Companies like Facebook and Paypal generally pay tens of thousands of dollars at most for information about bugs in their products, though Google occasionally pays as much as $150,000 in hacking contest prizes.


Mitnick’s exploit exchange seems designed to cater particularly to high-end buyers. It lists two options: Absolute X, which lets clients pay for exclusive use of whatever hacking exploits Mitnick’s researchers dig up, and Absolute Z, a more premium service that seeks to find new zero-days that target whatever software the client chooses. “We have some clients that give us a menu of what they’re looking for, like ‘We’re looking for an exploit in this version of Chrome,’” he says. “It’s like an Amazon wish list of exploits.”


Mitnick is far from the only hacker to see an opportunity in the growing grey market for zero days. Other firms like Vupen, Netragard, Exodus Intelligence, and Endgame Systems have all sold or brokered secret hacking techniques. While the trade is legal, critics have argued that the services’ lax customer policies make it possible for repressive regimes or even criminals to gain access to dangerous hacking tools.


But Mitnick counters that he’ll carefully screen his buyers. “I would’t consider in a million years selling to a government like Syria or to a criminal organization,” he says. “Customers want to buy this information, and they’ll pay a certain price. If they pass our screening process, we’ll work with them.”


As an ex-convict, Mitnick’s entrance into the zero-day market may mean he’ll face extra scrutiny himself. From his teens to his early 30s, after all, Mitnick went on an epic intrusion spree through the networks of practically every major tech firm of the day, including Digital Equipment, Sun Microsystems, Silicon Graphics, and many more. For two and a half years, he led the FBI on a manhunt that made him the most wanted hacker in the world at the time of his arrest in 1995.


ACLU technologist Chris Soghoian, a vocal critic of the zero-day exploit business, used that criminal past to take a jab at Mitnick on Twitter following his announcement of the bug-selling brokerage.


Mitnick shot back: “My clients may use them to monitor your activities? How do you like them apples, Chris?”



No comments:

Post a Comment