Cyberwar (2016) s01e09 Episode Script

The Zero Day Market

They're security holes in a piece of software.
I could have made all the transmissions go to neutral for a million cars.
They're unknown to their creators.
You can find it yourself, you can hire somebody to find it, or you can be attacked.
It can be exploited for covert attacks.
Our ultimate goal is not to attack, but to defend.
They're coveted by hackers and spies alike.
We are going to bring the full array of US national power to bear to protect US interests and those of our allies.
But what do they want them for? They call them zero-days.
Hackers hunt for them, but most people have no idea what they are.
Put simply, a zero-day is a flaw in a specific piece of software, a vulnerability that the software company doesn't even know about.
That code could be running on everything from your iPhone to the webcam on your computer to the network protecting the Pentagon.
And if these holes aren't fixed with new code, hackers can design exploits, or figurative torpedoes, to attack the software.
Charlie Miller discovered one of the most mind-blowing zero-days in recent history.
He's a former NSA hacker and world-renowned security researcher based in St. Louis.
Back in 2015, he and a partner actually found a way to remotely hack into Chrysler models with a specific computer system, and they could do it from thousands of miles away.
And it wasn't just turning the music up or jacking the AC; they could seriously mess up a car on the road.
I got in touch with Charlie and asked him if he'd hack one of these cars while I was behind the wheel.
- I'm Ben.
- Charlie.
How's it going? So this is the car? This is it? Yeah, you ready to get hacked? Yeah! So what part of this car exactly did you target that was hackable? So this part right here, it's called the head unit, and that's the part that we actually hack.
The fact it's on the internet, and that we could talk to it, and there was a vulnerability that allowed us to actually get code running on it.
We could do it remotely, but we told Chrysler about it and they fixed it, so now you can't do it remotely anymore.
How long did it take for them to patch it? Well, first I told them about it, and for nine months they were working on it.
And then once we sort of publicized it, then they fixed it within a week.
So it was once everyone was really upset, they could fix it very quickly.
So now I'm physically plugged into the head unit.
Okay, so I can start showing you some stuff here.
What was the What was the, I guess, more dangerous thing you could do to the car with this particular hack? Probably the most scary thing we can do is when you come to a stop, we can make it to where then the brakes stop working, and then you'll start going again.
- So we're stopped - Yeah.
but now we're not stopped.
Oh man, I don't like that sound at all! Yeah, no.
So the brake pedal just doesn't go down.
Jeez! Alright, so you want to see some steering and stuff? Yeah, let's see some steering.
Okay, so get somewhere where we can go backwards.
So in reverse, you can Oh, yeah.
I can crank the steering wheel as much as I want.
- No hands.
- Yep.
That's safe.
Not really.
Is there ever a scenario where you think a hacker can get access to a vulnerability in a car that's connected to the internet that a million cars could just be turned off? I could have done that.
- Just like that? - Yeah.
Even if they were driving on the highway? I could've made them all all the transmissions go to neutral for a million cars.
So including cars that are going, you know, 100 miles an hour? Yes.
You know, obviously that wasn't my intent.
Right.
My intent was to just demonstrate that - It could happen.
- Right.
Car companies are so new to this, and most car companies you don't even know who you would contact to tell them you found a vulnerability.
But the crazy thing is that even when researchers do tell a car company about a security hole in their software, they're often scorned for discovering it in the first place.
When people complain about people like me who find vulnerabilities, they don't realize that we're not putting the vulnerabilities in the product, they're already there.
Reporting the bugs is what gets them fixed, and that's the good thing.
Do you find it ridiculous that companies won't pay for them? Like Chrysler didn't give you anything, right? No, I didn't really expect them.
I think it's more ridiculous when huge companies that have been doing this for a long time and they've got a billion dollars in the bank and they tout their security, that doesn't make as much sense to me.
Like I was a consultant for many years, and companies would pay me to come in and find vulnerabilities for them, and it's hard, right? If it wasn't hard, they would find all the vulnerabilities themselves right? I feel like I worked really hard.
I should maybe get something for that.
Charlie Miller didn't get a dime for his exploit, but a year later Chrysler changed its policy.
It became the first major car company to introduce a bounty program for hackers who find flaws in its software.
And it's not just the Chryslers of the world who are willing to pay for them.
Zero-days can be worth a lot of money to a software vendor and the security companies who want to patch the holes.
At the same time, they can be sold through private brokers for upwards of half a million dollars to spy agencies or other covert operators who use them for surveillance or sabotage.
- How you doing? - Good.
My career as a professional penetration tester, with those skills, obviously I could have been robbing banks and taking the money, as opposed to being hired by the banks to see how they could be robbed, right?
Katie Moussouris is a security researcher who created Microsoft's first bug bounty program in 2013.
She's based in Seattle, but I met her in Vancouver where she was attending a security conference.
People usually like to define them in terms of white market and black market, but black market actually implies that the trading is illegal.
And right now, it's not illegal to trade zero-days or exploits.
So I usually talk about them in terms of defense market and offense market.
And do you think then that bug bounties are the answer? Do you think hackers, when they find this stuff, they should be disclosing to the company? Well, my goal with creating bug bounty programs is really about giving hackers more opportunities to not just turn it over to defense, but also make money at the same time.
So they don't have to make a choice, "Do I do the right thing or do I make money?" They can do the right thing and make money.
All software contains vulnerabilities.
It's just a fact.
There are three ways you can learn about it.
You can find it yourself, you can hire somebody to find it - or pay a bug bounty if someone finds it - or you can be attacked, period.
At the CanSecWest conference in Vancouver, hackers are invited to find new ways to break into widely used software, like Safari and Adobe Flash.
Here at a competition known as Pwn2Own, the teams face off for nearly half a million dollars in prize money.
Some teams have been working for months in advance, developing and testing their exploits.
The flaws they find will be disclosed to the vendors so they can be patched.
Whitey, I'm Ben.
I met up with a volunteer named Whitey who agreed to show me around.
Pwn2Own.
So is one of them going down right now, right here? Yeah, yeah, so this is it's actually starting out now.
I gotta watch this.
We have Tencent Security Team Sniper.
This is KeenLab and PC Manager.
The target is Adobe Flash with system.
These guys are trying to break into a computer using their zero-day exploit for Adobe Flash.
That was really That was really weird! You know, it's kind of like architecting a program, and then getting that one shot to run it and make it run perfectly, and they just did that.
And you know, it might seem anticlimactic.
It's definitely not hacking that you'd see in a movie, stuff like that.
Oh no.
But this is this is the real thing.
And yet what they just did could, like you said, end a company? Oh, it could end a company, it could wreak havoc, you know, across the internet.
Tencent Security Team Sniper was eventually declared the Masters of Pwn.
The Shanghai-based researchers who work for China's biggest internet company won this ridiculous smoking jacket.
They also collected more than $142,000 in prize money.
I met up with them after a super tame hacker wrap party.
So you won Pwn2Own.
How does that feel? - Pretty good.
- Yeah.
- Relaxed now.
- You're relaxed now? Were you not relaxed before this? The day before, no, very nervous.
Could you have sold those zero-days to somebody else and gotten more money? And if so, why didn't you? So somebody actually approached you guys during CanSecWest to pay for some of the exploits you had? Who were they? And you didn't do it? You didn't want to do it? Now, the ones you found, the zero-days you found, what do they affect? For the rest of the year, if you find zero-days, what do you do with them? And you report it?
I'm in Vancouver for a computer security conference, but what I'm really after is more intel on shady zero-day markets.
People here tell me I should speak with Emerson Tan.
He's worked for a major government contractor, but he's also been a part of the hacking community for years.
Tan is a self-described recovering dark lord, at least according to his LinkedIn profile.
I hear you have some questions.
I want him to show me what the market place for these exploits really looks like.
So can you buy exploits on the black market? Online, dark web? Well, it depends what you mean.
So exploits, as you know, come in a couple of different flavours.
There are the ones that have already been patched, and then there are the 0-days.
You wouldn't buy If you were a criminal, you wouldn't bother buying 0-days.
No? They're very, very expensive.
It costs a huge amount of money to test them to make them reliable.
If you're a criminal, you just want the thing that works, and for the lowest cost for the maximum return.
Let's see it, what's it look like? Let's have a look at like a real forum.
It's the world's worst web design.
It's really cheap and cheesy, and they don't care.
So you can go on there, you buy an exploit.
Usually that's an exploit that hasn't been patched? No, it has been patched.
- Or has been? - It has been patched.
What you have to remember is is that huge numbers of people around the world do not patch their systems, do not patch their software.
Especially given that a huge amount of the software out there is not legally bought.
It's all It's all stolen, it's all nicked.
That stuff never gets updated.
So in that way, you still have a huge attack surface? Yeah, thous millions, millions and millions and millions and millions and millions of people.
I mean, like, the this is brilliant.
This is an Android phone, it's my Android phone.
People put all their personal details and stuff on there, you know, everything you need to go and steal their identity.
- Mm-hmm.
- It's brilliant.
But in terms of zero-days, there is no site where you can buy a zero-day? I mean, I'm sure they exist, but to be perfectly honest with you, if you were if you were a researcher and you really wanted top dollar, you wouldn't bother with these open market places.
You'd go and talk to a broker.
I mean, the thing is every this community is tiny.
They all know each other.
So brokers know the spies, the criminals, and the researchers.
Yeah, and the researchers.
And then depending on where you are in the world, you know, that's the community that you sell to.
It would be very, very odd for example for, you know, like a Russian researcher to try and sell to a broker who is I don't know, working for the Americans.
You know, in somewhere like China or Russia, selling to the opposition will get you a visit from some men in very ill-fitting leather jackets, maybe with a hose or a baseball bat.
Right.
Have you ever dealt with an intelligence agency? We'll shuffle that question off to the side.
I can neither confirm nor deny, which is Beltway speak for some answer other than no.
So here's the weird thing though, is that almost everybody has done it at some point.
If you ever meet anyone who says they're whiter than white, they're lying.
One of the reasons that researchers are so easily tempted to sell zero-days to spy agencies is that governments are willing to pay a high price just so they can hack specific targets.
Finding a zero-day can also earn you a big payoff from software companies who buy them in order to patch the holes in their products.
Apple recently announced it would pay bug bounties that ranged from $25,000 to $200,000, depending on the vulnerability.
Some bug hunters do that work as a side gig, but a select few can actually earn a living finding zero-days.
Mark Litchfield is a professional bug hunter who says he's earned hundreds of thousands of dollars in bug bounties over the past few years.
I headed to the gated community outside of Las Vegas where he lives and works.
Oh my.
Wow.
He's got that baller, gated community life.
Hello.
How you doing? Hold on a minute.
No problem.
They say no, the association say no, no cameras.
You can't go back there unless you get it cleared with them, and I don't think so.
We should've just showed up in a golf cart.
What do they think we're doing? Do you remember when the White House and the FBI were easier to shoot in?
We didn't manage to penetrate the perimeter of Mark Litchfield's gated community, so we met Mark and his wife, Carly-Lynn, at a nearby restaurant.
Hey, Mark.
- Hey mate, how you doing? - How's it going? Nice to meet you.
Sorry for all that trouble.
Hey, no problem.
How was the trip? - I'm Ben.
It was good.
- I'm Carly, nice to meet you.
Nice to meet you.
Yeah, it was good.
I didn't realize it would be that secure.
That's a gated community, I guess.
Yeah, it was they brought the whole, like, golf cart brigade onto us.
Yeah, they actually come up to the house.
I half expected them to be armed, but I don't think they were.
So is it tough to make a living off of finding zero-days? You seem to have a pretty good lifestyle here.
Yeah, I do okay.
What's the most you've ever gotten paid for one zero-day? One of the bug bounty programs is $15,000.
Just for one? Just for one, yeah.
Okay, so let's say you're doing your thing in your house, and you find a zero-day in a particularly large user base software.
Okay.
What do you do with it? Do you report it? Interesting question.
The first reaction would be yes, report it, absolutely.
But the second part of this is with everything that's going on right now, my personal view on this is some states could make better use of this bug than just giving it to the vendor.
So what do you mean by what's going on nowadays? ISIS, you know, North Korea, so much crap going on.
If an opportunity came my way whereby I could give a zero-day vulnerability to an agency, whoever, someone that could use this, then I would absolutely give it to them and not report it.
Have you ever done that before? Have you ever sold a zero-day to a government? No.
If you did sell to a government a zero-day, would you tell me? No.
A good poker face for a guy who lives in Las Vegas? I don't play poker.
Unpatched flaws in software can be used to hack into almost anything that runs on code, from a smartphone to a car.
Those flaws, known as zero-days, are bought and sold to companies and governments.
The US sometimes uses zero-day exploits for attack purposes, but there are also official guidelines about when they're supposed to be disclosed to the software vendor.
The rules are an attempt to balance the public's interest in protecting internet safety and the government's interest in acquiring intelligence.
So you can certainly imagine that if we discovered that and learned about a vulnerability in, say, a piece of software that was either widely used within the US government, our allies, or within our critical infrastructure, that it might be in our interest to actually purchase it so we can make sure that there was a patch for it.
I went to Washington to meet with Michael Daniel.
He's the Cybersecurity Coordinator in the Obama administration.
And when does, say, the NSA sit on a vulnerability? If you sort of look at those criteria for disclosure and imagine the inverse, right? That you've got a situation where we have a vulnerability that's in a very limited set of software or hardware that's not used very broadly, that might be frequently employed by our adversaries that would provide us a unique access that we can't get any other way, those are the kinds of things that we would retain.
Michael Daniel wouldn't get more specific about the type of zero-days the government holds onto, or the number.
What I can say is that, you know, we are going to bring the full array of US national power to bear to protect US interests and those of our allies.
But not everyone is comfortable leaving it up to the US government to judge what to do with a zero-day.
Chris Soghoian is a privacy activist who tracks the zero-day market, and he's been sounding the alarm for years.
Why are you so critical of companies that are selling zero-days to the US government or any government? You know, I really feel that there should be a public debate around the government's role in the zero-day market.
I've been really bothered by the fact that for five or 10 years there's been a conversation in Washington, D.C. about cybersecurity, but this was a missing piece.
And this is an essential piece.
Who are the US government agencies targeting when they're using zero-day exploits? You know, it really depends.
So for the NSA, that could be foreign leaders.
It could be foreign corporations who have information that the US government believes is of national security interest.
It could be terrorists.
On the law enforcement side, the FBI has attempted to hack people who have downloaded or shared child porn, people who have called in bomb threats to schools.
It really runs the range of the most horrific and serious crime to things that are, you know, sort of teenagers making prank calls at home.
Because I guess that's the thing though.
It's easy to be very critical of it because it sounds on the surface pretty malevolent, but then there may be instances where a zero-day is used to hack into a terrorist's computer.
It's the classic argument, right? I'm less focused and less interested on who they use it against, and more on what are the side effects of the government's acquisition and stock piling and use of that vulnerability or that exploit.
A couple years ago, protests in Ferguson happened, and Americans wake up to their morning newspapers showing photographs of armoured personnel carriers, police wearing camouflage, holding machine guns, and realizing that suddenly their law enforcement has become militarized.
They got to see the trickle-down effect, where technologies that are designed for the military and the intelligence community eventually trickle down first to the Feds, then the state and local law enforcement agencies.
And this has happened with armoured personnel carriers, it's happened with tear gas, it's happened with SWAT teams and drones and license plate readers, and it will almost certainly happen with zero-days.
And when you give those tools to people who are going to be operating them without much training and without much oversight, you know, we're going to see abuses.
We're gonna see police officers spying on their ex-spouses, or their next door neighbour who's pissing them off.
I don't think that America is ready for local cops to be hacking into computers, but we are definitely on our way there.
But it's not just the local cops.
Spy agencies and hackers everywhere want them, and they're not just for surveillance.
They can be weaponized to take over any physical object running on code, from a cellphone to an SUV to a power plant.
And that means that if zero-days fall into the wrong hands, they can be real threats to your privacy, individual freedom, and even personal safety.
But as it stands, there's no real consensus on whose hands are the wrong hands.