Critical zero-day vulnerabilities that affected certain industrial control systems used in nuclear power and water plants can be purchased for as little as $8,000 on the black market.
In marked contrast to major vulnerabilities affecting the likes of Apple’s iOS, which can sell for up to a million dollars, flaws that can be exploited in SCADA (supervisory control and data acquisition) boxes installed at facilities such as water plants and nuclear power plants can be purchased for under $10,000, according to Yuriy Gurkin, a Russian businessman who sells them.
Forbes reports that Gurkin, a Russian national, is the head of Gleg, a company based in Russia that amasses, researches and then resells SCADA zero-day vulnerabilities. The company’s tools are also integrated into Canvas, a commonly used penetration testing tool.
An “exploit pack” sold by Gleg called SCADA+ researches and collects all publicly available zero-days from SCADA vulnerabilities before making them available for sale in one place. For just $8,100, users get access to a Canvas licence plus the vulnerabilities for an entire year.
Gurkin adds that at least one or two zero-days are added to the pack every month. A quick look at the update page for the pack shows a number of zero-days, including those affecting Panasonic configurations, D-Link routers and a Siemens Automation framework that’s vulnerable to a DDoS (Distributed Denial of Service) attack, among other vulnerabilities.
Gurkin told Forbes that he occasionally sells the pack privately but refrains from selling it to any governments.
“We do not conduct any research aiming to control SCADA systems; we just write exploits for vulnerabilities for the Canvas framework.”
Canvas is designed to ultimately fix weaknesses and is a product developed by Immunity, a U.S. firm founded by former NSA computer scientist Dave Aitel in 2002.
The Inherent Danger of Vulnerabilities in the Wrong Hands
There is always the risk of vulnerabilities falling into the wrong hands, where the zero-days going into Canvas are reverse-engineered and tweaked for more nefarious purposes. However, Aitel points to just one incident in the past where a customer tried to misuse the product but was foiled before doing so and was found out soon enough.
There is no evidence confirming or denying the possibility of oppressive regimes looking to stockpile the vulnerabilities before using them when it suits their agenda.
“Of course there is no way for us or Immunity to ‘control’ the usage,” added Gurkin.
An example of governments buying vulnerabilities from a private company is the case of Italian firm Hacking Team, a security company that was hacked earlier this year.
Gurkin also says that the zero-days shown in his pack are cheap compared to most bug bounty programs offered by the likes of Microsoft or United Airlines, because the latter’s flaws could affect more end-users on a wider scale than SCADA vulnerabilities.
The lowered costs go to show how easily national security is put at stake, especially when it costs under $10,000 to affect critical infrastructure installations.