Prominent privacy rights advocate Christopher Soghoian is calling on the security research community to blackball middlemen companies that trade in vulnerabilities and exploits to governments.
During a presentation at the recent Kaspersky security analyst summit (see important disclosure), Soghoian warned of the risk of "blowback" if a weaponized zero-day sold to a foreign government is used against critical infrastructure in the U.S.
Soghoian (right) pinpointed VUPEN, FinFisher and HackingTeam among a handful of companies that buy and sell zero-day vulnerabilities, exploits and remote monitoring tools to governments around the world.
"As soon as one of these weaponized zero-days sold to governments is obtained by a 'bad guy' and used to attack critical U.S. infrastructure, the shit will hit the fan," Soghoian warned.
"It's not a matter of if, but when," he added.
Soghoian said these companies are purchasing vulnerabilities and exploits at prices ranging from $50,000 to $100,000 and work hard to keep these a secret forever. It's well known that companies like VUPEN never report vulnerabilities to vendors like Microsoft or Adobe and Soghoian said this presents a danger to the general public.
Noting that the security industry is completely unregulated, Soghoian said the current free-for-all encourages anyone to create weaponized exploits and sell them to shady agencies around the world. In addition to some of the companies he named, Soghoian said there are many middle-men vulnerability brokers who operate under the radar.
"This trade is not legitimate and we should not legitimize them.
"These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain," Soghoian added.