NSA purchased zero-day exploits from French security firm Vupen

The National Security Agency bought hacking tools from a security firm, based on documents unearthed by a FOI request.
Written by Charlie Osborne, Contributing Writer

The bombshell media leaks that exposed the U.S. National Security Agency's surveillance projects were easily one of the main stories of the year -- with international and political repercussions -- but now a Freedom of Information request has unearthed the additional purchase of hacking tools.

Ex-NSA contractor Edward Snowden is wanted by the U.S. government for leaking confidential documents to the media which exposed the agency's surveillance techniques used not only on American citizens, but allegedly other countries and their residents.

While Snowden is currently living in Russia under guard and silent, revelations continue to surface. One of the latest reports claims that the NSA is able to access data from Apple iPhones, BlackBerry devices, and phones that use Google's Android operating system. In addition, following document leaks which suggested the NSA was accessing email records, a number of companies offering secure email shut down, and in their place, encrypted mobile phone communication applications have risen.

A fresh report, brought on by a Freedom of Information (FOI) request by government transparency site MuckRock, shows that the NSA purchased data on zero-day vulnerabilities and the software to use them from French security company Vupen.

According to the documents, the NSA signed up to a one-year "binary analysis and exploits service" contract offered by Vupen last September.

Vupen describes itself as "the leading provider of defensive and offensive cyber security intelligence and advanced vulnerability research." In other words, the security firm finds flaws in software and systems and then sells this data on to governments.

In addition, Vupen offers offensive security solutions, including "extremely sophisticated and government grade zero-day exploits specifically designed for critical and offensive cyber operations."

Zero-day vulnerabilities are security flaws in systems discovered by researchers and cyberattackers which have not been found or patched by the vendor. These flaws can then be exploited to gain access to a system and its information, or the vulnerabilities can be sold on the black market. White-hat hackers may reveal the flaw to the vendor for free or as part of a 'bug bounty' program.

The finding isn't all that surprising, considering a report released in May previously claimed that the United States is the world's "biggest buyer" of malware.

View the documents here.

Editorial standards