A new startup is offering up to $3 million for tools to hack into Android and iOS devices, the highest public price offered for such tools.
The startup is called Crowdfense and is based in the United Arab Emirates. In an unusual move in the normally secretive industry of so-called zero-days, Crowdfense sent out a press release to reporters on Tuesday, advertising what it calls a bug bounty.
“Zero-days” or zero-day exploits are hacking tools that leverage bugs or vulnerabilities in computer systems that are unknown to the system’s developers. Over the years, improvements in the security of popular computers and cellphones have created a secretive and controversial industry dedicated to providing these tools to government agencies that need help hacking targets.
Crowdfense’s director Andrea Zapparoli Manzoni told me that he and his company are trying to join that market, purchasing zero-days from independent researchers and then selling them to law enforcement and intelligence agencies.
“When I think about government agencies I don’t think about the military part, I think about the civilian part, that works against crime, terrorism, and stuff like that,” Zapparoli told me in a phone interview. “We only focus on tools aimed at doing activities of law enforcement or intelligence, not aimed at destroying or deteriorating the functionality and effectiveness of the target systems—but only aimed at collecting intelligence.”
The company is only looking for zero-day exploits for Windows, MacOS, iOS, and Android. It’s not interested in exploits for Internet of Things devices, critical infrastructure, telecom companies, or popular sites such as Facebook, according to Zapparoli.
Crowdfense is trying to do things differently, “with the maximum possible transparency,” he said. Zapparoli said he doesn’t want to repeat the mistakes that other companies in this industry made in the past, and specifically mentioned Hacking Team, an Italian vendor of spyware that’s infamous for selling hacking and surveillance tools to oppressive governments.
“Vetting customers is the most delicate part of our whole activity,” Zapparoli said.
For now, however, Zapparoli didn’t specify exactly how the company is doing the vetting or who it’s working with. He said Crowdfense is willing to sell to only “very few” customers if that’s what it needs to do to make sure its hacking tools don’t end up in the wrong hands. He said that in the future it might publish best practices and standards on how it vets customers, but for now, it will “self-regulate.”
The local government of the UAE has authorized Crowdfense to open shop in Dubai, Zapparoli said.
“When we have to sell outside of the UAE, normally there are no objections,” Zapparoli said.
In 2016, the UAE government was accused of trying to use an iPhone zero-day exploit against the well-known human rights activist Ahmed Mansoor. That exploit was provided by the Israel-based company NSO Group.
Zapparoli also said that the company will take into consideration the controversial Wassenaar international arrangement, which regulates so-called “dual-use” technologies, that is, tools that can be used both in times of peace and war. Some countries that are part of the arrangement (the UAE is not) consider certain zero-days dual-use items. Zapparoli said it will be up to the researchers who sell their exploits to Crowdfense to abide by the arrangement.
The company has a budget of $10 million for this “bug bounty.” Its backers, for now, are also secret. Zapparoli declined to specify who invested in the company.
Adriel Desautels used to act as a broker between researchers who find and develop zero-day exploits, companies that acquire them, and the government customers who end up using them. His company, Netragard, worked with several government customers as well as surveillance technology providers such as Hacking Team. When Hacking Team got hacked and its list of customers was revealed, Desautels decided to leave the industry.
Desautels said that Crowdfense’s price list is in line with the market. He mentioned that before he quit the zero-day industry, he brokered the sale of an iOS zero-day that went for $4 million. But he’s skeptical of the business model. For Crowdfense to make it work, it will have to resell the same capabilities to multiple customers, he said, which could lead to problems.
The market, however, is there.
“When you're talking about iOS and Android devices, those kinds of targets, you're talking about real operational interests,” he told Motherboard in a phone call. “You have a need, you have somebody who's on the move that has a phone and you need to track who this person is. You need something you can tie directly to a person. That's when you spend that kind of money.”
Crowdfense joins a crowded market. There are relatively public-facing companies such as Zerodium, which gathered a lot of attention in the last few years by announcing similar multi-million-dollar bounties for popular software. There are also lesser-known and less bombastic firms such as Australia-based Azimuth.
Correction: A previous version of this story quoted Zapparoli saying the UAE authorized Crowdfense to sell hacking tools. Zapparoli said that the government only authorized the company to set up shop in Dubai, not to sell zero-days, as there's no need for that authorization.