1
00:00:01,535 --> 00:00:03,435
BEN: They're security holes in a piece of software.
2
00:00:03,537 --> 00:00:05,137
I could have made all the
transmissions go to neutral
3
00:00:05,239 --> 00:00:06,672
for a million cars.
4
00:00:06,774 --> 00:00:08,774
They're unknown to their creators.
5
00:00:08,876 --> 00:00:10,309
You can find it yourself,
6
00:00:10,411 --> 00:00:13,946
you can hire somebody to find
it, or you can be attacked.
7
00:00:14,048 --> 00:00:16,281
It can be exploited for covert attacks.
8
00:00:16,383 --> 00:00:20,118
Our ultimate goal is not
to attack, but to defend.
9
00:00:20,221 --> 00:00:22,621
They're coveted by hackers and spies alike.
10
00:00:22,723 --> 00:00:26,959
We are going to bring the
full array of US national power
11
00:00:27,061 --> 00:00:29,962
to bear to protect US interests
and those of our allies.
12
00:00:30,064 --> 00:00:31,430
But what do they want them for?
13
00:00:33,901 --> 00:00:43,909
♪
14
00:00:52,987 --> 00:00:54,653
They call them zero-days.
15
00:00:54,755 --> 00:00:56,054
Hackers hunt for them,
16
00:00:56,156 --> 00:00:58,190
but most people have no idea what they are.
17
00:00:58,292 --> 00:01:02,227
Put simply, a zero-day is a flaw in a specific piece of software,
18
00:01:02,329 --> 00:01:04,329
a vulnerability that the software company
19
00:01:04,431 --> 00:01:06,398
doesn't even know about.
20
00:01:06,500 --> 00:01:08,867
That code could be running on everything from your iPhone
21
00:01:08,969 --> 00:01:10,669
to the webcam on your computer
22
00:01:10,771 --> 00:01:13,071
to the network protecting the Pentagon.
23
00:01:13,173 --> 00:01:15,073
And if these holes aren't fixed with new code,
24
00:01:15,175 --> 00:01:19,378
hackers can design exploits, or figurative torpedoes,
25
00:01:19,480 --> 00:01:20,946
to attack the software.
26
00:01:21,048 --> 00:01:23,615
Charlie Miller discovered one of the most mind-blowing zero-days
27
00:01:23,717 --> 00:01:25,550
in recent history.
28
00:01:25,653 --> 00:01:27,286
He's a former NSA hacker
29
00:01:27,388 --> 00:01:30,722
and world-renowned security researcher based in St. Louis.
30
00:01:30,824 --> 00:01:33,925
Back in 2015, he and a partner actually found a way to remotely
31
00:01:34,028 --> 00:01:38,096
hack into Chrysler models with a specific computer system,
32
00:01:38,198 --> 00:01:41,033
and they could do it from thousands of miles away.
33
00:01:41,135 --> 00:01:43,802
And it wasn't just turning the music up or jacking the AC;
34
00:01:43,904 --> 00:01:46,371
they could seriously mess up a car on the road.
35
00:01:47,841 --> 00:01:49,408
I got in touch with Charlie and asked him
36
00:01:49,510 --> 00:01:51,910
if he'd hack one of these cars while I was behind the wheel.
37
00:01:52,012 --> 00:01:53,312
- I'm Ben.
- Charlie. How's it going?
38
00:01:53,414 --> 00:01:54,479
So this is the car?
This is it?
39
00:01:54,581 --> 00:01:55,547
Yeah, you ready to get hacked?
40
00:01:55,649 --> 00:01:56,815
(Laughing)
Yeah!
41
00:01:58,185 --> 00:02:00,952
So what part of this car
exactly did you target
42
00:02:01,055 --> 00:02:02,821
that was hackable?
43
00:02:02,923 --> 00:02:05,123
So this part right here,
it's called the head unit,
44
00:02:05,225 --> 00:02:06,925
and that's the part
that we actually hack.
45
00:02:07,027 --> 00:02:09,294
The fact it's on the internet,
and that we could talk to it,
46
00:02:09,396 --> 00:02:10,796
and there was a vulnerability
47
00:02:10,898 --> 00:02:12,664
that allowed us to actually
get code running on it.
48
00:02:12,766 --> 00:02:15,233
We could do it remotely,
but we told Chrysler about it
49
00:02:15,336 --> 00:02:17,636
and they fixed it, so now you
can't do it remotely anymore.
50
00:02:17,738 --> 00:02:19,404
How long did it take
for them to patch it?
51
00:02:19,506 --> 00:02:21,773
Well, first I
told them about it,
52
00:02:21,875 --> 00:02:24,576
and for nine months
they were working on it.
53
00:02:24,678 --> 00:02:26,278
And then once we
sort of publicized it,
54
00:02:26,380 --> 00:02:27,746
then they fixed it
within a week.
55
00:02:27,848 --> 00:02:30,148
So it was... once everyone
was really upset,
56
00:02:30,250 --> 00:02:31,750
they could fix it
very quickly.
57
00:02:31,852 --> 00:02:34,086
So now I'm physically
plugged into the head unit.
58
00:02:34,188 --> 00:02:36,688
Okay, so I can start
showing you some stuff here.
59
00:02:36,790 --> 00:02:40,859
What was the... What was the,
I guess, more dangerous thing
60
00:02:40,961 --> 00:02:43,095
you could do to the car
with this particular hack?
61
00:02:43,197 --> 00:02:45,997
Probably the most scary thing
we can do is when you come to
62
00:02:46,100 --> 00:02:49,334
a stop, we can make it to where
then the brakes stop working,
63
00:02:49,436 --> 00:02:50,869
and then you'll
start going again.
64
00:02:50,971 --> 00:02:52,838
- So we're stopped...
- Yeah.
65
00:02:52,940 --> 00:02:54,172
...but now we're not stopped.
66
00:02:54,274 --> 00:02:55,440
(Engine revving)
67
00:02:55,542 --> 00:02:57,876
Oh man, I don't like
that sound at all!
68
00:02:57,978 --> 00:02:59,211
Yeah, no.
69
00:02:59,313 --> 00:03:01,680
So the brake pedal
just doesn't go down.
70
00:03:01,782 --> 00:03:03,782
(Laughing)
Jeez!
71
00:03:03,884 --> 00:03:05,650
Alright, so you want to
see some steering and stuff?
72
00:03:05,753 --> 00:03:07,085
Yeah, let's see some steering.
73
00:03:07,187 --> 00:03:09,388
Okay, so get somewhere
where we can go backwards.
74
00:03:09,490 --> 00:03:12,157
So in reverse, you can...
75
00:03:12,259 --> 00:03:14,493
Oh, yeah.
76
00:03:14,595 --> 00:03:15,994
I can crank the steering
wheel as much as I want.
77
00:03:16,096 --> 00:03:17,963
- No hands.
- Yep.
78
00:03:18,065 --> 00:03:19,398
(Laughing)
79
00:03:19,500 --> 00:03:20,632
That's safe.
80
00:03:20,734 --> 00:03:23,034
Not really.
(Laughing)
81
00:03:23,137 --> 00:03:24,803
Is there ever a scenario where
you think a hacker can get
82
00:03:24,905 --> 00:03:27,672
access to a vulnerability
in a car that's connected to
83
00:03:27,775 --> 00:03:31,643
the internet that a million cars
could just be turned off?
84
00:03:31,745 --> 00:03:33,011
I could have done that.
85
00:03:33,113 --> 00:03:34,679
- Just like that?
- Yeah.
86
00:03:34,782 --> 00:03:36,047
Even if they were
driving on the highway?
87
00:03:36,150 --> 00:03:37,883
I could've made them all...
all the transmissions
88
00:03:37,985 --> 00:03:39,718
go to neutral for
a million cars.
89
00:03:39,820 --> 00:03:41,420
So including cars that
are going, you know,
90
00:03:41,522 --> 00:03:42,721
100 miles an hour?
91
00:03:42,823 --> 00:03:43,922
Yes.
92
00:03:44,024 --> 00:03:45,056
You know, obviously
that wasn't my intent.
93
00:03:45,159 --> 00:03:46,258
(Laughing)
Right.
94
00:03:46,360 --> 00:03:47,726
My intent was to just
demonstrate that...
95
00:03:47,828 --> 00:03:48,827
- It could happen.
- Right.
96
00:03:48,929 --> 00:03:50,662
Car companies
are so new to this,
97
00:03:50,764 --> 00:03:53,698
and most car companies you don't
even know who you would contact
98
00:03:53,801 --> 00:03:56,101
to tell them you
found a vulnerability.
99
00:03:56,203 --> 00:03:58,770
But the crazy thing is that even when researchers do tell
100
00:03:58,872 --> 00:04:01,773
a car company about a security hole in their software, they're
101
00:04:01,875 --> 00:04:04,709
often scorned for discovering it in the first place.
102
00:04:04,812 --> 00:04:07,012
When people complain
about people like me who find
103
00:04:07,114 --> 00:04:09,214
vulnerabilities, they don't
realize that we're not putting
104
00:04:09,316 --> 00:04:11,082
the vulnerabilities in the
product, they're already there.
105
00:04:11,185 --> 00:04:12,717
Reporting the bugs is
what gets them fixed,
106
00:04:12,820 --> 00:04:14,719
and that's the good thing.
107
00:04:14,822 --> 00:04:17,088
Do you find it ridiculous that
companies won't pay for them?
108
00:04:17,191 --> 00:04:18,623
Like Chrysler didn't
give you anything, right?
109
00:04:18,725 --> 00:04:20,692
No, I didn't really expect them.
110
00:04:20,794 --> 00:04:22,694
I think it's more ridiculous
when huge companies that have
111
00:04:22,796 --> 00:04:24,896
been doing this for a long
time and they've got
112
00:04:24,998 --> 00:04:28,967
a billion dollars in the bank
and they tout their security,
113
00:04:29,069 --> 00:04:31,236
that doesn't make
as much sense to me.
114
00:04:31,338 --> 00:04:34,206
Like I was a consultant for many
years, and companies would
115
00:04:34,308 --> 00:04:36,308
pay me to come in and find
vulnerabilities for them,
116
00:04:36,410 --> 00:04:37,709
and it's hard, right?
117
00:04:37,811 --> 00:04:38,944
If it wasn't hard,
they would find
118
00:04:39,046 --> 00:04:40,579
all the vulnerabilities
themselves right?
119
00:04:40,681 --> 00:04:42,948
I feel like I
worked really hard.
120
00:04:43,050 --> 00:04:44,649
I should maybe get
something for that.
121
00:04:45,000 --> 00:04:47,860
Charlie Miller didn't get a dime for his exploit,
122
00:04:47,970 --> 00:04:50,900
but a year later Chrysler changed its policy.
123
00:04:51,000 --> 00:04:53,370
It became the first major car company to introduce
124
00:04:53,470 --> 00:04:57,510
a bounty program for hackers who find flaws in its software.
125
00:04:57,610 --> 00:04:59,740
And it's not just the Chryslers of the world
126
00:04:59,850 --> 00:05:01,680
who are willing to pay for them.
127
00:05:01,780 --> 00:05:04,510
Zero-days can be worth a lot of money to a software vendor
128
00:05:04,620 --> 00:05:08,220
and the security companies who want to patch the holes.
129
00:05:08,320 --> 00:05:11,020
At the same time, they can be sold through private brokers
130
00:05:11,120 --> 00:05:14,760
for upwards of half a million dollars to spy agencies or other
131
00:05:14,860 --> 00:05:18,060
covert operators who use them for surveillance or sabotage.
132
00:05:18,160 --> 00:05:19,530
- How you doing?
- Good.
133
00:05:19,630 --> 00:05:22,770
My career as a
professional penetration tester,
134
00:05:22,870 --> 00:05:26,740
with those skills, obviously
I could have been robbing banks
135
00:05:26,840 --> 00:05:29,840
and taking the money, as opposed
to being hired by the banks
136
00:05:29,940 --> 00:05:32,680
to see how they could
be robbed, right?
137
00:05:32,780 --> 00:05:35,450
Katie Moussouris is a security researcher who created
138
00:05:35,550 --> 00:05:39,280
Microsoft's first bug bounty program in 2013.
139
00:05:39,380 --> 00:05:41,380
She's based in Seattle, but I met her in Vancouver
140
00:05:41,490 --> 00:05:43,520
where she was attending a security conference.
141
00:05:43,620 --> 00:05:46,920
People usually like to define
them in terms of white market
142
00:05:47,030 --> 00:05:50,060
and black market, but black
market actually implies
143
00:05:50,160 --> 00:05:51,960
that the trading is illegal.
144
00:05:52,060 --> 00:05:55,900
And right now, it's not illegal
to trade zero-days or exploits.
145
00:05:56,000 --> 00:05:58,940
So I usually talk
about them in terms of
146
00:05:59,040 --> 00:06:01,300
defense market
and offense market.
147
00:06:01,410 --> 00:06:03,940
And do you think then that
bug bounties are the answer?
148
00:06:04,040 --> 00:06:06,810
Do you think hackers,
when they find this stuff,
149
00:06:06,910 --> 00:06:08,280
they should be
disclosing to the company?
150
00:06:08,380 --> 00:06:12,720
Well, my goal with creating
bug bounty programs
151
00:06:12,820 --> 00:06:16,620
is really about giving
hackers more opportunities
152
00:06:16,720 --> 00:06:19,620
to not just turn it
over to defense,
153
00:06:19,720 --> 00:06:21,290
but also make money
at the same time.
154
00:06:21,390 --> 00:06:22,660
So they don't have
to make a choice,
155
00:06:22,760 --> 00:06:25,260
"Do I do the right thing
or do I make money?"
156
00:06:25,360 --> 00:06:27,230
They can do the right
thing and make money.
157
00:06:27,330 --> 00:06:28,770
All software contains
vulnerabilities.
158
00:06:28,870 --> 00:06:30,100
It's just a fact.
159
00:06:30,200 --> 00:06:31,800
There are three ways
you can learn about it.
160
00:06:31,900 --> 00:06:34,770
You can find it yourself, you
can hire somebody to find it -
161
00:06:34,870 --> 00:06:36,910
or pay a bug bounty
if someone finds it -
162
00:06:37,010 --> 00:06:39,880
or you can be attacked, period.
163
00:06:45,420 --> 00:06:47,680
BEN: At the CanSecWest conference in Vancouver,
164
00:06:47,790 --> 00:06:49,890
hackers are invited to find new ways to break into
165
00:06:49,990 --> 00:06:53,520
widely used software, like Safari and Adobe Flash.
166
00:06:53,620 --> 00:06:57,030
Here at a competition known as Pwn2Own, the teams face off
167
00:06:57,130 --> 00:07:00,160
for nearly half a million dollars in prize money.
168
00:07:00,260 --> 00:07:03,200
Some teams have been working for months in advance,
169
00:07:03,300 --> 00:07:05,700
developing and testing their exploits.
170
00:07:05,800 --> 00:07:08,000
The flaws they find will be disclosed to the vendors
171
00:07:08,110 --> 00:07:09,740
so they can be patched.
172
00:07:09,840 --> 00:07:11,670
Whitey, I'm Ben.
173
00:07:11,780 --> 00:07:13,280
I met up with a volunteer named Whitey
174
00:07:13,380 --> 00:07:14,940
who agreed to show me around.
175
00:07:15,050 --> 00:07:17,010
Pwn2Own.
(Laughing)
176
00:07:17,110 --> 00:07:19,680
(Chattering)
177
00:07:19,780 --> 00:07:22,120
So is one of them going down
right now, right here?
178
00:07:22,220 --> 00:07:24,020
Yeah, yeah, so this is...
it's actually starting out now.
179
00:07:24,120 --> 00:07:25,620
I gotta watch this.
180
00:07:25,720 --> 00:07:30,530
(Chattering)
181
00:07:30,630 --> 00:07:34,230
ANNOUNCER: We have
Tencent Security Team Sniper.
182
00:07:34,330 --> 00:07:37,400
This is KeenLab and PC Manager.
183
00:07:37,500 --> 00:07:40,440
The target is Adobe
Flash with system.
184
00:07:40,540 --> 00:07:44,870
♪
185
00:07:44,980 --> 00:07:47,210
These guys are trying to break into a computer
186
00:07:47,310 --> 00:07:50,250
using their zero-day exploit for Adobe Flash.
187
00:07:50,350 --> 00:07:55,120
(Applause)
188
00:07:55,220 --> 00:07:57,220
(Chuckling)
189
00:07:57,320 --> 00:07:59,390
That was really...
That was really weird!
190
00:07:59,490 --> 00:08:00,920
(Laughing)
191
00:08:01,030 --> 00:08:02,720
WHITEY: You know, it's kind of
like architecting a program,
192
00:08:02,830 --> 00:08:04,660
and then getting that
one shot to run it
193
00:08:04,760 --> 00:08:07,260
and make it run perfectly,
and they just did that.
194
00:08:07,360 --> 00:08:10,400
And you know, it might
seem anticlimactic.
195
00:08:10,500 --> 00:08:12,900
It's definitely not hacking
that you'd see in a movie,
196
00:08:13,000 --> 00:08:14,300
stuff like that.
- Oh no.
197
00:08:14,410 --> 00:08:16,070
But this is... this
is the real thing.
198
00:08:16,170 --> 00:08:18,910
And yet what they just did
could, like you said,
199
00:08:19,010 --> 00:08:20,580
end a company?
200
00:08:20,680 --> 00:08:21,940
Oh, it could end a company,
201
00:08:22,050 --> 00:08:23,910
it could wreak havoc, you know,
across the internet.
202
00:08:24,260 --> 00:08:28,000
Tencent Security Team Sniper was eventually declared
203
00:08:28,100 --> 00:08:30,070
the Masters of Pwn.
204
00:08:30,170 --> 00:08:32,670
The Shanghai-based researchers who work for China's biggest
205
00:08:32,770 --> 00:08:36,370
internet company won this ridiculous smoking jacket.
206
00:08:36,480 --> 00:08:40,610
They also collected more than $142,000 in prize money.
207
00:08:43,720 --> 00:08:47,550
I met up with them after a super tame hacker wrap party.
208
00:08:47,650 --> 00:08:49,220
(Music playing)
209
00:08:49,320 --> 00:08:50,720
So you won Pwn2Own.
210
00:08:50,820 --> 00:08:52,390
How does that feel?
211
00:08:52,490 --> 00:08:55,060
- Pretty good.
- Yeah.
212
00:08:55,160 --> 00:08:57,130
- Relaxed now.
- You're relaxed now?
213
00:08:57,230 --> 00:08:58,930
Were you not relaxed
before this?
214
00:08:59,030 --> 00:09:02,800
The day before,
no, very nervous.
215
00:09:02,900 --> 00:09:05,470
Could you have sold those
zero-days to somebody else
216
00:09:05,570 --> 00:09:07,010
and gotten more money?
217
00:09:07,110 --> 00:09:08,640
And if so, why didn't you?
218
00:09:19,650 --> 00:09:24,090
So somebody actually approached
you guys during CanSecWest
219
00:09:24,190 --> 00:09:27,060
to pay for some of
the exploits you had?
220
00:09:28,260 --> 00:09:29,360
Who were they?
221
00:09:30,560 --> 00:09:31,800
(Laughing)
222
00:09:31,900 --> 00:09:33,370
And you didn't do it?
You didn't want to do it?
223
00:09:35,100 --> 00:09:36,870
Now, the ones you found,
224
00:09:36,970 --> 00:09:39,240
the zero-days you found,
what do they affect?
225
00:10:15,540 --> 00:10:17,580
For the rest of the year,
if you find zero-days,
226
00:10:17,680 --> 00:10:19,180
what do you do with them?
227
00:10:27,220 --> 00:10:29,590
(Laughing)
228
00:10:33,560 --> 00:10:34,860
And you report it?
229
00:10:41,130 --> 00:10:43,630
BEN: I'm in Vancouver for a computer security conference,
230
00:10:43,740 --> 00:10:45,570
but what I'm really after is more intel
231
00:10:45,670 --> 00:10:47,240
on shady zero-day markets.
232
00:10:47,340 --> 00:10:50,610
People here tell me I should speak with Emerson Tan.
233
00:10:50,710 --> 00:10:52,810
He's worked for a major government contractor,
234
00:10:52,910 --> 00:10:56,150
but he's also been a part of the hacking community for years.
235
00:10:56,250 --> 00:10:59,150
Tan is a self-described recovering dark lord,
236
00:10:59,250 --> 00:11:01,720
at least according to his LinkedIn profile.
237
00:11:01,820 --> 00:11:03,390
TAN: I hear you
have some questions.
238
00:11:03,490 --> 00:11:05,890
I want him to show me what the marketplace
239
00:11:05,990 --> 00:11:08,230
for these exploits really looks like.
240
00:11:08,330 --> 00:11:10,630
So can you buy exploits
on the black market?
241
00:11:10,730 --> 00:11:12,630
Online, dark web?
242
00:11:12,730 --> 00:11:13,830
Well, it depends what you mean.
243
00:11:13,930 --> 00:11:15,770
So exploits, as you know,
244
00:11:15,870 --> 00:11:17,800
come in a couple of
different flavours.
245
00:11:17,900 --> 00:11:20,500
There are the ones that
have already been patched,
246
00:11:20,610 --> 00:11:22,740
and then there are the 0-days.
247
00:11:24,880 --> 00:11:26,310
You wouldn't buy-- bother...
248
00:11:26,410 --> 00:11:28,910
If you were a criminal, you
wouldn't bother buying 0-days.
249
00:11:29,020 --> 00:11:30,310
No?
250
00:11:30,420 --> 00:11:32,920
A: they're very, very expensive.
251
00:11:33,020 --> 00:11:36,690
It costs a huge amount
of money to test them
252
00:11:36,790 --> 00:11:38,620
to make them reliable.
253
00:11:38,730 --> 00:11:42,330
If you're a criminal, you
just want the thing that works,
254
00:11:42,430 --> 00:11:45,330
and for the lowest cost
for the maximum return.
255
00:11:45,430 --> 00:11:46,530
Let's see it,
what's it look like?
256
00:11:46,630 --> 00:11:48,600
Let's have a look at
like a real forum.
257
00:11:48,700 --> 00:11:50,870
It's the world's
worst web design.
258
00:11:50,970 --> 00:11:54,270
It's really cheap and
cheesy, and they don't care.
259
00:11:54,370 --> 00:11:55,770
So you can go on there,
you buy an exploit.
260
00:11:55,880 --> 00:11:57,210
Usually that's an exploit
that hasn't been patched?
261
00:11:57,310 --> 00:11:58,480
No, it has been patched.
262
00:11:58,580 --> 00:12:00,040
- Or has been?
- It has been patched.
263
00:12:00,150 --> 00:12:02,450
What you have to remember
is that huge numbers of people
264
00:12:02,550 --> 00:12:05,120
around the world do not
patch their systems,
265
00:12:05,220 --> 00:12:07,020
do not patch their software.
266
00:12:07,120 --> 00:12:11,490
Especially given that a huge
amount of the software out there
267
00:12:11,590 --> 00:12:14,330
is not legally bought.
268
00:12:14,430 --> 00:12:17,160
It's all... It's all
stolen, it's all nicked.
269
00:12:17,260 --> 00:12:19,330
That stuff never gets updated.
270
00:12:19,430 --> 00:12:23,070
So in that way, you still
have a huge attack surface?
271
00:12:23,170 --> 00:12:25,670
Yeah, thous-- millions,
millions and millions
272
00:12:25,770 --> 00:12:27,810
and millions and millions
and millions of people.
273
00:12:27,910 --> 00:12:31,240
I mean, like, the...
this is brilliant.
274
00:12:31,340 --> 00:12:34,550
This is an Android phone,
it's my Android phone.
275
00:12:34,650 --> 00:12:37,010
People put all their personal
details and stuff on there,
276
00:12:37,120 --> 00:12:40,990
you know, everything you need
to go and steal their identity.
277
00:12:41,090 --> 00:12:42,820
- Mm-hmm.
- It's brilliant.
278
00:12:42,920 --> 00:12:44,990
But in terms of zero-days,
279
00:12:45,090 --> 00:12:47,660
there is no site where
you can buy a zero-day?
280
00:12:47,760 --> 00:12:50,900
I mean, I'm sure they exist, but
to be perfectly honest with you,
281
00:12:51,000 --> 00:12:57,030
if you were... if you were a
researcher and you really wanted
282
00:12:57,140 --> 00:13:01,410
top dollar, you wouldn't bother
with these open marketplaces.
283
00:13:01,510 --> 00:13:03,040
You'd go and talk to a broker.
284
00:13:03,140 --> 00:13:05,910
I mean, the thing is every--
this community is tiny.
285
00:13:06,010 --> 00:13:07,510
They all know each other.
286
00:13:07,610 --> 00:13:10,080
So brokers know the spies, the
criminals, and the researchers.
287
00:13:10,180 --> 00:13:12,180
Yeah, and the researchers.
288
00:13:12,290 --> 00:13:14,350
And then depending on
where you are in the world,
289
00:13:14,450 --> 00:13:19,420
you know, that's the
community that you sell to.
290
00:13:19,530 --> 00:13:22,430
It would be very, very odd
for example for, you know,
291
00:13:22,530 --> 00:13:27,430
like a Russian researcher
to try and sell to a broker
292
00:13:27,530 --> 00:13:30,070
who is... I don't know,
working for the Americans.
293
00:13:30,170 --> 00:13:32,700
You know, in somewhere
like China or Russia,
294
00:13:32,810 --> 00:13:35,210
selling to the opposition
will get you a visit
295
00:13:35,310 --> 00:13:38,240
from some men in very
ill-fitting leather jackets,
296
00:13:38,340 --> 00:13:39,940
maybe with a hose
or a baseball bat.
297
00:13:40,050 --> 00:13:41,210
Right.
298
00:13:41,310 --> 00:13:42,910
Have you ever dealt with
an intelligence agency?
299
00:13:43,020 --> 00:13:44,820
We'll shuffle that
question off to the side.
300
00:13:44,920 --> 00:13:46,320
I can neither confirm nor deny,
301
00:13:46,420 --> 00:13:49,720
which is Beltway speak for
some answer other than no.
302
00:13:49,820 --> 00:13:51,220
So here's the
weird thing though,
303
00:13:51,320 --> 00:13:54,960
is that almost everybody
has done it at some point.
304
00:13:55,060 --> 00:13:57,330
If you ever meet anyone who
says they're whiter than white,
305
00:13:57,430 --> 00:13:58,900
they're lying.
306
00:13:59,500 --> 00:14:01,160
One of the reasons that researchers are
307
00:14:01,270 --> 00:14:04,170
so easily tempted to sell zero-days to spy agencies
308
00:14:04,270 --> 00:14:06,640
is that governments are willing to pay a high price
309
00:14:06,740 --> 00:14:09,410
just so they can hack specific targets.
310
00:14:09,510 --> 00:14:11,980
Finding a zero-day can also earn you a big payoff
311
00:14:12,080 --> 00:14:14,510
from software companies who buy them in order to
312
00:14:14,610 --> 00:14:16,910
patch the holes in their products.
313
00:14:17,020 --> 00:14:19,250
Apple recently announced it would pay bug bounties
314
00:14:19,350 --> 00:14:22,450
that ranged from $25,000 to $200,000,
315
00:14:22,560 --> 00:14:24,590
depending on the vulnerability.
316
00:14:24,690 --> 00:14:27,960
Some bug hunters do that work as a side gig, but a select few
317
00:14:28,060 --> 00:14:30,330
can actually earn a living finding zero-days.
318
00:14:30,430 --> 00:14:33,200
Mark Litchfield is a professional bug hunter
319
00:14:33,300 --> 00:14:35,700
who says he's earned hundreds of thousands of dollars
320
00:14:35,800 --> 00:14:38,500
in bug bounties over the past few years.
321
00:14:38,600 --> 00:14:40,470
I headed to the gated community
322
00:14:40,570 --> 00:14:42,840
outside of Las Vegas where he lives and works.
323
00:14:42,940 --> 00:14:44,010
Oh my.
324
00:14:45,710 --> 00:14:47,040
Wow.
325
00:14:48,380 --> 00:14:50,910
He's got that baller,
gated community life.
326
00:14:52,620 --> 00:14:53,980
Hello.
327
00:14:54,090 --> 00:14:55,350
GUARD: How you doing?
Hold on a minute.
328
00:14:55,450 --> 00:14:56,690
No problem.
329
00:14:58,660 --> 00:15:01,460
They say no, the association
say no, no cameras.
330
00:15:01,560 --> 00:15:03,490
You can't go back there unless
you get it cleared with them,
331
00:15:03,600 --> 00:15:05,030
and I don't think so.
332
00:15:05,130 --> 00:15:07,000
We should've just
showed up in a golf cart.
333
00:15:07,100 --> 00:15:09,500
What do they think we're doing?
334
00:15:09,600 --> 00:15:11,740
Do you remember when
the White House and the FBI
335
00:15:11,840 --> 00:15:13,900
was easier to shoot in?
336
00:15:14,010 --> 00:15:15,710
We didn't manage to penetrate the perimeter
337
00:15:15,810 --> 00:15:18,780
of Mark Litchfield's gated community, so we met Mark
338
00:15:18,880 --> 00:15:21,450
and his wife, Carly-Lynn, at a nearby restaurant.
339
00:15:24,020 --> 00:15:25,220
Hey, Mark.
340
00:15:25,320 --> 00:15:26,680
- Hey mate, how you doing?
- How's it going?
341
00:15:26,790 --> 00:15:28,490
Nice to meet you.
Sorry for all that trouble.
342
00:15:28,590 --> 00:15:29,890
Hey, no problem.
How was the trip?
343
00:15:29,990 --> 00:15:31,020
- I'm Ben. It was good.
- I'm Carly, nice to meet you.
344
00:15:31,120 --> 00:15:32,490
Nice to meet you.
Yeah, it was good.
345
00:15:32,590 --> 00:15:34,190
I didn't realize it
would be that secure.
346
00:15:34,290 --> 00:15:36,490
That's a gated
community, I guess.
347
00:15:36,600 --> 00:15:37,890
(Laughing)
348
00:15:38,000 --> 00:15:40,100
Yeah, it was... they
brought the whole, like,
349
00:15:40,200 --> 00:15:42,870
golf cart brigade onto us.
350
00:15:42,970 --> 00:15:44,770
Yeah, they actually
come up to the house.
351
00:15:44,870 --> 00:15:46,570
I half expected
them to be armed,
352
00:15:46,670 --> 00:15:47,840
but I don't think they were.
353
00:15:47,940 --> 00:15:49,540
(Laughing)
354
00:15:49,640 --> 00:15:52,910
So is it tough to make a
living off of finding zero-days?
355
00:15:53,010 --> 00:15:54,340
You seem to have a
pretty good lifestyle here.
356
00:15:54,450 --> 00:15:56,350
Yeah, I do okay.
357
00:15:56,450 --> 00:15:57,880
(Laughing)
358
00:15:57,980 --> 00:16:00,350
What's the most you've ever
gotten paid for one zero-day?
359
00:16:00,450 --> 00:16:04,190
One of the bug bounty
programs is $15,000.
360
00:16:04,290 --> 00:16:05,460
Just for one?
361
00:16:05,560 --> 00:16:06,960
Just for one, yeah.
362
00:16:07,060 --> 00:16:09,860
Okay, so let's say you're
doing your thing in your house,
363
00:16:09,960 --> 00:16:11,960
and you find a zero-day
364
00:16:12,060 --> 00:16:15,630
in a particularly large
user base software.
365
00:16:15,730 --> 00:16:16,800
Okay.
366
00:16:16,900 --> 00:16:19,100
What do you do with it?
Do you report it?
367
00:16:19,200 --> 00:16:21,070
Interesting question.
368
00:16:21,170 --> 00:16:25,040
The first reaction would be
yes, report it, absolutely.
369
00:16:25,140 --> 00:16:29,180
But the second part of
this is with everything
370
00:16:29,280 --> 00:16:34,690
that's going on right now,
my personal view on this is...
371
00:16:36,420 --> 00:16:39,920
some states could make
better use of this bug
372
00:16:40,030 --> 00:16:43,390
than just giving it
to the vendor.
373
00:16:43,500 --> 00:16:46,300
So what do you mean by
what's going on nowadays?
374
00:16:46,400 --> 00:16:50,870
ISIS, you know, North Korea,
so much crap going on.
375
00:16:50,970 --> 00:16:55,570
If an opportunity came
my way whereby I could give
376
00:16:55,670 --> 00:16:59,240
a zero-day vulnerability to...
377
00:16:59,340 --> 00:17:00,910
(Sighing)
378
00:17:01,010 --> 00:17:04,780
an agency, whoever,
someone that could use this,
379
00:17:04,880 --> 00:17:06,920
then I would absolutely give it
to them and not report it.
380
00:17:07,020 --> 00:17:08,190
Have you ever done that before?
381
00:17:08,290 --> 00:17:09,850
Have you ever sold a
zero-day to a government?
382
00:17:09,960 --> 00:17:11,460
No.
383
00:17:11,560 --> 00:17:14,120
If you did sell to a government
a zero-day, would you tell me?
384
00:17:14,230 --> 00:17:15,130
No.
385
00:17:15,230 --> 00:17:16,490
(Laughing)
386
00:17:16,600 --> 00:17:18,330
A good poker face for a
guy who lives in Las Vegas?
387
00:17:18,430 --> 00:17:19,800
I don't play poker.
388
00:17:19,900 --> 00:17:21,360
(Laughing)
389
00:17:28,790 --> 00:17:30,320
BEN: Unpatched flaws in software can be used
390
00:17:30,430 --> 00:17:33,160
to hack into almost anything that runs on code,
391
00:17:33,260 --> 00:17:35,160
from a smartphone to a car.
392
00:17:35,260 --> 00:17:37,500
Those flaws, known as zero-days,
393
00:17:37,600 --> 00:17:40,030
are bought and sold to companies and governments.
394
00:17:40,140 --> 00:17:43,970
The US sometimes uses zero-day exploits for attack purposes,
395
00:17:44,070 --> 00:17:46,140
but there are also official guidelines about when they're
396
00:17:46,240 --> 00:17:48,910
supposed to be disclosed to the software vendor.
397
00:17:49,010 --> 00:17:50,910
The rules are an attempt to balance the public's interest
398
00:17:51,010 --> 00:17:53,880
in protecting internet safety and the government's interest
399
00:17:53,980 --> 00:17:55,980
in acquiring intelligence.
400
00:17:56,080 --> 00:18:01,250
So you can certainly imagine
that if we discovered that...
401
00:18:01,360 --> 00:18:04,660
and learned about a
vulnerability in, say,
402
00:18:04,760 --> 00:18:07,390
a piece of software that
was either widely used
403
00:18:07,500 --> 00:18:10,100
within the US government,
our allies, or within
404
00:18:10,200 --> 00:18:12,200
our critical infrastructure,
that it might be in our interest
405
00:18:12,300 --> 00:18:15,000
to actually purchase it
so we can make sure that
406
00:18:15,100 --> 00:18:16,400
there was a patch for it.
407
00:18:16,510 --> 00:18:18,370
I went to Washington to meet with Michael Daniel.
408
00:18:18,470 --> 00:18:20,370
He's the Cybersecurity Coordinator
409
00:18:20,480 --> 00:18:22,240
in the Obama administration.
410
00:18:22,340 --> 00:18:26,550
And when does, say, the NSA
sit on a vulnerability?
411
00:18:26,650 --> 00:18:30,420
If you sort of look at
those criteria for disclosure
412
00:18:30,520 --> 00:18:32,520
and imagine the inverse, right?
413
00:18:32,620 --> 00:18:37,790
That you've got a situation
where we have a vulnerability
414
00:18:37,890 --> 00:18:41,360
that's in a very limited
set of software or hardware
415
00:18:41,460 --> 00:18:44,300
that's not used very
broadly, that might be
416
00:18:44,400 --> 00:18:48,940
frequently employed by
our adversaries that would
417
00:18:49,040 --> 00:18:52,240
provide us a unique access that
we can't get any other way,
418
00:18:52,340 --> 00:18:55,740
those are the kinds of
things that we would retain.
419
00:18:55,840 --> 00:18:58,240
Michael Daniel wouldn't get more specific about the type of
420
00:18:58,350 --> 00:19:01,480
zero-days the government holds onto, or the number.
421
00:19:01,580 --> 00:19:05,050
What I can say is that,
you know, we are going to
422
00:19:05,150 --> 00:19:09,490
bring the full array of
US national power to bear
423
00:19:09,590 --> 00:19:13,130
to protect US interests
and those of our allies.
424
00:19:13,230 --> 00:19:15,630
But not everyone is comfortable leaving it up
425
00:19:15,730 --> 00:19:18,730
to the US government to judge what to do with a zero-day.
426
00:19:18,830 --> 00:19:22,000
Chris Soghoian is a privacy activist who tracks the zero-day
427
00:19:22,100 --> 00:19:25,140
market, and he's been sounding the alarm for years.
428
00:19:25,240 --> 00:19:28,810
Why are you so critical of
companies that are selling
429
00:19:28,910 --> 00:19:32,480
zero-days to the US
government or any government?
430
00:19:32,580 --> 00:19:36,620
You know, I really feel that
there should be a public debate
431
00:19:36,720 --> 00:19:39,790
around the government's role
in the zero-day market.
432
00:19:39,890 --> 00:19:44,520
I've been really bothered by the
fact that for five or 10 years
433
00:19:44,630 --> 00:19:47,030
there's been a conversation
in Washington, D.C.
434
00:19:47,130 --> 00:19:50,160
about cybersecurity, but
this was a missing piece.
435
00:19:50,270 --> 00:19:52,170
And this is an essential piece.
436
00:19:52,270 --> 00:19:54,000
Who are the US government
agencies targeting
437
00:19:54,100 --> 00:19:56,340
when they're using
zero-day exploits?
438
00:19:56,440 --> 00:19:58,300
You know, it really depends.
439
00:19:58,410 --> 00:20:01,270
So for the NSA, that
could be foreign leaders.
440
00:20:01,380 --> 00:20:03,880
It could be foreign corporations
who have information that
441
00:20:03,980 --> 00:20:06,880
the US government believes is
of national security interest.
442
00:20:06,980 --> 00:20:08,720
It could be terrorists.
443
00:20:08,820 --> 00:20:13,550
On the law enforcement side, the
FBI has attempted to hack people
444
00:20:13,660 --> 00:20:15,820
who have downloaded
or shared child porn,
445
00:20:15,920 --> 00:20:18,730
people who have called in
bomb threats to schools.
446
00:20:18,830 --> 00:20:22,530
It really runs the range of the
most horrific and serious crime
447
00:20:22,630 --> 00:20:25,670
to things that are, you know,
sort of teenagers making
448
00:20:25,770 --> 00:20:27,170
prank calls at home.
449
00:20:27,270 --> 00:20:28,500
Because I guess
that's the thing though.
450
00:20:28,600 --> 00:20:30,140
It's easy to be very
critical of it because
451
00:20:30,240 --> 00:20:32,340
it sounds on the surface
pretty malevolent, but then
452
00:20:32,440 --> 00:20:35,040
there may be instances
where a zero-day is used
453
00:20:35,140 --> 00:20:36,980
to hack into a
terrorist's computer.
454
00:20:37,080 --> 00:20:38,750
It's the classic
argument, right?
455
00:20:38,850 --> 00:20:40,550
I'm less focused
and less interested on
456
00:20:40,650 --> 00:20:43,850
who they use it against,
and more on what are
457
00:20:43,950 --> 00:20:47,320
the side effects of the
government's acquisition
458
00:20:47,420 --> 00:20:49,720
and stockpiling and use of that
vulnerability or that exploit.
459
00:20:49,820 --> 00:20:51,720
(Siren blaring)
460
00:20:51,830 --> 00:20:54,430
A couple years ago,
protests in Ferguson happened,
461
00:20:54,530 --> 00:20:57,760
and Americans wake up to
their morning newspapers
462
00:20:57,870 --> 00:21:00,400
showing photographs of
armoured personnel carriers,
463
00:21:00,500 --> 00:21:02,900
police wearing camouflage,
holding machine guns,
464
00:21:03,000 --> 00:21:06,570
and realizing that suddenly
their law enforcement
465
00:21:06,680 --> 00:21:08,270
has become militarized.
466
00:21:08,380 --> 00:21:09,740
They got to see the
trickle-down effect,
467
00:21:09,840 --> 00:21:12,550
where technologies that are
designed for the military
468
00:21:12,650 --> 00:21:15,050
and the intelligence community
eventually trickle down first
469
00:21:15,150 --> 00:21:18,280
to the Feds, then the state and
local law enforcement agencies.
470
00:21:18,390 --> 00:21:21,250
And this has happened with
armoured personnel carriers,
471
00:21:21,360 --> 00:21:23,890
it's happened with tear gas,
it's happened with SWAT teams
472
00:21:23,990 --> 00:21:26,460
and drones and
license plate readers,
473
00:21:26,560 --> 00:21:30,100
and it will almost certainly
happen with zero-days.
474
00:21:30,200 --> 00:21:33,370
And when you give those tools
to people who are going to be
475
00:21:33,470 --> 00:21:36,270
operating them without much
training and without much
476
00:21:36,370 --> 00:21:39,040
oversight, you know,
we're going to see abuses.
477
00:21:39,140 --> 00:21:42,780
We're gonna see police officers
spying on their ex-spouses,
478
00:21:42,880 --> 00:21:46,280
or their next door neighbour
who's pissing them off.
479
00:21:46,380 --> 00:21:51,320
I don't think that America
is ready for local cops to be
480
00:21:51,420 --> 00:21:54,620
hacking into computers, but we
are definitely on our way there.
481
00:21:54,720 --> 00:21:56,990
But it's not just the local cops.
482
00:21:57,090 --> 00:21:59,590
Spy agencies and hackers everywhere want them,
483
00:21:59,690 --> 00:22:01,460
and they're not just for surveillance.
484
00:22:01,560 --> 00:22:03,130
They can be weaponized to take over
485
00:22:03,230 --> 00:22:05,630
any physical object running on code,
486
00:22:05,730 --> 00:22:08,840
from a cellphone to an SUV to a power plant.
487
00:22:08,940 --> 00:22:10,900
And that means that if zero-days fall into
488
00:22:11,010 --> 00:22:14,140
the wrong hands, they can be real threats to your privacy,
489
00:22:14,240 --> 00:22:17,180
individual freedom, and even personal safety.
490
00:22:17,280 --> 00:22:19,150
But as it stands, there's no real consensus
491
00:22:19,250 --> 00:22:22,050
on whose hands are the wrong hands.