Is Zoom’s $500,000 RCE really not worth it?

Alon Gal — Under the Breach
Jun 30, 2020


Back in April it was revealed that a Zoom RCE 0-day went up for sale for $500,000.

Vice article [1]

This raised plenty of eyebrows in the infosec community as to whether the price was justified or not.

Many believed the price was absurd and that there is no way in the world that someone would pay that much for an exploit of that kind.

The arguments varied from people claiming that you could get “better 0-day exploits” for that price to people claiming that critical 1-day exploits in unpatched systems are so common that one doesn’t have to spend that sum at all.

I thought about the arguments and while they do make sense I still believe that a non-top-of-the-shelf 0-day could still easily get sold for that price.

I will explain with an example:

Let’s say you live in Israel like I do.

Israel has plenty of enemies, from terrorist groups in Gaza and the West Bank, to Lebanon’s Hezbollah in our north threatening to invade Israel in order to carry out terror attacks, to the looming danger of Iran’s nuclear aspirations.

This leads to a large portion of our GDP going towards security budgets:

[2]

To emphasize how large Israel’s 5.3% of GDP going towards these budgets is, Israel is ranked 11 out of 248 in military expenditure per GDP by the World Bank [3].

So yes, Israel cares about its security.

Now if we look at how much a life is literally worth in the USA, the U.S. Office of Management says $7 million to $9 million [4].

Probably a relatively similar number in Israel.

Now imagine an offensive researcher who works for a prestigious government intelligence agency.

The agency becomes aware that a certain terrorist plans on carrying out a terror attack in Israel, and if they had access to his machine they could find the location and stop the attack.

Furthermore, the agency assesses that if that terror attack is successful there will be approximately 5 casualties.

That researcher would have to figure out a way to access that terrorist’s machine, and the sooner the better.

Now let’s say the researcher begins tackling the task he was given. Due to the extreme sensitivity of the situation, he determines he cannot rely on 1-days: if the terrorist has patched his systems the exploit would fail and waste valuable time, not to mention that if the terrorist notices someone is trying to hack him, he could expedite the terror attack.

The researcher resorts to searching for different 0-days he can buy in order to fulfill his task, as the agency’s current arsenal doesn’t fit this specific task.

He sorts through all the 0-days he was able to find with a price tag on them, ranging from browser RCEs to RCEs in common software.

Zerodium Payouts for Desktop/Server[5]

Unlike browsers and other software, knowing whether the terrorist is using Zoom is quite easy if the agency has some insight into said terrorist’s accomplices (monitoring just one of them and seeing he is using Zoom with the terrorist is enough).

The analyst also finds the Zoom RCE with its price tag of $500,000.

Now the analyst has to pitch the advantages and disadvantages of each 0-day to upper management in order to get the budget for purchasing the exploit approved.

The upper management person who handles operation budgets is likely pretty old, as the government doesn’t trust young people with money. He is likely not very knowledgeable about what a 0-day is, but when browsing the list he sees the Zoom 0-day going for $500,000.

Looking back at April when that Zoom RCE went up for sale, it was a time when literally everything was closed due to the coronavirus, and Zoom made headlines daily because everyone was using it as an alternative to going to work.

That person in upper management looks at the price tag of $500,000 against the possible outcome of 5 casualties costing Israel ~$35,000,000-$45,000,000 and happily agrees to confirm the purchase.

Good deal if you ask me, and that is just one specific country and one specific target.

Imagine how many machines an agency can infect until the 0-day is patched.

Imagine how many hedge fund managers someone can infect to gain insider trading information.

Imagine how just one successful attack on a large crypto holder can net the attacker far more than the cost of the 0-day.

Connect with me — https://www.linkedin.com/in/alon-gal-utb/

References:

1: https://www.vice.com/en_us/article/qjdqgv/hackers-selling-critical-zoom-zero-day-exploit-for-500000

2: https://en.wikipedia.org/wiki/Israel_Defense_Forces

3: https://data.worldbank.org/indicator/MS.MIL.XPND.GD.ZS

4: https://www.theglobalist.com/the-cost-of-a-human-life-statistically-speaking/#:~:text=Today%2C%20the%20U.S.%20Office%20of,%247%20million%20to%20%249%20million.

5: https://zerodium.com/program.html
