Exploring Previously Unknown Remote Kernel Bugs Affecting Android Phones (pleasestopnamingvulnerabilities.com)
126 points by Moral_ on Nov 6, 2017 | hide | past | favorite | 32 comments



> In late 2016 and early 2017 I became burned-out from hunting bugs as it became a race between some very talented researchers and me. For example Derrek and I spent 2 months auditing and coding up PoCs for some bugs in a wifi driver where nearly 95% of our reports were duplicates with the Chinese teams. It was becoming hard to compete with teams who do this 40 hours a week while I do it as a hobby over coffee on Saturday mornings.

This isn't really the main focus of the article, but I find this really interesting. There are teams of full-time Chinese researchers looking for and reporting vulnerabilities in Android? Are they doing this to win the bug bounties? If so, it sounds like Google's bug bounty program is really paying off.


I hope it's Google's bug bounty program that's paying off.


If they were black-hat researchers, they wouldn't have reported the vulnerabilities to Google, and thus the researcher's reports wouldn't be considered duplicates.

My guess is they're either working for the bug bounties, or they're employed by a company that uses Android extensively and wants to make sure it's secure.


Exploring the acknowledgements [0] shows many of these Chinese researchers are working for the big internet firms there (Alibaba, Tencent, Baidu), so my guess is they are more motivated in securing Android for internal use than collecting bounties (it's entirely possible they run their own AOSP-based Android builds for employee-provided hardware).

Being China, it's also possible that the Chinese government indirectly or directly sponsors this research, since Android is by far the most common smartphone OS there.

edit: C0RE Team [1], who also has many contributions, seems to be an independent research company, who may be doing it just for the bounties.

[0] https://source.android.com/security/overview/acknowledgement...

[1] http://c0reteam.org/about.html


An interesting exercise would be to compile notification dates with code commit dates, and then compare the average difference (notification date - commit date) among groups.

If there's a discrepancy, then that's possible evidence one group might be hoarding bugs, or at least waiting for notification approval from, e.g., a domestic intelligence agency.
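The comparison proposed in this comment, written out as an added example that is not part of the thread: constructed sample records (not real acknowledgement data) are grouped by reporting team and the commenter's metric (notification date minus commit date) is averaged per group. The commit date is read here as the date the affected code landed, which is an assumption about what the commenter meant; the grouping names and the outlier threshold are likewise made up for illustration.

```python
from datetime import date
from statistics import mean, median

# Constructed sample data, not real disclosure records. Each entry gives the
# reporting group, the date the affected code landed ("commit", an assumed
# reading of the commenter's "code commit date"), and the date the vendor was
# notified ("notified"). A missing date is None and the record is skipped.
SAMPLE_REPORTS = [
    {"group": "vendor_team", "commit": "2016-11-01", "notified": "2017-01-15"},
    {"group": "vendor_team", "commit": "2016-12-10", "notified": "2017-02-01"},
    {"group": "vendor_team", "commit": "2017-01-05", "notified": "2017-03-20"},
    {"group": "bounty_shop", "commit": "2016-10-20", "notified": "2016-12-01"},
    {"group": "bounty_shop", "commit": "2017-02-01", "notified": "2017-03-05"},
    {"group": "bounty_shop", "commit": "2017-01-01", "notified": None},
    {"group": "hobbyist",    "commit": "2016-06-01", "notified": "2017-04-01"},
    {"group": "hobbyist",    "commit": "2016-09-15", "notified": "2017-05-10"},
]


def lag_days(report):
    """Days from code commit to vendor notification, or None if a date is missing."""
    if not report.get("commit") or not report.get("notified"):
        return None
    committed = date.fromisoformat(report["commit"])
    notified = date.fromisoformat(report["notified"])
    return (notified - committed).days


def lag_by_group(reports):
    """Return {group: {"n": count, "mean": days, "median": days}} over usable records."""
    buckets = {}
    for report in reports:
        days = lag_days(report)
        if days is None:
            continue  # no lag can be computed without both dates
        buckets.setdefault(report["group"], []).append(days)
    return {
        group: {"n": len(lags), "mean": mean(lags), "median": median(lags)}
        for group, lags in buckets.items()
    }


def flag_outliers(stats, factor=2.0):
    """Groups whose median lag exceeds `factor` times the median of all group medians.

    The median is used rather than the mean so one very late report does not
    dominate a small group. A flag is only a prompt to look closer at that
    group's reports; it is not evidence of hoarding on its own.
    """
    if not stats:
        return []
    baseline = median(s["median"] for s in stats.values())
    return sorted(g for g, s in stats.items() if s["median"] > factor * baseline)


if __name__ == "__main__":
    stats = lag_by_group(SAMPLE_REPORTS)
    for group, s in sorted(stats.items()):
        print(f"{group:12s} n={s['n']} mean={s['mean']:.1f}d median={s['median']:.1f}d")
    print("worth a closer look:", flag_outliers(stats))
```

Run it as a script to print per-group lag statistics for the constructed data; with real acknowledgement data the interesting part is choosing which commit to measure from, since a bug may predate several unrelated commits to the same file.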


cue commit scrubbers


The article mentions hundreds of thousands of lines of code, where they couldn't even find the entry point to begin debugging. In a single wifi driver (that's not even considering the firmware).

Sometimes infosec seems the most dreadful field.


That caught my eye too. Anyone have a rough estimate for what sort of profitability one could expect from full time work in this field?


If you're good at exploit dev? You can take however much money you want.

https://www.reuters.com/article/us-bitfinex-hacked-hongkong/...

If you're a world class exploit developer working full time, expect to earn a few hundred million $ per year.

Of course there exists a whole industry full of people that'll offer you silly 6 digit salaries.


Source plz. For white hats, I mean.


Probably depends on how willing you are to live and work in China.


Oh, I mean I guess you can probably find some country that'll be able to work out a profit-sharing agreement with you and allow you to legally steal money.

https://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogach...

This guy is a good example of someone with a decent career in infosec operating on the right side of the law (within his own jurisdiction, anyway).

If you want to do charity reporting bugs, then you obviously will get paid like charity workers do.


The question probably wasn't about whether an exploit specialist could net a lot of money, but rather, your claim of "a few hundred million $ per year". That's pretty extraordinary.


How is it extraordinary? Cryptocurrency heists of that scale happen regularly.

Wire fraud in the high tens of millions is a daily thing. Shit out an OWA RCE bug and you can make billions swapping out bank account info in emails.

All the money in the world is controlled by insecure computers, of course skilled exploit devs can drown themselves in it.


You are describing rare, single digit numbers of events that netted enough to be characterized as hundreds of millions / year for a short time period. That's "extraordinary". Meaning that skill alone doesn't guarantee that earning level.

Generally, single digit millions/year seems a reasonable expectation for a very talented (and ethically flexible) exploit practitioner. Beyond that requires luck and right place / right time.


Wire fraud is not rare. You can steal tens of millions by hacking a single company's webmail.

It doesn’t even have to be a company with any infosec staff, think any big factory or a mine. Large wire transfers over email are a daily thing.

I truly believe that the amount of people that could earn hundreds of millions a year doing this full time isn’t even that small.


Hundreds of millions, per year, to a single exploit specialist, is. Not arguing your general point of financial benefit for world class exploit specialists. Just arguing the scale.

The most famous one I'm aware of got $100M over two years and didn't get to keep it. http://fortune.com/2017/04/27/facebook-google-rimasauskas/


Sure, I would expect that most people doing this sort of work don’t actually work full time.

But the amounts of money you could steal with relatively little work are truly immense.

> The most famous one I'm aware of got $100M over two years and didn't get to keep it.
> http://fortune.com/2017/04/27/facebook-google-rimasauskas/

This guy seems to be the polar opposite of a world class exploit dev, but he got pretty far.

However he was also a pretty small player, I’m on my phone now but I’ll try to post some useful links in the morning.


> This guy seems to be the polar opposite of a world class exploit dev

Stealing $100M over two years from FB and Google? Sounds world class to me. Social engineering isn't an inferior skill to actual code exploits.


> Stealing $100M over two years from FB and Google?

Yeah, I think at this point the largest actors in this field have stolen $1B+ just by themselves.

> Social engineering isn't an inferior skill to actual code exploits.

For this specific purpose it probably is. With a single webmail exploit you could trivially be stealing similar amounts in days from vast numbers of businesses. All you need to do is automatically (or manually) replace bank account information in the emails. This is a relatively simple task to automate.

A $20M wire being sent to some random bank account copypasted from OWA is nothing out of the ordinary. There are thousands, probably tens of thousands potential targets.

At least the FBI seems to think that these email compromises are a 5 billion dollar industry, https://securityledger.com/2017/05/fbi-business-email-compro... We haven't even seen any fancy 0days being used yet, the whole industry is prime for disruption by more sophisticated, more efficient actors.

In the face of all this it really seems hard to argue that a world class exploit dev couldn't be earning hundreds of millions a year with relative ease.


Google doesn’t support app purchases in China.

https://www.bloomberg.com/gadfly/articles/2017-02-06/google-...

This has created a strange ecosystem for app stores in China, which depend on vulnerability exploitation in varying degrees for installation privileges.

Maybe some of the work is dual use, but the primary motivation for funding this kind of vuln discovery and exploit development seems to have been App Store ecosystem development in China.


> This has created a strange ecosystem for app stores in China, which depend on vulnerability exploitation in varying degrees for installation privileges.

Can you explain that a bit more? 3rd party app stores are legitimate on Android, so why would they depend on vulnerability exploitation?


I am a little unclear on why they operate the way they do, but the k33n team guys are all employed by Tencent. I’ve asked them about it and this was the rationale they presented.

https://en.m.wikipedia.org/wiki/Tencent


> There are teams of full-time Chinese researchers looking for and reporting vulnerabilities in Android? Are they doing this to win the bug bounties?

I hope you are being sarcastic; guess again!


What is a vuln name, other than a binding of a CVE to a real word to make it easier to reference or promote.

It draws public attention to an issue better than any CVE-2017-XXXXX would do.

No, keep it up. Dictionary words are far easier to remember than specific numbers.


I think it's better over the long run to keep the CVE as the "canonical" name and just treat the others like nicknames. Instead we have branding, logos, domain names etc. Some argue that it's easier to get attention or shame a vendor by going all-out, but it seems like overkill for a simple mnemonic.


I think a lot of it is that there are folks who want to contribute to security awareness, and their skills lie with design/branding rather than with low level security concepts.

I can't speak for what the value-add is there, but I don't see any harm from it.


Well done to the author. I always found working on more obscure systems to be a lot more entertaining as a hobby and I'd definitely recommend it -- you'll almost never run into the issue of another researcher coming out with something first. Most security researchers seem to shy away from embedded VR due to an unjustified fear of obscure assembly languages and hardware (or perhaps they just realize there's no money in it...), but it isn't nearly as hard as anyone thinks.

I expect to see drastically more work into IoT devices once tooling and knowledge sharing gets better. A lot of the articles right now begin and end with binwalk. Great tool but that's just the start.

The only hard part of embedded work is that it's really, really difficult to collaborate with anyone as VR is always filled with incredible drama and the talent pool of individuals willing to work on this (for free) with the prerequisite knowledge is almost non-existent.

Good luck. And thanks for not coming out with another media campaign first and interesting research second.


The PLEASESTOPNAMINGVULNERABILITIES vulnerabilities are surely of a different type than the KRACK attack.


Fascinating write-up. Is it normal for wifi drivers to have such an enormous code base? Like, nearly 700k loc? And how much of it is generated code? I'd love any links to stuff on this if anyone has them and time to post, thanks.


Generated code can really build up quickly. And that's not taking into account the transformations from higher level languages down to op codes. I use a lot of code gen, and some projects I manage are ~50k loc, which can balloon to 10x that.

The exploits, I'd bet, are still in the human written weird stuff and not unfolded loops and boring setters/getters.




