Uncover the secrets of Vupen: today, I have

Posted by lipsius at 2020-04-02

In the broad field of intrusion technology, attackers are constantly criticized by the media, privacy advocates and, occasionally, the courts. One company, however, has managed to stay out of the line of fire. It is Vupen Security, known as the "golden boy" of malware, which helps government agencies fight terrorism. In a sense, Vupen Security is probably the most "successful" arms dealer in the industry.

The history of Vupen

Based in Montpellier, France, on the Mediterranean coast, Vupen, founded by Chaouki Bekrar, a top vulnerability researcher and the company's chairman, celebrated its 10th anniversary this year. At first, the company did not set out to sell 0-day vulnerabilities to law enforcement and intelligence agencies. It was more like a traditional network equipment supplier such as Netragard, testing customer software for bugs and providing purely defensive network tools.

Over time, a better idea came to bekrar's mind. Why not sell exploit systems?

The customers willing to pay are government agencies, which can use exploits to locate, monitor and catch terrorists and criminals. Other companies were already there: Gamma Group International, a long-established cyber-warfare arms dealer, entered this market in the 1990s, Hacking Team entered in 2003, and many other companies have followed suit. The question was whether Vupen could stand out from the competition. Bekrar believed it could.

Bekrar believes that the main reason other companies fail in this field is that they rely too much on third-party hackers to find 0-day vulnerabilities. Such companies act only as brokers. In contrast, Vupen's internal vulnerability research team (VRT) does all the complicated work of vulnerability discovery itself. This skill has become the basis of the company's survival today, and the company shows off its strength in an "eye-catching" way.

The Pwn2Own game

In this event, hackers did find some unspeakable vulnerabilities in Safari and iOS. Since 2008, Pwn2Own has expanded its attack scope beyond Apple. Successful hackers are rewarded with cash for discovering a vulnerability and submitting it to the vendor for repair.

In 2011, Vupen burst onto the scene and began to break the rules. In its first year at the contest, Vupen found and exploited a previously unknown 0-day vulnerability in Apple's Mac operating system. Pwn2Own officials stood up and prepared cheques to reward them. However, Bekrar and his company said "no way" - for Vupen's own customers, the value of the vulnerability itself was far beyond that.

Vupen won first place at Pwn2Own in 2012 and 2013.

In 2013, Google held its own hacking contest at CanSecWest, which allowed all competitors to attack its Chrome OS. Two teams were successful and each received a check for $60,000. But what happened next was legendary.

At Pwn2Own, Vupen analyzed Chrome exclusively and found more fatal defects in the OS. But Vupen rejected Google's cash reward, and rejected multiple requests for technical or patch development assistance. No matter how intimidating Google was, Bekrar refused to compromise, insisting that what he and his team had done would bring more value to Vupen's customers (and, of course, to Vupen).

When Vupen won again this year, they suddenly became generous, sharing all the 0-day vulnerabilities with the relevant companies to help them fix the problems.

Services on the Vupen protection menu

Vupen continues to market protection solutions to customers through its Threat Protection Program (TPP). Customers are mainly government agencies and companies, and must strictly abide by a confidentiality agreement with Vupen.

TPP customers can choose basic, enhanced or integrated services by paying a six-figure dollar sum each year. But that is just the entrance fee, which only buys the right to choose from the menu. Any 0-day vulnerability used to hack into Apple, Google, Android or other popular software can cost several times more than the annual subscription fee.

Why are companies willing to pay? Vupen usually discloses 0-day vulnerabilities 6-9 months ahead of others. Sony suffered an intrusion, possibly from North Korea, in November 2014. The attacker controlled all devices and network links in the Hollywood studio for up to a week. What would have happened if Sony had paid Vupen? With the ability to detect vulnerabilities in any system, Vupen is more like an umbrella for corporate and government customers.

Attack supremacy

Vupen also markets vulnerabilities to law enforcement and government agencies, and provides exclusive exploit code developed by Vupen's internal vulnerability research team. Like the tools from FinFisher, Hacking Team, NICE in Israel, Oxygen Software in Russia, Stratign in Dubai, Talea in Switzerland, and others, Vupen's exploit code allows users to control target devices, monitor keyboard operations, intercept messages, view all downloads, turn on cameras and audio, or even alter communications.

The biggest difference: given how many times it has demonstrated this at Pwn2Own, it is easy for Vupen to break into iOS, but not for other malware makers. For example, FinFisher is a bit clumsy on iOS, and can only break into jailbroken iPhones and iPads.

As with the protection scheme, buyers can learn about the available attack vulnerabilities through an annual subscription. Here too, the annual subscription is just the beginning. Government and law enforcement agencies pay extra for each exploit. The NSA is also one of the satisfied customers.

Vupen is indestructible

When the terms "malware", "intrusion", "DPI" or "man-in-the-middle attack" are mentioned in public, most makers of intrusion products run for cover.

To escape criticism, Gamma Group International said it had divested FinFisher from Germany (it now denies any connection).

The situation is particularly severe in France, where Amesys has been under court investigation for allegedly providing Gaddafi with a Glint Eagle deep packet inspection solution for internal review and monitoring in Libya. Qosmos, a French deep packet inspection giant, is under the same scrutiny, suspected of working with Utimaco in Germany and spa in Italy to provide monitoring solutions to Syria. However, the parties claimed that the deal had broken down before anything was delivered to Syria. Qosmos later denied knowing the monitoring intent of the project. Qosmos sells ixEngine to users all over the world, including Protei, Russia's largest supplier of SORM-compatible equipment, and points out that all of its agreements stipulate that ixEngine shall not be used for monitoring purposes. Please refer to this announcement for details on the use of deep packet inspection in network management, targeted marketing and monitoring.

In France, technology companies and monitoring companies all feel pressure from the government on this issue. Even among peers, Aqsacom in France, if asked, would deny any connection with deep packet inspection or malware.

How did Vupen avoid public criticism? On the one hand, the company is very open about its business; on the other hand, Vupen only works with the law enforcement agencies, governments and defense ministries of NATO, Australia, Singapore, the United States, and ASEAN member countries or partners. Vupen will not sell to countries under EU, United States or United Nations restrictions.

In short: Vupen is smart enough!

[Source of information: insidersurveillance. The content has been abridged, and the original meaning has been kept as far as possible.]