US Navy trying to buy Zero-days of Microsoft, Adobe, Android, IBM, Apple etc., EFF catches it red-handed
Cyber criminals being on the lookout for zero-days is nothing new. Even government snooping agencies like the NSA and GCHQ from time to time indulge in buying zero-days from hackers to exploit the vulnerabilities in the software and place backdoors. But this is the first time that the US Navy has been spotted trying to buy zero-days in multiple well-known software products.
The Electronic Frontier Foundation (EFF) has spotted the US Navy publicly soliciting people to sell security vulnerabilities in well-known software. It seems that the US Navy, like the NSA, was also buying zero-days to build backdoors into the software.
The offer to buy zero-days was listed on the government website FedBizOpps and was deleted shortly after being highlighted by the EFF. On the website, the US Navy detailed why it needed the zero-days. It says, “the US government needs to have access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software”.
EFF preserved the post, which mentions that the US Navy wanted to buy zero-days in various software packages belonging to Microsoft, Adobe, Android, IBM, Apple, EMC, Cisco, Linksys, Linux and Java. The PDF grab is given below:
All of the above tech companies manufacture products which are used by billions of users daily. From the bucket list of the US Navy, it is apparent that it is trying to create backdoors in as many software packages as possible.
“What’s more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities,” the EFF writes in a blog post.
“As we’ve explained before, the decision to use a vulnerability for ‘offensive’ purposes rather than disclosing it to the developer is one that prioritises surveillance over the security of millions of users. To its credit, the government has acknowledged that this decision is an extraordinarily important one in every case.
“The Navy tried to send this particular solicitation down the memory hole, but we’re hopeful that through our FOIA suit, we can shed more light on the conflict between the government’s public statements and its apparent practices surrounding its stockpiling of zero-days.”
In the same blog post, EFF said that it was in the process of suing the US government over the Vulnerabilities Equities Process (VEP). The blog goes on to say,
What’s more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities. As we’ve explained before, the decision to use a vulnerability for “offensive” purposes rather than disclosing it to the developer is one that prioritizes surveillance over the security of millions of users. To its credit, the government has acknowledged that this decision is an extraordinarily important one in every case. It has even reportedly “established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure,” which it calls the Vulnerabilities Equities Process (VEP). The government says the VEP is entirely classified, and EFF is suing to get it released.