'Cash for hacking tools' sparks debate By Chris Fox

Technology reporter Published duration 31 May 2017

image copyright Getty Images

Security researchers are considering buying undetected software security vulnerabilities from a notorious group of hackers.

The Shadow Brokers group has previously leaked exploits allegedly stolen from the US National Security Agency (NSA), and is offering more for sale.

Some researchers want to buy the next batch of hacking tools, and help fix them before cyber-criminals strike.

But critics argue that the Shadow Brokers should not be funded.

Crowd-funding

Security holes in operating systems such as Windows 10, Android and Apple's iOS can give governments and criminals a backdoor in to their targets' devices.

The Shadow Brokers group wants to sell a new batch of such exploits in June, for about $22,000 (£17,000) in virtual currency.

On Tuesday, two security researchers set up a crowd-funding campaign to buy access to the exploits, so that they could be fixed instead.

"We have seen credible threats from the Shadow Brokers," said Matthew Hickey from the cyber-security firm Hacker House, who set up the crowd-funding campaign.

"They have come good on previous promises to release tools, and one of them was involved in the spread of WannaCry ransomware.

"When somebody is releasing tools of that calibre and says they have more to release, I'm sure people would be happy to pay $20,000 to prevent them getting out."

However, the idea has divided the cyber-security community.

'Insane'

"There's a 50-50 split on whether it is a good idea and whether it would encourage Shadow Brokers to continue their activities," Mr Hickey told the BBC.

Others were more outspoken: "Individuals and corps funding criminals is insane," said security researcher Kevin Beaumont

"Here's an idea - [the NSA] should inform all vendors of bugs now since they're being traded on black market," he tweeted.

According to the Washington Post , the NSA informed Microsoft about some of the hacking tools that were stolen.

But Mr Hickey argued more needed to be done.

"If these tools have originated from the NSA, they should make a statement publicly, so that people can actively defend themselves from these threats," he told the BBC.

The Shadow Brokers group has not detailed what buyers would get if they paid the $22,000 bounty, and has offered no guarantee that buyers would be rewarded at all.

"If you caring about loosing $20k+ Euro then not being for you... playing 'the game' is involving risks [sic]," the group said in a blog post.

It is demanding payment in the form of 100 ZEC - a crypto-currency called Zcash that is designed to be untraceable.

Mr Hickey admitted the crowd-funding may be fruitless in the end, but added that he was happy to give people the option.

"If we raise the money and go ahead and buy the tools, it will stop them getting into the hands of criminals," he said.