The US National Security Agency has obtained services from French zero-day seller Vupen, US freedom of information documents reveal.
Documents published by public records site MuckRock show the NSA bought a year-long Vupen subscription that ended earlier this month for a “binary analysis and exploits service”.
The value of the deal was redacted; however, the NSA had spent more than $25 million on exploit purchases this year, according to The Washington Post.
While the disclosure comes on the coattails of more alarming news of the NSA potentially undermining encryption protocols and strong-arming technology vendors into opening backdoors into their products and services, the contract appeared standard business for Vupen.
The French hacker outfit has regularly publicly disclosed that it sold exploits to government agencies and has been unapologetic for the practice.
Vupen, in addressing privacy and security concerns that come from selling security exploits, says it sold services only to democracies, such as the Five Eyes group of nations that included Australia, and that it had heeded international regulations.
However, it remained unclear why the NSA had purchased the services.
Chief Chaouki Bekrar told SC US some customers used the services for defensive purposes.
"Many of these agencies work with various local and foreign exploit providers to get the largest coverage and protection possible against software and hardware vulnerabilities."
Privacy advocate Chris Soghoian said on Twitter the services could offer a means of deniability for the agency's operations.
"There are times when US special forces use AK47s, even though they have superior guns available. Same for NSA's VUPEN purchase. Deniability," Soghoian said.
Earlier this month, documents from Edward Snowden revealed the NSA had obtained backdoors into vendor encryption software by either demanding access or simply stealing keys.