The role of hackers in the field of cyber security stands on a wide and varied spectrum: from white hat hackers with noble goals to malicious and dangerous black hat hackers. “Grey hat hacking” stands somewhere in the middle, blurring the lines between both sides. But what is grey hat hacking, exactly, and what are the ethical issues and implications of this morally ambiguous practice in IT security? Below, we’ll discuss the crucial question of the motivations and actions of grey hat hackers.
What Is Grey Hat Hacking?
What is a grey hat hacker, and how does one differ from the other types of hackers? Hacking is commonly divided into three main types, classified according to the hacker's intentions and practices:
- White hat hacking (also known as ethical hacking) involves IT security experts who use their skills and techniques with good intentions. They have the full consent of their “targets” and work with organizations that want to strengthen their IT security. By probing systems and networks for vulnerabilities, white hat hacking helps identify and resolve potential issues before they can be exploited by hackers with nefarious intentions.
- Black hat hacking involves malicious hackers who do not have the consent of their targets. They often have self-serving financial or reputational motivations and sometimes also work for a political cause or government. Black hat hacking involves cyber attacks such as breaching IT environments, stealing confidential information, and installing ransomware.
- Grey hat hacking is so named because it occupies a morally “grey” area between white hat and black hat hacking. Unlike white hat hackers, grey hat hackers typically don’t ask for explicit authorization from the affected parties. However, grey hat hackers also lack the bad intentions of black hat hackers. Instead, grey hat hacking is motivated by passion, curiosity, or the desire to improve cyber security.
What Types of Activities Do Grey Hat Hackers Engage In?
On a spectrum, grey hat hackers range from those with altruistic motivations to those who engage in borderline or highly questionable activities. Some of the common practices in grey hat hacking include:
- Security testing: Grey hat hackers may run penetration testing and other security tests on publicly available IT environments or systems, identifying vulnerabilities and weaknesses. However, unlike white hat hackers, grey hat hackers operate without the consent of their targets. For example, network scanning and probing activities to locate open ports can be seen as intrusive and unwelcome, even if they are done for research purposes.
- Public disclosure: Grey hat hackers may go public with their discoveries rather than contacting their targets directly. While this can help raise awareness of the issue and create pressure to fix it, it also opens the door to exploitation by malicious actors. A famous grey hat hacker example in this context is Khalil Shreateh, a security researcher who discovered a way for Facebook users to post a link on any other user’s page (Warren, 2017). After the company failed to take Shreateh’s report seriously, he used the vulnerability to post on the Facebook page of CEO Mark Zuckerberg.
- Dual intentions: Some grey hat hackers are classified as such because they have a mix of ethical and unethical intentions, depending on the situation. For example, they may report some vulnerabilities they discover promptly while keeping others secret to exploit them for personal gain. One notable figure is Marcus Hutchins, a security researcher who helped stop the devastating WannaCry ransomware attack (Greenberg, 2020). Despite this noble action, Hutchins had also previously worked on developing the Kronos strain of ransomware, which led to his arrest by the FBI.
- Vigilante actions: Grey hat hackers may take the law into their own hands, trying to expose or take revenge on individuals or organizations they perceive as wrongdoers or malicious actors. This can involve actions such as “hacking the hackers” in retaliation, which is illegal and can escalate tensions.
What Are the Ethical Dilemmas of Grey Hat Hacking?
Because it straddles the boundaries of both extremes, grey hat hacking can present a number of ethical dilemmas. These include:
- Lack of permission: Grey hat hackers engage in hacking activities without acquiring permission from their targets beforehand. This raises the question: is it ever acceptable to probe systems for vulnerabilities without authorization, even if the person’s intentions are good?
- Responsible disclosure: Grey hat hackers may not always follow best practices for vulnerability disclosure (HackerOne, 2021). For example, they may release their discoveries to the public before informing the affected organization. As a result, users and systems may be exposed to attacks until the vulnerability is patched.
- Harm to innocent parties: Grey hat hackers may cause harm to innocent people or organizations that get caught in the crossfire. This is especially likely with retaliatory actions, vigilante justice, and public disclosure of security vulnerabilities.
- Accountability and transparency: Many grey hat hackers operate anonymously or pseudonymously, often to avoid legal consequences or criminal charges. However, this makes it more difficult to hold these individuals accountable for their actions and to have transparency about their motivations.
What Are the Implications of Grey Hat Hacking?
Grey hat hacking is a complicated practice with positive and negative implications for cyber security. The positive implications of grey hat hacking include:
- Security improvements: Grey hat hackers may uncover previously unknown security flaws in an IT system or network. When they responsibly disclose these weaknesses, it allows organizations to fix the issue and bolster their security posture.
- Public awareness: Grey hat hackers may raise awareness of cyber security issues by highlighting unpatched vulnerabilities. High-profile disclosures can also motivate organizations to act swiftly in addressing the vulnerability and to take security more seriously.
On the other hand, the negative implications of grey hat hacking include:
- Legal consequences: Even with good intentions, grey hat hackers may face legal consequences for engaging in unauthorized hacking activities. They can create tension with law enforcement agencies and governments, leading to disagreements about the morality of their actions.
- Trust and reputation: The actions of grey hat hackers can erode trust in security researchers. By probing for weaknesses and publicly disclosing vulnerabilities without permission, grey hat hackers can make organizations more reluctant to work with them despite their advanced knowledge.
Become an Ethical Hacker with EC-Council’s C|EH Program
While grey hat hackers can play a crucial role in improving cyber security, their tendency to sidestep ethical boundaries often puts them on the wrong side of the law. For this reason, individuals interested in a hacking career should consider ethical hacking (or “white hat hacking”) instead.
If you want to get started, obtaining an ethical hacking certification is the ideal way to demonstrate that you have the right knowledge and experience for success. EC-Council’s Certified Ethical Hacker (C|EH) program teaches students everything they need to know about ethical hacking, working with organizations to strengthen cyber security and guard against attack.
The C|EH course is an intensive five-day training course with 20 modules that thoroughly cover topics in ethical hacking. Students have the opportunity to practice their skills with more than 220 hands-on practical lab exercises and over 3,500 hacking tools, learning how to attack Windows, Linux, and Android operating systems.
References

Greenberg, A. (2020, May 12). The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet. WIRED. https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/

HackerOne. (2021, October 28). Vulnerability Disclosure | What’s the Responsible Solution? HackerOne. https://www.hackerone.com/vulnerability-disclosure/vulnerability-disclosure-whats-responsible-solution

Warren, T. (2017, December 15). LinkedIn ignored security flaw from researcher who hacked Zuckerberg’s Facebook wall. The Verge. https://www.theverge.com/2017/12/15/16776176/linkedin-security-flaw-security-khalil-shreateh
David Tidmarsh is a programmer and writer. He’s worked as a software developer at MIT, has a B.A. in history from Yale, and is currently a graduate student in computer science at UT Austin.