Google will pay bug hunters up to $1.5m if they can hack its Titan M chip
Google announced last week that it is willing to dish out bug bounty cash rewards of up to $1.5 million if security researchers find and report bugs in the Android operating system that can also compromise its new Titan M security chip.
Launched last year, the Titan M chip is currently part of Google Pixel 3 and Pixel 4 devices. It's a separate chip that's included in both phones and is dedicated solely to processing sensitive data and processes, like Verified Boot, on-device disk encryption, lock screen protections, secure transactions, and more.
Google says that if researchers manage to find "a full chain remote code execution exploit with persistence" that also compromises data protected by Titan M, they are willing to pay up to $1 million to the bug hunter who finds it.
If the exploit chain works against a preview version of the Android OS, the reward can go up to $1.5 million.
Google is willing to give the larger payout for a bug in a preview version because it allows the company to fix a bug before the Android OS is shipped to real-world devices.
The company's move comes after earlier this year, private companies that acquired Android exploits had increased payouts for Android bugs to $2.5 million, making it the first time Android bugs were worth more than iOS exploits on the private market.
At the time, Chaouki Bekrar, CEO of private bug acquisition program Zerodium, told ZDNet that his company had increased payouts because Android devices had become harder to hack due to the constant flow of security features that Google has added to the OS, along with contributions from Samsung.
Today's announcement comes as Google also increased bug bounty payouts across the board for the entire Android Vulnerability Rewards Program (VRP).
Until today, the maximum vulnerability payout was $200,000 for "a remote exploit chain leading to a TrustZone or Verified Boot compromise."
Since the Android VRP's launch in 2015, nobody has earned this top reward, and chances are low that no one will be able to hack Android running on a Titan M chip either.
Remote exploits -- that work without the attacker having physical access to a device -- are hard to create, as most attack vectors such as networking protocols have been plugged. Even if an attacker/researcher finds a remote attack, gaining boot persistence is another major hurdle that nobody has cracked.
"We've seen two complete full-chain RCEs," a Google spokesperson told ZDNet in an interview yesterday when we asked how common are vulnerability reports for remotely exploitable bugs.
"They both came from the same researcher. The majority of exploit chains submitted are local rather than remote," the Google spokesperson said.
The researcher is Guang Gong, of Alpha Lab, Qihoo 360 Technology Co. Ltd. One of these two RCEs exploits chains has also helped Guang net the highest bug reward in 2019.
"This report detailed the first reported 1-click remote code execution exploit chain on the Pixel 3 device," Google said.
"Guang Gong was awarded $161,337 from the Android Security Rewards program and $40,000 by Chrome Rewards program for a total of $201,337," it added.
"The $201,337 combined reward is also the highest reward for a single exploit chain across all Google VRP programs."
But besides introducing a $1.5 million reward for Titan M remote hacks and increasing bug bounties across the board, Google is also adding another bug reporting category.
The OS maker says it's willing to pay up to $500,000 for bug reports involving data exfiltration and lock screen bypasses, depending on the bug's complexity.
Google's willingness to increase bug bounty payouts is certainly rooted in the company's confidence in the fact that Android is secure enough not to fall pray to easy hacks.
Either way, Google has not been shy and has been one of the companies with the largest payouts on the market. Since the Android VRP's launch in 2015, Google said it paid researchers up to $4.5 million, with $1.5 million being paid in the past 12 months alone.
"Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year). On average, this means we paid out over $15,000 (20% increase from last year) per researcher," Google said.
Industry: Cyber Security
- DevSecOpp- Security design / review consultant. SC Clearance. London
CH7838 London £70,000 DevSecOpp- Security design / review consultant. DevSecOpp- Security design / review consultant will ensure that newly created, public facing apps are secure by design and by default by aligning them to current / best practice security policies and standards into the design phases. The individual must have a technical software / application development background with specalist experinece in secure architecture design. (Frameworks, processes, best practice etc) Practical experience translating and ensuring that the OWASP top 10, ISO27001, HMG frameworks requirements are reviewed and embedded into project designs which are implemented is essential. Experience working projects through a full development lifecycle is key. You will work along side the design and project teams to idenitfy and mitigate risks throughout the design phases. This is a permanent role. SC clearance is essential as is the ability to get to the London office. (When appropiate #covid) Security DevSecOps consultant. To arrange a discreet call book via https://calendly.com/chris-holt/devsecopp--security-design-review-consultant
- SPLUNK SOC Analyst level 3, London.
SPLUNK SOC Analyst level 3, Must be able to commute to the City of London. Onsite role. Security clearance needed. The SPLUNK SOC Analyst level 3 must have current experience working within a SOC environment with specific experience using a range of tools and techniques to investigate security incidents. Current experience with Splunk is essential. any additional experience Individuals with Elastic Security SIEM are highly desirable. Any of the following certifications are desirable Splunk Phantom certified admin, Splunk Core Certified Power User / Advanced, Splunk Certified Enterprise Security Admin, etc The role will include, but not be limited to working with sophisticated information security tools, investigating security incidents, incident management, technical escalation, process improvement, research into the latest threats, reporting etc The individual MUST currently be living in the UK and be able to achieve UK security clearance. (SC) This is a permanent role To arrange a call with Chris Holt https://calendly.com/chris-holt/arranged-call-with-chris-holt-elastic-siem-engineer-soc Chris.Holt@dclsearch.com
- ISO 27001 & Business Continuity Security Specialist, End User
- United Kingdom
CH7828 ISO 27001 & Business Continuity Security Specialist, End User, £70,000 United Kingdom ISO 27001 & Business Continuity Security Specialist needed to join a Cyber team within an end user. The ISO 27001 & Business Continuity Security Specialist will have end to end responsibility for the information security and Business Continuity management system. ISMS/BCMS. Both from an information security and technical security perspective working alongside the CISO. Experience must include, but not be limited to; a mix of Information Security standards, frameworks, audit principles, controls / policies and the management and use of the technical tooling to achieve compliance. ISO 22301, ISO 27001, NIST Cybersecurity Framework etc An ideal candidate will be working within an end user environment with a cyber consultancy background. Experience taking a company through accreditation is highly desirable Experience managing internal stakeholders, technical teams and external third parties essential Flexible working, very occasional travel to London office This is an exclusive role to DCL Search & Selection. Looking to interview immediately. https://calendly.com/chris-holt/iso-27001-business-continuity-security-specialis
- PCI- DSS Security Consultant, End User
PCI- DSS Security Consultant needed to join a Cyber team within an end user. The PCI- DSS Security Consultant will have end to end responsibility for PCI - DSS and its continuing certification. Both from an information security and technical security perspective working alongside the CISO. Experience must include, but not be limited to; a mix of Information Security standards, frameworks, audit principles, controls / policies and the management and use of the technical tooling to achieve compliance. PCI objectives / 12 key requirements, OWASP top 10, ISO 27001, NIST Cybersecurity Framework etc An ideal candidate will be working within an end user environment with a cyber consultancy background. PCI Cloud compliance, specifically someone with experience taking PCI-DSS from on premise into the cloud is HIGHLY desired. However, someone with Solid PCI experience with a strong technical background which include Cyber / Secure by design etc would be considered. Experience managing internal stakeholders and external third parties essential. Flexible working, but with the ability to get into London. This is an exclusive role to DCL Search & Selection. 1st stage interviews to happen the week of the 14th September Arrange a call with Chris on https://calendly.com/chris-holt/arrange-a-call-chris-dcl-pci-compliance