Google pays $1.5 million for the most serious Android exploits
Google will pay up to $1.5 million for the most serious hacks of its Pixel line of Android phones, a more than seven-fold increase over the previous top Android reward, the company said.
Google will now pay $1 million for a "full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices," the company said in a post published Thursday. The company will also pay $500,000 for exploits that exfiltrate data from a Pixel or bypass the lock screen.
Google is offering a 50 percent bonus on all of its rewards if the exploit works on specific developer preview versions of Android. That means a critical Titan M hack on a developer preview could bring $1.5 million, a data exfiltration or lockscreen bypass on a developer preview could earn $750,000, and so on. Previously, rewards for the most serious Android exploits topped out at $200,000 if they involved the trusted execution environment – an independent operating system within Android that handles payments, multi-factor authentication and other sensitive functions – and $150,000 if they compromised only the Android kernel.
Put Titan M to the test
The big reward threshold coincides with the investments Google has made to secure the Pixel. The Titan M is a chip designed by Google that is physically separated from the device's main chipset. In many ways it is analogous to the Secure Enclave in iPhones or TrustZone on devices with an Arm processor. The Titan M is a mobile version of the Titan chip that Google introduced in 2017.
The Titan M performs four core functions:
- Storing the last known safe version of Android, to ensure that hackers cannot cause the bootloader (the program that validates and loads Android when the phone is switched on) to load a malicious or outdated version
- Verifying the lock screen passcode or pattern, limiting the number of failed login attempts, and protecting the device's disk encryption key
- Storing private keys and protecting sensitive transactions of third-party apps, such as apps used to make payments
- Preventing changes to the firmware unless a passcode or pattern is entered
Titan M was first introduced in 2018 with the roll-out of the Pixel 3. It is also included in the Pixel 3a and in the recently released Pixel 4. Pixel 2 models relied on a less robust dedicated tamper-resistant hardware security module. Exploits in the wild disclosed last month could remotely execute malicious code on a range of Android phones, including the Pixel 1, Pixel 1 XL, Pixel 2 and Pixel 2 XL, but not the Pixel 3. The Titan M, however, was not responsible for stopping that attack. Instead, the reason was that the Pixel 3 and 3a had received Linux patches that the vulnerable Pixels did not have.
In the four years since the Android Security Rewards program was introduced, it has paid out more than $4 million across more than 1,800 reports. More than $1.5 million of that came in the last 12 months. The highest reward this year was $161,337, paid to Guang Gong of Alpha Lab at Qihoo 360 Technology for a one-click remote code execution exploit chain on a Pixel 3. (Gong's exploit earned an additional $40,000 from the Chrome Rewards program.)
The new rewards come nearly three months after exploit broker Zerodium began paying $2.5 million for zero-day attacks that compromise Android, a 25 percent premium over comparable exploits for iOS. However tempting it is to compare the top Android payouts from Zerodium with those from Google, don't. The talent and amount of work required to develop a weaponized exploit for Zerodium is considerably higher than what Google requires, which makes it an apples-and-oranges comparison.
Update: Security researcher Saleem Rashid makes a good case that Google's reward is significant and in some important respects exceeds the prices Zerodium has paid:
I think we’re in the middle of a shift in the iOS / Android security paradigm https://t.co/N7UXaDHEc2
– Saleem Rashid (@saleemrash1d) November 21, 2019
for context: Zerodium only pays $ 100,000 for a bypass on a lock screen on iOS or Android.
Google offers up to 7.5 (!) times as much pic.twitter.com/38S6h1QO2K
– Saleem Rashid (@saleemrash1d) November 21, 2019