EFFECTIVE IMMEDIATELY –
Big bump coincides with investments Google has poured into securing its Pixel phone.
Google will pay up to $ 1.5 million for the most severe hacks of its Pixel line of Android phones, a more than seven-fold increase over the previous top Android reward, the company said.
Effective immediately, Google will pay $ 1 million for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices, ”the company said in apost published on Thursday. The company will also pay $ 500, 00 0 for exploits that exfiltrate data out of a Pixel or bypass its lock screen.
Google will offer a 50 percent bonus to any of its rewards if the exploit works on specific developer preview versions of Android. That means a critical Titan M hack on a developer preview could fetch $ 1.5 million, and a data exfiltration or lockcscreen bypass on a developer preview could earn $ 750, 00 0, and so on. Previously, rewards for the most severe Android exploits topped out at $ 200, 00 0 if they involved thetrusted execution environment– an independent OS within Android for handling payments, multi-factor authentication, and other sensitive functions — and $ 150, 00 0 if they involved compromise only on the Android kernel.
Putting Titan M to the test
The big reward bump coincides with the investments Google has poured into securing the Pixel. TheTitan Mis a Google- designed chip that’s physically segregated from the main chipset of the device. In many respects, it’s analogous to theSecure Enclavein iPhones or theTrustZonein devices running an Arm processor. The Titan M is a mobile version of theTitan chipGoogle introduced in 2017.
The Titan M carries out four core functions, including:
- Storing the last known safe version of Android to ensure hackers can’t cause the bootloader — which is the program that validates and loads Android when the phone turns on — to call a malicious or out-of-date version
- Verifying the lock screen passcode or pattern, limiting the number of unsuccessful login attempts that can be made, and securing the device’s disk encryption key
- Storing private keys and securing sensitive operations of third-party apps, such as those used to make payments
- Preventing changes to the firmware unless a passcode or pattern is entered
Titan M was first introduced in 2018 with the roll out of the Pixel 3. It’s also in the recently released Pixel 3a, and will also be included in the soon-to-be- available Pixel 4. Pixel 2 models relied on a less robustdedicated tamper-resistant hardware security module. In-the-wild exploitsdisclosed last monthwere able to remotely execute malicious code on an array of Android phones, including the Pixel 1, Pixel 1 XL, Pixel 2, and Pixel 2 XL, but not the Pixel 3. The Titan M wasn’t responsible for stopping that attack, however. Instead, the reason was that the Pixel 3 and 3a received Linux patches that the vulnerable Pixels had not.
In the four years since theAndroid Security Rewards Programwas introduced, it has paid out more than $ 4 million from more than 1, 800 reports. More than $ 1.5 million of that came in the past 12 months. The top reward this year was $ 161, 337, which was paid toGuang Gongof Qihoo 360 Technology’s Alpha Lab for a one-click remote code execution exploit chain on a Pixel 3. (Gong’s exploit received an additional $ 40, 00 0 from the Chrome Rewards Program.)
The new rewards come almost three months after third-party exploit broker Zerodium startedpaying $ 2.5 million for zero-day attacks compromising Android, a 25 – percent premium over comparable exploits for iOS. As tempting as it is to contrast the Zerodium’s top Android payouts to those from Google, don’t. The talent and amount of work required to develop a weaponized exploit for Zerodium are considerably higher than what Google demands, making for an apples-to-oranges comparison.