Google Will Award $1M-Plus to People Who Can Hack Titan M Security Chip
The company expanded its Android bug bounty program as one of several recent moves to ramp up mobile security.
Google is willing to award up to $1.5 million to hackers who can successfully hack its Titan M security chip on the company’s Pixel devices as part of an expansion of its Android bug-bounty program unveiled this week.
The company revealed increased payouts to its Android Security Rewards in a blog post Thursday. Google already has paid out more than $4 million in 1,800 reports to those who’ve identified vulnerabilities on the platform, it said.
The expansion of the program focuses mainly on Google’s own technology rather than the greater ecosystem, with the company offering a significant prize for hackers to test the security of its Titan security chip on forthcoming versions of Android.
“We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” Jessica Lin from the Android Security Team wrote in the post. “Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million.”
Google introduced Titan M in its Pixel 3 smartphone released last year. The chip adds deep, device-level protection to separate the most sensitive data stored on the Pixel from its main processor, which can protect it from certain types of attacks. [...]
In addition to sweetening the deal for white-hat hackers to help it improve Titan M, Google also has expanded bug-bounty rewards in other critical device security areas. These include threats involving data exfiltration and lockscreen bypass, according to the post. Depending on the exploit category, people now can earn up to $500,000 for reporting bugs.
A comprehensive list of the changes is available on the Android Security Rewards Program Rules website.
(Score: 2) by Mojibake Tengu on Monday November 25 2019, @04:36PM (3 children)
Considering total effects and total costs of all necessary resources including equipment, human skills and time, it is not economical to provide such information to Google for that price.
Let the invisible hand of market capitalism decide the correct amount.
Rust programming language offends both my Intelligence and my Spirit.
(Score: 2) by takyon on Monday November 25 2019, @08:57PM (2 children)
White hats will do it for clout and less money than it might be worth on the black market.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by barbara hudson on Monday November 25 2019, @11:33PM (1 child)
SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
(Score: 2) by takyon on Tuesday November 26 2019, @12:01AM
Those aren't white hats. Human shats maybe.
There is a bit of a malicious incentive for governments to surveil and kill independent security researchers who would responsibly disclose valuable vulnerabilities...
(Score: 2) by Runaway1956 on Monday November 25 2019, @05:30PM (1 child)
Too many third party actors between Google's repositories, and the end user, are enabled to insert their own apps, scripts, snoopy spy programs, tracking, and surveillance into the devices. Most of that could be cured by ensuring that the end user can gain root privileges, without jumping through too many hoops.
I'll bet a relatively simple app in the app store could fix most of it. Download and install the "gimmeroot" app. Fire it up, and it lists all the programs and applications installed. "Do you want to keep the "TelcoSurveillance" app?" When you answer "no" the "gimmeroot" app purges the telco's special little surveillance app. Ditto with "masterChinasurveillance" app, and the "googleridersnooper" app, etc ad nauseam. All purged, the end user can start over, installing his/her apps of choice.
Someone mentioned in another discussion that getting a phone to work required attaching it to a Google account. I played with one of those feature phones that required the same. My solution was to create an all new account with Google, and NOT to associate that account with existing accounts in any way. That's a sucky solution - but the phone just wouldn't work until it was connected to Google. All that crap needs to be purged from Android phones.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2) by Mojibake Tengu on Monday November 25 2019, @06:35PM
Biggest bug in Android is Google. You just forgot Google itself is a corporate faction of CIA, spawned by In-Q-Tel. They have interests, technical interests. Having a clean, impenetrable system crosses those interests. So they want only controllable vulnerabilities they own exclusively.
But, their major problem is infoleaks and independent discoveries. This is why they are willing to nibble small money to interfere with those flows of information.
All those insolent aggressive applications in store are quite instrumental, even third party ones provide some plausibility cover bushes for their own backdooring mechanisms.
Nothing will ever change for users who can't code for themselves. They cannot own their data since they do not own their programs. And it starts with a core operating system of course.
(Score: 0) by Anonymous Coward on Monday November 25 2019, @07:44PM
Install Windows 10 on it. Hacked.
Where's my $1,000,000.00 check?