Google Will Award $1M-Plus to People Who Can Hack Titan M Security Chip

The company expanded its Android bug bounty program as one of several recent moves to ramp up mobile security.

Google is willing to award up to $1.5 million to hackers who can successfully compromise the Titan M security chip on the company’s Pixel devices, as part of an expansion of its Android bug-bounty program unveiled this week.

The company revealed increased payouts for its Android Security Rewards program in a blog post Thursday. Google already has paid out more than $4 million for 1,800 reports to those who’ve identified vulnerabilities on the platform, it said.

The expansion of the program focuses mainly on Google’s own technology rather than the greater ecosystem, with the company offering a significant prize for hackers to test the security of its Titan security chip on forthcoming versions of Android.

“We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” Jessica Lin from the Android Security Team wrote in the post. “Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million.”

Google introduced Titan M in its Pixel 3 smartphone released last year. The chip adds deep, device-level protection to separate the most sensitive data stored on the Pixel from its main processor, which can protect that data from certain types of attacks.

Google also integrated Titan M in its Android security-key technology, releasing the Titan Security Key in August 2018. The technology is a USB dongle that offers an added layer of security features for Google accounts, such as two-factor authentication and protections from phishing attacks.

In addition to sweetening the deal for white-hat hackers to help it improve Titan M, Google also has expanded bug-bounty rewards in other critical device security areas. These include threats involving data exfiltration and lockscreen bypass, according to the post. Depending on the exploit category, people now can earn up to $500,000 for reporting bugs.

A comprehensive list of the changes is available on the Android Security Rewards Program Rules website.

Google created the Android bug bounty program in 2015 as part of its mobile security efforts, which the company has been ramping up recently as it continues to struggle to get a handle on Android mobile device and application security.

Earlier this month, Google unveiled an alliance with three endpoint security companies to help prevent the spread of malware on the ecosystem of Android mobile devices. That move came after years of unsuccessfully battling malware and bad apps in the Google Play store and on more than 2.5 billion Android devices.

The Titan Security Key itself was even a victim of Google’s persistent security woes. In May the company recalled Bluetooth versions of the device after finding a vulnerability that allowed attackers in close proximity to take control of the device.
