Google Will Award $1M-Plus to People Who Can Hack Titan M Security Chip

The company expanded its Android bug bounty program as one of several recent moves to ramp up mobile security.

Google is willing to award up to $1.5 million to hackers who can successfully hack its Titan M security chip on the company’s Pixel devices as part of an expansion of its Android bug-bounty program unveiled this week.

The company revealed increased payouts for its Android Security Rewards program in a blog post Thursday. Google has already paid out more than $4 million for 1,800 reports to those who’ve identified vulnerabilities on the platform, it said.

The expansion of the program focuses mainly on Google’s own technology rather than the greater ecosystem, with the company offering a significant prize for hackers to test the security of its Titan security chip on forthcoming versions of Android.

“We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” Jessica Lin from the Android Security Team wrote in the post. “Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million.”

Google introduced Titan M in its Pixel 3 smartphone released last year. The chip adds deep, device-level protection to separate the most sensitive data stored on the Pixel from its main processor, which can protect it from certain types of attacks.

Google also integrated Titan M in its Android security-key technology, releasing the Titan Security Key in August 2018. The technology is a USB dongle that offers an added layer of security features for Google accounts, such as two-factor authentication and protections from phishing attacks.

In addition to sweetening the deal for white-hat hackers to help it improve Titan M, Google also has expanded bug-bounty rewards in other critical device security areas. These include threats involving data exfiltration and lockscreen bypass, according to the post. Depending on the exploit category, people now can earn up to $500,000 for reporting bugs.

A comprehensive list of the changes is available on the Android Security Rewards Program Rules website.

Google created the Android bug bounty program in 2015 as part of its mobile security efforts, which the company has been ramping up recently as it continues to struggle to get a handle on Android mobile device and application security.

Earlier this month, Google unveiled an alliance with three endpoint security companies to help prevent the spread of malware on the ecosystem of Android mobile devices. That move came after years of unsuccessfully battling malware and bad apps in the Google Play store and on more than 2.5 billion Android devices.

The Titan Security Key itself was even a victim of Google’s persistent security woes. In May the company recalled Bluetooth versions of the device after finding a vulnerability that allows attackers in close proximity to take control of the device.


Discussion

  • Jonathan on

    Yes, they will pay it, but it's just a publicity stunt making it look like this so confident that there are no bugs. The truth is this money is actually nothing compared to the advertising it gets them anything will only award for the first bug discovered the probably hundreds. This is a new technology. I guarantee you there'll be more ground zeroes on it than in Windows 95. The problem with a lot of these security technologies is they're implemented to the public at large before they are secure. They get mad when these vulnerabilities are revealed and cost them a fortune. But the actual thinking process here is what's flawed. New technologies are constantly created... so no, it's not actually possible to make anything 100% hack proof. Android is quick to release new buggy technologies before the thing is reliable.
