Google will pay $1.5 million for the most severe Android exploits

23/11/2019

Google will pay up to $1.5 million for the most severe hacks of its Pixel line of Android phones, a more than seven-fold increase over the previous top Android reward, the company said.

Effective immediately, Google will pay $1 million for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” the company said in a post published on Thursday. The company will also pay $500,000 for exploits that exfiltrate data out of a Pixel or bypass its lock screen.

Google will offer a 50 percent bonus to any of its rewards if the exploit works on specific developer preview versions of Android. That means a critical Titan M hack on a developer preview could fetch $1.5 million, and a data exfiltration or lock screen bypass on a developer preview could earn $750,000, and so on. Previously, rewards for the most severe Android exploits topped out at $200,000 if they involved the trusted execution environment—an independent OS within Android for handling payments, multi-factor authentication, and other sensitive functions—and $150,000 if they involved compromise only on the Android kernel.

Putting Titan M to the test

The big reward bump coincides with the investments Google has poured into securing the Pixel. The Titan M is a Google-designed chip that’s physically segregated from the main chipset of the device. In many respects, it’s analogous to the Secure Enclave in iPhones or the TrustZone in devices running an Arm processor. The Titan M is a mobile version of the Titan chip Google introduced in 2017.

The Titan M carries out four core functions, including:

  • Storing the last known safe version of Android to ensure hackers can’t cause the bootloader—which is the program that validates and loads Android when the phone turns on—to call a malicious or out-of-date version
  • Verifying the lock screen passcode or pattern, limiting the number of unsuccessful login attempts that can be made, and securing the device’s disk encryption key
  • Storing private keys and securing sensitive operations of third-party apps, such as those used to make payments
  • Preventing changes to the firmware unless a passcode or pattern is entered

Titan M was first introduced in 2018 with the rollout of the Pixel 3. It’s also in the recently released Pixel 3a, and will also be included in the just-released Pixel 4. Pixel 2 models relied on a less robust dedicated tamper-resistant hardware security module. In-the-wild exploits disclosed last month were able to remotely execute malicious code on an array of Android phones, including the Pixel 1, Pixel 1 XL, Pixel 2, and Pixel 2 XL, but not the Pixel 3. The Titan M wasn’t responsible for stopping that attack, however. Instead, the reason was that the Pixel 3 and 3a received Linux patches that the vulnerable Pixels had not.

In the four years since the Android Security Rewards Program was introduced, it has paid out more than $4 million from more than 1,800 reports. More than $1.5 million of that came in the past 12 months. The top reward this year was $161,337, which was paid to Guang Gong of Qihoo 360 Technology’s Alpha Lab for a one-click remote code execution exploit chain on a Pixel 3. (Gong’s exploit received an additional $40,000 from the Chrome Rewards Program.)

The new rewards come almost three months after third-party exploit broker Zerodium started paying $2.5 million for zero-day attacks compromising Android, a 25-percent premium over comparable exploits for iOS. As tempting as it is to contrast Zerodium’s top Android payouts to those from Google, don’t. The talent and amount of work required to develop a weaponized exploit for Zerodium are considerably higher than what Google demands, making for an apples-to-oranges comparison.

Update: Security researcher Saleem Rashid makes a good case why Google’s bump in rewards is significant, and in some important ways beats out prices paid by Zerodium:

i think we’re in the midst of an iOS/Android security paradigm shift https://t.co/N7UXaDHEc2

— Saleem Rashid (@saleemrash1d) November 21, 2019

for context: Zerodium will only pay $100,000 for a lockscreen bypass on either iOS or Android.

Google are offering up to 7.5(!) times as much pic.twitter.com/38S6h1QO2K

— Saleem Rashid (@saleemrash1d) November 21, 2019
