Google will pay $1.5 million for the most severe Android exploits

23/11/2019


Google will pay up to $1.5 million for the most severe hacks of its Pixel line of Android phones, a more than seven-fold increase over the previous top Android reward, the company said.

Effective immediately, Google will pay $1 million for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” the company said in a post published on Thursday. The company will also pay $500,000 for exploits that exfiltrate data out of a Pixel or bypass its lock screen.

Google will offer a 50 percent bonus to any of its rewards if the exploit works on specific developer preview versions of Android. That means a critical Titan M hack on a developer preview could fetch $1.5 million, and a data exfiltration or lock screen bypass on a developer preview could earn $750,000, and so on. Previously, rewards for the most severe Android exploits topped out at $200,000 if they involved the trusted execution environment—an independent OS within Android for handling payments, multi-factor authentication, and other sensitive functions—and $150,000 if they involved compromise only on the Android kernel.

Putting Titan M to the test

The big reward bump coincides with the investments Google has poured into securing the Pixel. The Titan M is a Google-designed chip that’s physically segregated from the main chipset of the device. In many respects, it’s analogous to the Secure Enclave in iPhones or the TrustZone in devices running an Arm processor. The Titan M is a mobile version of the Titan chip Google introduced in 2017.

The Titan M carries out four core functions, including:

  • Storing the last known safe version of Android to ensure hackers can’t cause the bootloader—which is the program that validates and loads Android when the phone turns on—to call a malicious or out-of-date version
  • Verifying the lock screen passcode or pattern, limiting the number of unsuccessful login attempts that can be made, and securing the device’s disk encryption key
  • Storing private keys and securing sensitive operations of third-party apps, such as those used to make payments
  • Preventing changes to the firmware unless a passcode or pattern is entered

Titan M was first introduced in 2018 with the rollout of the Pixel 3. It’s also in the recently released Pixel 3a, and will also be included in the just-released Pixel 4. Pixel 2 models relied on a less robust dedicated tamper-resistant hardware security module. In-the-wild exploits disclosed last month were able to remotely execute malicious code on an array of Android phones, including the Pixel 1, Pixel 1 XL, Pixel 2, and Pixel 2 XL, but not the Pixel 3. The Titan M wasn’t responsible for stopping that attack, however. Instead, the reason was that the Pixel 3 and 3a received Linux patches that the vulnerable Pixels had not.

In the four years since the Android Security Rewards Program was introduced, it has paid out more than $4 million from more than 1,800 reports. More than $1.5 million of that came in the past 12 months. The top reward this year was $161,337, which was paid to Guang Gong of Qihoo 360 Technology’s Alpha Lab for a one-click remote code execution exploit chain on a Pixel 3. (Gong’s exploit received an additional $40,000 from the Chrome Rewards Program.)

The new rewards come almost three months after third-party exploit broker Zerodium started paying $2.5 million for zero-day attacks compromising Android, a 25-percent premium over comparable exploits for iOS. As tempting as it is to contrast Zerodium’s top Android payouts to those from Google, don’t. The talent and amount of work required to develop a weaponized exploit for Zerodium are considerably higher than what Google demands, making for an apples-to-oranges comparison.

Update: Security researcher Saleem Rashid makes a good case why Google’s bump in rewards is significant, and in some important ways beats out prices paid by Zerodium:

i think we’re in the midst of an iOS/Android security paradigm shift https://t.co/N7UXaDHEc2

— Saleem Rashid (@saleemrash1d) November 21, 2019

for context: Zerodium will only pay $100,000 for a lockscreen bypass on either iOS or Android.

Google are offering up to 7.5(!) times as much pic.twitter.com/38S6h1QO2K

— Saleem Rashid (@saleemrash1d) November 21, 2019
