Google has long used bug bounties to help it uncover security flaws in its products before they appear in attacks. It’s also been among the most generous with the payouts for those bugs, but its latest revision of the Android Security Rewards Program is taking things to a whole new level. Security researchers who find a flaw in the company’s Titan M security chip could net themselves as much as $1 million.
The Titan M security chip debuted in the Pixel 3 about a year ago, but it wasn’t an entirely new design. Before the mobile Titan chip, Google designed a similar chip for its servers. In both cases, the use case is similar — Titan is a low-power microcontroller that cryptographically verifies important system components and keeps your most sensitive data separate from the main operating system.
The Titan M is a smaller version of the server chip (see above) that maintains the integrity of a Pixel phone’s software. The idea of having a hardware-based secure element isn’t new. ARM chips have a component called TrustZone that is separate from the main OS and Apple has a secure enclave on its A-series chips. Google’s Titan M is a completely separate hardware component that isn’t even connected to the SoC, theoretically offering even more security. Google has gone so far as to make the Titan M the key to your Google account, provided you configure 2-factor authentication to ping your phone.
That all falls apart if the Titan M isn’t sufficiently hardened from attack, so Google is offering big bucks for exploits. To get the maximum payout, a researcher has to provide a “full chain remote code execution exploit with persistence.” That means a method of breaching the Titan M’s security without physical access to the phone in a way that gives the attacker permanent access. In other words, the worst-case scenario. That would earn $1 million off the bat, and there’s an extra 50 percent bonus for finding an active exploit in specific developer preview versions of Android. So, that could be a $1.5 million payday.
It’s unlikely anyone is going to discover such a vulnerability in the chip (the company has paid out $1.5 million total this year), but Google wants to make sure it’s offering enough to encourage developers to come forward. Private security firms are also offering big bucks for exploits, and researchers selling to them would mean the bug won’t get fixed until something disastrous happens.
- Samsung, Pixel Users No Longer at Risk for Android Camera App Hijacking
- iOS 13.2 Effectively Breaks Multi-Tasking, Kills Background Tasks
- Google Says Project Treble Has Massively Accelerated Android Updates