Become a Millionaire by Finding Bugs! Google Throws Challenge for Pixel Titan M Exploit

  • Bounty hunters need to look for a full chain remote code execution exploit with persistence, which compromises Titan M on Pixel devices.
  • Google payouts totaled over $1.5 million during the last year.

Google’s android bounty program reward has just shot up. If anyone manages to exploit its Titan M chip on Pixel devices, the company will reward up to over a million to the individual. To be a winner, one has to look for a full chain remote code execution exploit with persistence, which compromises Titan M.

New updates in Google’s bounty program

The bounty program was created in 2015 and until now, it has paid out over $4 million for more than 1,800 vulnerabilities reported since. The single highest reward, however, was over $200,000 in the current year. Google payouts totaled over $1.5 million during the last year.

In the recent announcement, Google declared that it will now offer significantly higher rewards through its Android Security Rewards program.

  • Top reward will be up to $1 million for a Pixel Titan M exploit with full chain remote code execution and persistence on the device.
  • There will also be a 50 percent bonus if the exploit chain works on developer preview versions of Android.
  • Further, white hat hackers can now earn up to $500,000 in several other categories such as for exfiltrating data secured by Titan M chip and $100,000 for lock screen bypass techniques.

Other (competitive) bounty reward programs

Zerodium, a leading exploit acquisition platform that claims to provide its services mainly to government organizations, is currently offering up to $2.5 million for an Android exploit chain with persistence and requires no clicks. It pays up to $2 million for an iOS exploit chain that requires one click and offers persistence on the device and $1 Million for chat app exploits affecting WhatsApp, iMessage, or SMS/MMS applications.

Why Titan M is going to be a challenge?

Titan M, a custom-built security chip for Pixel 3, cordons off smartphone’s most sensitive data from its main processor in order to protect it against certain attacks.

  • Titan M helps the bootloader—a piece of code that runs before any operating system runs (Android in this case)—ensure the right version of Android on the phone.
  • It does it by saving the last known safe Android version while preventing bad actors from driving the device back to an older, which could be a potentially vulnerable version of Android.
  • Attacker cannot unlock the bootloader with Titan M in place.
  • It also verifies the lock screen passcode.
  • It is built with insider attack resistance to prevent tampering.

Casey Ellis, founder and CTO of Bugcrowd, said Google's bounty has risen because "the skills needed to find these types of vulnerabilities in Google devices are rare and often tied up in the offensive market." "By upping the incentive to hackers, Google is making bug hunting for them more attractive, especially to those that might teeter the line between whitehat and blackhat," Ellise told Silicon Angle.