Google will pay you $1.5 million if you can hack the Titan M security chip on its phones
Are you ready for the hacking challenge? Google announced yesterday that it will pay up to $1.5 million to anyone who can successfully hack the Titan M security chip on its Pixel phones. The announcement is part of Google’s Android bug-bounty program unveiled this week. The $1.5 million offer is for anyone who can show off a unique attack on its Pixel 3 and 4 phones, as long as it allows for persistent access to the device.
“We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” Jessica Lin from the Android Security Team wrote in the post. “Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million.”
The Android Security Rewards (ASR) program was created in 2015 to reward researchers who find and report security issues to help keep the Android ecosystem safe. Over the past 4 years, the program has rewarded over 1,800 reports and paid out over $4 million.
Google borrowed a page from Apple when the tech giant said it would pay researchers who discover a hack that allows for remote control of its smartphones. Similar to Apple’s iPhone Secure Element, Titan M is a security chip that acts as a kind of guardian for device data. It will, for instance, look out for hackers trying to load malware when an Android phone is turned on and will secure app passwords. Anyone hoping to receive the reward will have to break Google’s Titan M “secure element.”
“Security has always been a top priority for Pixel, spanning both the hardware and software of our devices. This includes monthly security updates and yearly OS updates, so Pixel always has the most secure version of Android, as well as Google Play Protect to help safeguard your phone from malware. Last year on Pixel 2, we also included a dedicated tamper-resistant hardware security module to protect your lock screen and strengthen disk encryption,” Google said in a blog post.
The company went on to describe the security in its Pixel 3 phone: “This year, with Pixel 3, we’re advancing our investment in secure hardware with Titan M, an enterprise-grade security chip custom built for Pixel 3 to secure your most sensitive on-device data and operating system. With Titan M, we took the best features from the Titan chip used in Google Cloud data centers and tailored it for mobile.”
Here are some highlights from the 2019 ASR program:
- Total payouts in the last 12 months have been over $1.5 million.
- Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year). On average, this means we paid out over $15,000 (20% increase from last year) per researcher!
- The top reward paid out in 2019 was $161,337.