Google will pay up to $1.5m for full chain RCE for Android on Titan M chips

Pierluigi Paganini November 21, 2019

Google announced that it will increase bug bounty rewards for Android, it will pay up to $1.5 million for bugs that allow to hack new Titan M security chip.

At the end of 2018, Google announced its Titan M dedicated security chip that is currently installed on Google Pixel 3 and Pixel 4 devices. The chip was designed to process sensitive data and processes, include Verified Boot, on-device disk encryption, and secure transactions.

Now Google announced that it will pay up to $1 million white hat hackers that will devise “a full chain remote code execution exploit with persistence.”

The bug hunters can receive up to $1.5 million for reporting exploit chain working against a preview version of the Android OS.

The decision of Google to increase bug bounty payouts is the response of the tech giant to bug bounty programs operated by zero-day brokers like Zerodium that are offering greater rewards for similar issues. In September, Zerodium has updated the price list for both Android and iOS exploits, with Android ones having surpassed the iOS ones for the first time.

A zero-click exploit chain for Android would be rewarded with up to $2.5 million, while an exploit chain for iOS only $2 million.

“Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it’s even harder to develop zero click exploits not requiring any user interaction,” explained Zerodium’s CEO Chaouki Bekrar.

Below the definition for full exploit chain provided by Google.

“We will reward extra for a full exploit chain (typically multiple vulnerabilities chained together) that demonstrates arbitrary code execution, data exfiltration, or a lockscreen bypass.” reads the Android Security Rewards Program Rules. “The actual reward amount is at the discretion of the rewards committee and depends on a number of factors, including (but not limited to):

  • Whether there is a detailed writeup describing how the exploit works.
  • The initial attack vector (ie. remote exploitation versus local).
  • Whether the exploit is device- or build-specific, or whether it works across a broad set of builds and devices.
  • The amount of user interaction required for the exploit to work.
  • Whether the user could feasibly detect that an exploit is in progress or has completed.
  • How reliable the exploit is.
  • Exploits chains found on specific developer preview versions of Android are eligible for up to an additional 50% reward bonus.

Below the maximum exploit rewards for each type of exploit:

Code execution reward amounts

DescriptionMaximum Reward
Pixel Titan MUp to $1,000,000
Secure ElementUp to $250,000
Trusted Execution EnvironmentUp to $250,000
KernelUp to $250,000
Privileged ProcessUp to $100,000

The maximum reward for data of high-value data secured by Pixel Titan M is $500,000 while the maximum reward for Lockscreen bypass is up to $100,000.

Additional info is available on Android Security Rewards Program Rules page.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Titan M, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment