Google will pay up to $1.5 million for the most severe hacks of its Pixel line of Android phones, a more than seven-fold increase over the previous top Android reward, the company said.
Effective immediately, Google will pay $1 million for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” the company said in a post published on Thursday.
The company will also pay $500,000 for exploits that exfiltrate data out of a Pixel or bypass its lock screen.
Google will offer a 50 percent bonus to any of its rewards if the exploit works on specific developer preview versions of Android. That means a critical Titan M hack on a developer preview could fetch $1.5 million, and a data exfiltration or lock screen bypass on a developer preview could earn $750,000, and so on. Previously, rewards for the most severe Android exploits topped out at $200,000 if they involved the trusted execution environment—an independent OS within Android for handling payments, multi-factor authentication, and other sensitive functions—and $150,000 if they involved compromise of only the Android kernel.
Putting Titan M to the test
The big reward bump coincides with the investments Google has poured into securing the Pixel. The Titan M is a Google-designed chip that’s physically segregated from the main chipset of the device. In many respects, it’s analogous to the Secure Enclave in iPhones or the TrustZone in devices running an Arm processor. The Titan M is a mobile version of the Titan chip Google introduced in 2017.
The Titan M carries out four core functions, including:
Titan M was first introduced in 2018 with the rollout of the Pixel 3. It’s also in the recently released Pixel 3a, and will also be included in the soon-to-be-available Pixel 4. Pixel 2 models relied on a less robust dedicated tamper-resistant hardware security module. In-the-wild exploits disclosed last month were able to remotely execute malicious code on an array of Android phones, including the Pixel 1, Pixel 1 XL, Pixel 2, and Pixel 2 XL, but not the Pixel 3. The Titan M wasn’t responsible for stopping that attack, however. Instead, the reason was that the Pixel 3 and 3a received Linux patches that the vulnerable Pixels had not.
In the four years since the Android Security Rewards Program was introduced, it has paid out more than $4 million from more than 1,800 reports. More than $1.5 million of that came in the past 12 months. The top reward this year was $161,337, which was paid to Guang Gong of Qihoo 360 Technology’s Alpha Lab for a one-click remote code execution exploit chain on a Pixel 3. (Gong’s exploit received an additional $40,000 from the Chrome Rewards Program.)
The new rewards come almost three months after third-party exploit broker Zerodium started paying $2.5 million for zero-day attacks compromising Android, a 25-percent premium over comparable exploits for iOS. As tempting as it is to contrast Zerodium’s top Android payouts to those from Google, don’t. The talent and amount of work required to develop a weaponized exploit for Zerodium are considerably higher than what Google demands, making for an apples-to-oranges comparison.