Google Offering $1 Million to Hack Its Titan M Security Chip

Google Offering $1 Million to Hack Its Titan M Security Chip

Google has long used bug bounties to help it uncover security flaws in its products before they appear in attacks. It’s also been among the most generous with the payouts for those bugs, but its latest revision of the Android Security Rewards Program is taking things to a whole new level. Security researchers who find a flaw in the company’s Titan M security chip could net themselves as much as $1 million.

The Titan M security chip debuted in the Pixel 3 about a year ago, but it wasn’t an entirely new design. Before the mobile Titan chip, Google designed a similar chip for its servers. In both cases, the use case is similar — Titan is a low-power microcontroller that cryptographically verifies important system components and keeps your most sensitive data separate from the main operating system.

The Titan M is a smaller version of the server chip (see above) that maintains the integrity of a Pixel phone’s software. The idea of having a hardware-based secure element isn’t new. ARM chips have a component called TrustZone that is separate from the main OS and Apple has a secure enclave on its A-series chips. Google’s Titan M is a completely separate hardware component that isn’t even connected to the SoC, theoretically offering even more security. Google has gone so far as to make the Titan M the key to your Google account, provided you configure 2-factor authentication to ping your phone.

That all falls apart if the Titan M isn’t sufficiently hardened from attack, so Google is offering big bucks for exploits. To get the maximum payout, a researcher has to provide a “full chain remote code execution exploit with persistence.” That means a method of breaching the Titan M’s security without physical access to the phone in a way that gives the attacker permanent access. In other words, the worst-case scenario. That would earn $1 million off the bat, and there’s an extra 50 percent bonus for finding an active exploit in specific developer preview versions of Android. So, that could be a $1.5 million payday.

It’s unlikely anyone is going to discover such a vulnerability in the chip (the company has paid out $1.5 million total this year), but Google wants to make sure it’s offering enough to encourage developers to come forward. Private security firms are also offering big bucks for exploits, and researchers selling to them would mean the bug won’t get fixed until something disastrous happens.

Continue reading

The Best Smart Home Security Systems
The Best Smart Home Security Systems

Once a niche business with a few traditional players and some startups, home security systems are now a major battleground for not just security companies, but several internet giants. We round up highlights of the most popular options for 2020.

Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs
Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs

Intel, AMD, and Qualcomm are working to make Pluton part of their upcoming designs, which should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.

Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019
Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019

SolarWinds, the company at the center of the massive hack that hit US government agencies and corporations, doesn't exactly use cutting-edge password techniques.

A File Sharing App With 1 Billion Downloads Has a Major Security Flaw
A File Sharing App With 1 Billion Downloads Has a Major Security Flaw

Trend Micro says SHAREit is a security nightmare that could allow intruders to sneak a peek at your data or even install malware. Perhaps most troublingly, the developers have not responded to Trend Micro's warnings.