Google Offering $1 Million to Hack Its Titan M Security Chip

Google Offering $1 Million to Hack Its Titan M Security Chip

Google has long used bug bounties to help it uncover security flaws in its products before they appear in attacks. It’s also been among the most generous with the payouts for those bugs, but its latest revision of the Android Security Rewards Program is taking things to a whole new level. Security researchers who find a flaw in the company’s Titan M security chip could net themselves as much as $1 million.

The Titan M security chip debuted in the Pixel 3 about a year ago, but it wasn’t an entirely new design. Before the mobile Titan chip, Google designed a similar chip for its servers. In both cases, the use case is similar — Titan is a low-power microcontroller that cryptographically verifies important system components and keeps your most sensitive data separate from the main operating system.

The Titan M is a smaller version of the server chip (see above) that maintains the integrity of a Pixel phone’s software. The idea of having a hardware-based secure element isn’t new. ARM chips have a component called TrustZone that is separate from the main OS and Apple has a secure enclave on its A-series chips. Google’s Titan M is a completely separate hardware component that isn’t even connected to the SoC, theoretically offering even more security. Google has gone so far as to make the Titan M the key to your Google account, provided you configure 2-factor authentication to ping your phone.

That all falls apart if the Titan M isn’t sufficiently hardened from attack, so Google is offering big bucks for exploits. To get the maximum payout, a researcher has to provide a “full chain remote code execution exploit with persistence.” That means a method of breaching the Titan M’s security without physical access to the phone in a way that gives the attacker permanent access. In other words, the worst-case scenario. That would earn $1 million off the bat, and there’s an extra 50 percent bonus for finding an active exploit in specific developer preview versions of Android. So, that could be a $1.5 million payday.

It’s unlikely anyone is going to discover such a vulnerability in the chip (the company has paid out $1.5 million total this year), but Google wants to make sure it’s offering enough to encourage developers to come forward. Private security firms are also offering big bucks for exploits, and researchers selling to them would mean the bug won’t get fixed until something disastrous happens.

Continue reading

NASA Offering $1 Million Prize for Better Space Food
NASA Offering $1 Million Prize for Better Space Food

NASA has announced a new round of Deep Space Food Challenge, and this round of the competition comes with $1 million in prizes for teams that can come up with innovative foods that can be prepared in space.

Enormous Video Game Collection to Enhance University’s Research and Course Offerings
Enormous Video Game Collection to Enhance University’s Research and Course Offerings

An educational institution in Canada is now able to offer students a firsthand tour through video game history, thanks to the recent acquisition of a famous 14,000-title collection.

Intel Is Offering CPUs to Winners of Arc GPU Scavenger Hunt
Intel Is Offering CPUs to Winners of Arc GPU Scavenger Hunt

Sad trombone sound goes here.

Google Is Shutting Down Stadia in January 2023, Offering Refunds
Google Is Shutting Down Stadia in January 2023, Offering Refunds

Google said it was committed to making Stadia the future of gaming, but now it's the past.