Google Offering $1 Million to Hack Its Titan M Security Chip

Google Offering $1 Million to Hack Its Titan M Security Chip

Google has long used bug bounties to help it uncover security flaws in its products before they appear in attacks. It’s also been among the most generous with the payouts for those bugs, but its latest revision of the Android Security Rewards Program is taking things to a whole new level. Security researchers who find a flaw in the company’s Titan M security chip could net themselves as much as $1 million.

The Titan M security chip debuted in the Pixel 3 about a year ago, but it wasn’t an entirely new design. Before the mobile Titan chip, Google designed a similar chip for its servers. In both cases, the use case is similar — Titan is a low-power microcontroller that cryptographically verifies important system components and keeps your most sensitive data separate from the main operating system.

The Titan M is a smaller version of the server chip (see above) that maintains the integrity of a Pixel phone’s software. The idea of having a hardware-based secure element isn’t new. ARM chips have a component called TrustZone that is separate from the main OS and Apple has a secure enclave on its A-series chips. Google’s Titan M is a completely separate hardware component that isn’t even connected to the SoC, theoretically offering even more security. Google has gone so far as to make the Titan M the key to your Google account, provided you configure 2-factor authentication to ping your phone.

That all falls apart if the Titan M isn’t sufficiently hardened from attack, so Google is offering big bucks for exploits. To get the maximum payout, a researcher has to provide a “full chain remote code execution exploit with persistence.” That means a method of breaching the Titan M’s security without physical access to the phone in a way that gives the attacker permanent access. In other words, the worst-case scenario. That would earn $1 million off the bat, and there’s an extra 50 percent bonus for finding an active exploit in specific developer preview versions of Android. So, that could be a $1.5 million payday.

It’s unlikely anyone is going to discover such a vulnerability in the chip (the company has paid out $1.5 million total this year), but Google wants to make sure it’s offering enough to encourage developers to come forward. Private security firms are also offering big bucks for exploits, and researchers selling to them would mean the bug won’t get fixed until something disastrous happens.

Continue reading

Apple Cuts Fees in Half for App Store Developers Earning Less Than $1 Million
Apple Cuts Fees in Half for App Store Developers Earning Less Than $1 Million

Going forward, Apple's customary 30 percent cut of sales on the iOS platform will drop to just 15 percent for smaller developers. Epic, however, claims this is just an attempt to split the developer community.

There Are Still 100 Million PCs Running Windows 7
There Are Still 100 Million PCs Running Windows 7

Microsoft officially ended update support for Windows 7 last year, but millions of PCs are still running this software of yesteryear. According to long-time Microsoft reporter Ed Bott, that number is probably north of 100 million a year after the end of support.

Google Slashes Play Store Fees for Developers Making Less Than $1 Million
Google Slashes Play Store Fees for Developers Making Less Than $1 Million

Google has followed Apple's lead in announcing a new, lower revenue split for all earnings under $1 million per year. Instead of paying 30 percent of every sale, developers in this category only pay 15 percent.

Man Blames Apple After iPhone Scam App Steals $1 Million in Bitcoin
Man Blames Apple After iPhone Scam App Steals $1 Million in Bitcoin

He made the mistake of downloading an app from the iOS App Store. In the blink of an eye, his fortune was gone, and he blames Apple.