Google Is Offering $200K To Hack Android Phones Using Email and A Phone Number

Google is feeling so confident about the security of their latest Android 7.0 Nougat operating system that they're offering $200,000 to anyone who can remotely execute code on a Nexus 6P or 5X running Android 7.0. The Next Web reports: Today, Google is launching the Project Zero Security Contest and awarding over $300,000 in prizes to anyone who can hack Nexus 6P and 5X knowing only the devices' phone number and email address. To be eligible to win, contestants are required to dig up vulnerabilities that can be exploited remotely -- by sending a text message or an email, for instance. All winning participants will be invited to describe the bugs they've discovered in a short technical report that will appear on the Project Zero Blog. The winner will scoop $200,000, while the runner-up will receive $100,000. There's also another $50,000 in the prize pool for any additional winning entries.

First

Neat.

Re:First

"Hello $firstname $lastname,

This is Google. We have recently experienced hacking attempts and are asking all users to verify their current passwords. Please click here to do so.

Thank you,

Mike Hunt
Google Head of Security"

temptation

[zlives]

is that enough money to temp state actors?

Re:temptation

[NatasRevol]

Or even greedy local actors.

Re:temptation

Jesus no. If you could hack literally billions of phones (ok, millions for Android 7, but maybe it works on earlier versions) with just a phone number and e-mail address, state actors would value that at a lot more than $200k. Just think for a moment about how much intelligence you could gather from VIPs with such an easy to use vulnerability.

This is a ridiculously cheap way of doing security research.

Mind you, if I found such a vulnerability, I'd sooner describe it to my government than Google (aka the US government). I don't need $200k, nor do I want to further strengthen the US.

Re:temptation

[SubtleGuest]

Really? You don't need $200,000?

Re:temptation

[phantomfive]

You mean a government with billions in revenue? The state actors are the ones paying hundreds of thousands of dollars for exploits.

Re:temptation

No. It's not like I'd turn it down if I was offered it unconditionally, but there a lot of things I wouldn't do for it. I was born into a reasonably wealthy family and have been fairly successful in my career. I know how fortunate I am, and it means I get to make decisions for other-than-pecuniary reasons.

Bribery works on the insecure and the greedy. This is one of the reasons I am in favour of a universal basic income: the moment everyone stops having to worry about basic necessities, you make a whole swathe of people more honest.

Re:temptation

[phantomfive]

Really? You don't need $200,000?

No, actually.

Re: temptation

Just kidding, I'm extremely poor and masturbate on the subway.

Re:temptation

universal basic income

This was one of HItler's selling points for Austria to vote to accept Nazi rule.

Just saying.

Re:temptation

[zlives]

no not the govt itself but the users of govt systems that exploit such things. Govt employees pay... anyway since a lot of these tools get sold to the third world regimes it is perhaps plausible?

Re: temptation

2 years salary. $200,000 isn't much nowadays.

Re:temptation

Hitler had some good ideas.

Re:temptation

I believe Hitler is widely reported to have eaten food and breathed air too.

Just saying.

Re: temptation

Depends on where you are.. that would be 5.5 years of income for myself

Re:temptation

Yeah, maybe want but not need. I have a lot more than I "need" right now. Anyway, I would sell the exploit to NSA or CIA for $2.000.000USD rather than cheap-ass Google.

Re: temptation

Before tax .... where I am from this kind of 'award' would cost me 50% tax ...

1 million not no chump change

LOL once more they want to give chump change for this? really.

1 million like Iphone did.

4 paragraphs

Couldn't we find another article that's longer than 4 paragraphs. The Next Web editor seems to be bored with this story by the way he glossed over the subject.

I doubt it's about "confidence"

[93+Escort+Wagon]

Google is feeling so confident about the security of their latest Android 7.0 Nougat operating system that they're offering $200,000 to anyone who can remotely execute code on a Nexus 6P or 5X running Android 7.0.

I suspect this has more to do with trying to proactively find any such vulnerability - and making it pay off well enough to induce the hacker to give Google the info rather than selling it to criminal or state organizations. Selling it privately might still bring in more money, but this might be enough so the hacker will say "this way I still get a good payday and also get credit for doing the right thing".

Re:I doubt it's about "confidence"

The way the contest is setup requires you to report found bugs early, just to be eligible to use that particular bug in you exploit for the contest. In other words, Google can fix the problems even before the submissions for the exploits are due, and they can be assured the contestants will keep the bug a secret. Even better, a contestant does not even know if he can use the bug he found until he submits it to find out if he is the first.

This contest will be structured a bit differently than other contests. Instead of saving up bugs until thereâ(TM)s an entire bug chain, and then submitting it to the Project Zero Prize, participants are asked to report the bugs in the Android issue tracker. They can then be used as a part of submission by the participant any time during the six month contest period. Only the first person to file a bug can use it as a part of their submission, so file early and file often! Of course, any bugs that donâ(TM)t end up being used in a submission will be considered for Android Security Rewards and any other rewards program at Google they might be eligible for after the contest has ended.

That is not confidence. That is a cheap way to do Q&A.
Nothing wrong with that, but caring about security would be offering $20,000,000 for remote exploits.
Confidence would be offering $2,000,000,000 :-).

Seems like it would be worth way more than $200K

[JoeyRox]

I'd put the value of that kind of exploit north of $20M. Biggest buyer would be governments around the world.

Is phishing email allowed?

That would be easy.

Re:Is phishing email allowed?

[campuscodi]

Rules say no user interaction. It has a full exploit chain.

It's a trap!

[downright]

If you do it they will remotely detonate your phone battery.

Re:It's a trap!

I have a Note 7 so this isn't funny you insensitive bastard!

Re:It's a trap!

[Sowelu]

What's hilarious is that, with a remote code execution bug, you probably could tell a system to overcharge the battery. I mean if the short term fix for the Note 7 is "cap battery charge at 60%", then I wonder what shenanigans you could do to other batteries?

Re:Seems like it would be worth way more than $200

[phantomfive]

Looks like the going rate is less than $100k for this kind of exploit. So Google is doing good here.

What about premium sms exploitation?

[Joe_Dragon]

Will they let someone test that out On a live phone?

Re:What about premium sms exploitation?

[Sowelu]

I'm sure nobody will complain if you test it against your own phone.

Re:Seems like it would be worth way more than $200

[tlhIngan]

Looks like the going rate is less than $100k for this kind of exploit. So Google is doing good here.

It would probably be less, given how few devices will run Android 7.0 in the short to medium term, and how many other Android vulnerabilities are out there to try first, making it cost very little.

Google's offering for $200K is about 10 times the going rate (again, taking into account how few devices run it, so the chances of actually running into a phone you need to crack running Android 7.0 are practically nil).

It's Apple that needs to step up their game - their $250K is a quarter of the going rate for an iOS exploit ($1M+ is the going rate). And with iOS 10 out a lot of old exploits are going away. State actors have to guard their tools very closely or a leak like the one a few weeks ago could render their multi mullion dollar business moot. That's probably why they charge so much per installation - each installation runs the risk that the vulnerabilities are found and fixed.

Re:Seems like it would be worth way more than $200

[JoeyRox]

The organizations that would make the exploit worth $20M don't advertise their intentions to buy on public web sites.

Re:Seems like it would be worth way more than $200

[Sowelu]

What's the going rate for getting a legal payoff and having a lot less to worry about? If I found an exploit like that, I'd sooner trade it to Google for a Starbucks gift card than I would try and negotiate with, like, Russia. How would you even start something like that? It sounds like suicide for your criminal record, surely every government has agents posing as agents of other governments to try and poach stuff like that.

Look at it from Google's POV

[Registered+Coward+v2]

For 300k they potentially get bugs found that could cost much more if they did this internally and outside eyes may take approaches Google never thought of. Of course, given the potential value to others beside Google they may not find out about the most serious vulnerabilities because they are much more valuable than $200k; and some hackers that didn't get anything may continue to probe and find vulnerabilities to sell. State actors have no reason to reveal their secrets because those are weapons to deploy when needed. While this is good publicity getting the word out you pay market rates for vulnerabilities might work better, plus possibly forcing prices up to where it is potentially unprofitable.

Re:Look at it from Google's POV

[ThosLives]

So what you're saying is, that Google's own employees - not one among the vast number of them - cannot find this type of exploit, or aren't allocated to this type of exploit finding, so basically Google has opted to contract that work out in the form of a "bounty program"?

Re:Look at it from Google's POV

[Registered+Coward+v2]

So what you're saying is, that Google's own employees - not one among the vast number of them - cannot find this type of exploit, or aren't allocated to this type of exploit finding, so basically Google has opted to contract that work out in the form of a "bounty program"?

It's not so much a question of having the technical smarts but rather Google has limited bandwidth to do this, so they can't cause every possible idea, and outside eyes may look at the problem differently and come up with something not apparent to Google's staff. One challenge people have is they tend to look at problems based on their knowledge and experience and may not approach it from a different angle and come up with something new; it's not a lack of smarts but becoming conditioned as to how to approach a problem or challenge. An added benefit is Google potentially gets vulnerabilities exposed on the cheap, or even for free. Not a bad deal, for them.

Re:Look at it from Google's POV

Yes, prior experience show us that bugs and security vulnerabilities - even critical ones - are found by external people

Re:Seems like it would be worth way more than $200

[phantomfive]

I don't think there is any organization that would spend $20M for this kind of exploit. You made that number up.

Re:Seems like it would be worth way more than $200

[JoeyRox]

If you refer back to my original post it's not a single organization that would pay $20M. And yes, $20M is just an estimate. For support of myestimate look up how much the FBI paid for the exploit on the San Bernardino phone - it was $1.3M. And that was for a single instance, single phone.

This is a cute but meaningless stunt

It certainly is not related to security in the real world.
As long as users can install apps from Google Play, the phone can be compromised.
And any private network it is logged onto can likewise be hacked.

SS7?

Wouldn't a hack via SS7 qualify? It's certainly a remote attack.

3, 2, 1......

[Ensign_Expendable]

Script kiddies, start your engines...........

Social Engineering

Does it count if you phone people offering an upgrade to their phone, then email them a file and advise them to open it on their phone?

That's not the way it works

Guarantee me the 200.000 or i will report to someone else. What a cheap way to get all the exploits for a fixed price ...

Re:Seems like it would be worth way more than $200

The problem to selling stuff to state actors such as governments is they may get a refund by buying it off you, and then suddenly you've committed suicide via 10 shots to the back, and then tieing yourself in a bag and falling into a river.

Re:Seems like it would be worth way more than $200

[tlhIngan]

If you refer back to my original post it's not a single organization that would pay $20M. And yes, $20M is just an estimate. For support of myestimate look up how much the FBI paid for the exploit on the San Bernardino phone - it was $1.3M. And that was for a single instance, single phone.

And iOS.

There's a reason there's a backlog of over 600+ iPhones in the LEO community they'tr trying to break, and under 20 Androids. And it's not because criminals prefer iPhones to Androids.

iOS vulnerabilities are much harder to come by and they often require chaining together multiple ones just to even get them to jailbreak. And we're talking about phones where the user willingly lets the hack happen (jailbreak). Ones that try to start from a locked phone are much harder. Coupled with full disk encryption that's standard and enabled since the beginning and it gets a lot more difficult, even more so in modern phones with a secure enclave that keeps secrets from hitting flash storage (i.e., disk key).

The problem with Android is the defaults are insecure and most people leave it at the defaults, making it trivially easy to get at the data.