
Google Is Offering $200K To Hack Android Phones Using Email and A Phone Number (thenextweb.com)

Google is feeling so confident about the security of their latest Android 7.0 Nougat operating system that they're offering $200,000 to anyone who can remotely execute code on a Nexus 6P or 5X running Android 7.0. The Next Web reports: Today, Google is launching the Project Zero Security Contest and awarding over $300,000 in prizes to anyone who can hack Nexus 6P and 5X knowing only the devices' phone number and email address. To be eligible to win, contestants are required to dig up vulnerabilities that can be exploited remotely -- by sending a text message or an email, for instance. All winning participants will be invited to describe the bugs they've discovered in a short technical report that will appear on the Project Zero Blog. The winner will scoop $200,000, while the runner-up will receive $100,000. There's also another $50,000 in the prize pool for any additional winning entries.
  • is that enough money to tempt state actors?

  • by 93 Escort Wagon ( 326346 ) on Wednesday September 14, 2016 @05:03PM (#52888829)

    Google is feeling so confident about the security of their latest Android 7.0 Nougat operating system that they're offering $200,000 to anyone who can remotely execute code on a Nexus 6P or 5X running Android 7.0.

    I suspect this has more to do with trying to proactively find any such vulnerability - and making it pay off well enough to induce the hacker to give Google the info rather than selling it to criminal or state organizations. Selling it privately might still bring in more money, but this might be enough so the hacker will say "this way I still get a good payday and also get credit for doing the right thing".

    • by Anonymous Coward

      The way the contest is set up requires you to report found bugs early, just to be eligible to use that particular bug in your exploit for the contest. In other words, Google can fix the problems even before the submissions for the exploits are due, and they can be assured the contestants will keep the bug a secret. Even better, a contestant does not even know if he can use the bug he found until he submits it to find out if he is the first.

      This contest will be structured a bit differently than other contests.

  • by JoeyRox ( 2711699 ) on Wednesday September 14, 2016 @05:03PM (#52888835)
    I'd put the value of that kind of exploit north of $20M. Biggest buyer would be governments around the world.
    • Looks like the going rate [zerodium.com] is less than $100k for this kind of exploit. So Google is doing good here.
      • by tlhIngan ( 30335 )

        Looks like the going rate is less than $100k for this kind of exploit. So Google is doing good here.

        It would probably be less, given how few devices will run Android 7.0 in the short to medium term, and how many other Android vulnerabilities are out there to try first, making it cost very little.

        Google's offering for $200K is about 10 times the going rate (again, taking into account how few devices run it, so the chances of actually running into a phone you need to crack running Android 7.0 are practically

      • The organizations that would make the exploit worth $20M don't advertise their intentions to buy on public web sites.
        • I don't think there is any organization that would spend $20M for this kind of exploit. You made that number up.
          • If you refer back to my original post it's not a single organization that would pay $20M. And yes, $20M is just an estimate. For support of my estimate look up how much the FBI paid for the exploit on the San Bernardino phone - it was $1.3M. And that was for a single instance, single phone.
            • by tlhIngan ( 30335 )

              If you refer back to my original post it's not a single organization that would pay $20M. And yes, $20M is just an estimate. For support of my estimate look up how much the FBI paid for the exploit on the San Bernardino phone - it was $1.3M. And that was for a single instance, single phone.

              And iOS.

              There's a reason there's a backlog of over 600+ iPhones in the LEO community they're trying to break, and under 20 Androids. And it's not because criminals prefer iPhones to Androids.

              iOS vulnerabilities are much ha

    • by Sowelu ( 713889 )

      What's the going rate for getting a legal payoff and having a lot less to worry about? If I found an exploit like that, I'd sooner trade it to Google for a Starbucks gift card than I would try and negotiate with, like, Russia. How would you even start something like that? It sounds like suicide for your criminal record, surely every government has agents posing as agents of other governments to try and poach stuff like that.

  • If you do it they will remotely detonate your phone battery.

    • by Sowelu ( 713889 )

      What's hilarious is that, with a remote code execution bug, you probably could tell a system to overcharge the battery. I mean if the short term fix for the Note 7 is "cap battery charge at 60%", then I wonder what shenanigans you could do to other batteries?

  • Will they let someone test that out On a live phone?

  • For 300k they potentially get bugs found that could cost much more if they did this internally and outside eyes may take approaches Google never thought of. Of course, given the potential value to others beside Google they may not find out about the most serious vulnerabilities because they are much more valuable than $200k; and some hackers that didn't get anything may continue to probe and find vulnerabilities to sell. State actors have no reason to reveal their secrets because those are weapons to deploy
    • So what you're saying is, that Google's own employees - not one among the vast number of them - cannot find this type of exploit, or aren't allocated to this type of exploit finding, so basically Google has opted to contract that work out in the form of a "bounty program"?

      • So what you're saying is, that Google's own employees - not one among the vast number of them - cannot find this type of exploit, or aren't allocated to this type of exploit finding, so basically Google has opted to contract that work out in the form of a "bounty program"?

        It's not so much a question of having the technical smarts but rather Google has limited bandwidth to do this, so they can't cause every possible idea, and outside eyes may look at the problem differently and come up with something not apparent to Google's staff. One challenge people have is they tend to look at problems based on their knowledge and experience and may not approach it from a different angle and come up with something new; it's not a lack of smarts but becoming conditioned as to how to approa

  • Script kiddies, start your engines...........
