Smartphones are an integral part of our day-to-day activities and carry valuable and private information, so safety and security are of utmost concern for smartphone brands. At the PwnFest hacking competition in Seoul, South Korea, Google paid $120,000 (approx. Rs 84 Lakh) to the ethical hackers who humiliated Google by hacking the recently launched Google Pixel smartphone in less than a minute. The hackers, from Qihoo 360, managed to gain remote access to the Pixel phone, exposing its contacts, messages, photos, videos, emails and even card details. Google did not reveal the exact vulnerability, but claims that it has been patched and the fix will be released in the next stable build. Still, the act was nothing less than a humiliation for Google, which has invested millions of dollars in promoting Pixel phones as among the most secure and best Android smartphones available today.
But Qihoo 360 was not targeting only Google: they also managed to hack Adobe Flash in just 4 seconds and bagged another $120,000. They went on to reveal vulnerabilities in Microsoft Edge on Windows 10, which brought their total prize money to $520,000 (approx. Rs 3.5 crores). Another team of Chinese hackers, who call themselves ‘Pangu’, hacked the Safari browser on macOS Sierra in just 20 seconds, which earned them $80,000 (approx. Rs 54 Lakh) in cash.
Google Pixel Phone: Highly Vulnerable to Competition
Google is continuously working towards making its products and software secure and competitive. With competitors like the Apple iPhone and the Samsung Galaxy S7 and S7 Edge, it is crucial for Google to make Pixel smartphones an unmatched experience in terms of both safety and user experience. The Pixel phone is the company’s first premium smartphone; it was launched on 4th October at a price starting from $649 in the US and INR 57,000 in India for the 32GB variant. With this premium pricing, the company cannot afford any flaws in the device if it is to survive in the market.
Google Vulnerability Rewards Program
As of June, Google had received 250 qualified vulnerability reports and paid over $550,000 to 82 individuals, an average of $6,700 per researcher. Google’s top researcher, @heisecode, has received $75,750 for 26 reports. The company also paid 15 researchers $10,000 or more for their reports.
“Together, we made a huge investment in security research that has made Android stronger. We’re just getting started and are looking forward to doing even more in the future,” said Quan To, Program Manager, Android Security, Google.
Google also announced that it would increase reward amounts from 1st June to encourage more participants. For a high-quality vulnerability report with a proof of concept, Google has been paying 33% more. The company will pay 50% more for a high-quality vulnerability report that comes with a proof of concept, a Compatibility Test Suite (CTS) test, or a patch. The reward for a remote or proximal kernel exploit was raised from $20,000 to $30,000, and the reward for a remote exploit chain, or for exploits leading to a TrustZone or Verified Boot compromise, was increased from $30,000 to $50,000. Increasing rewards is a good way to make bug hunters more active in finding and fixing vulnerabilities.
Fight Against the Threat of Hacking
Reward programs are not just for hackers but also for consumers, encouraging them to report their findings rather than exploit them. To that end, companies like Microsoft, Oculus and PayPal have implemented reward programs of their own. Even Apple started its bug bounty program in September, offering up to $200,000 for successfully pointing out bugs and security-related issues in its devices. Apple also announced that it would mandate HTTPS connections for iOS apps from 1st January 2017. Twitter, too, has paid a significant $322,420 in bounties for such reports. Beyond the IT sector, companies from the automotive sector like Tesla Motors, General Motors, Uber, and Fiat Chrysler have also launched such programs. Interestingly, even the US Army announced a ‘Hack the Army’ bug bounty program to find security flaws in its digital recruiting infrastructure.
Companies are leaving no stone unturned to root out the vulnerabilities in their devices and software. Yet even after such major payouts and investment, hackers are still successfully breaking into devices and software, and this affects companies and consumers alike. Companies are therefore focusing aggressively on bug bounty programs. Security is a primary concern in this digital era: everything, from learning to transacting, depends on digital devices and systems. Hence, any breach of security immediately raises a red flag.