Google's Android hacking contest fails to attract exploits

Lucian Constantin | April 3, 2017
The $200,000 bounty Google offered to hack its Android OS was not enough to tempt researchers.

One way to do that involved sending a multimedia message (MMS) to targeted users and didn't require any interaction on their part. Merely receiving such a message was enough for successful exploitation.

Many similar vulnerabilities have since been found in Stagefright and in other Android media processing components, but Google changed the default behavior of the built-in messaging apps to no longer retrieve MMS messages automatically, closing that avenue for future exploits.

"Remote, unassisted bugs are rare and require a lot of creativity and sophistication," said Zuk Avraham, founder and chairman of Zimperium, via email. They're worth much more than $200,000, he said.

An exploit acquisition firm called Zerodium is also offering $200,000 for remote Android jailbreaks, but it doesn't put a restriction on user interaction. Zerodium sells the exploits it acquires to its customers, including law enforcement and intelligence agencies.

So why go to the trouble of finding rare vulnerabilities to build fully unassisted attack chains when you can get the same amount of money -- or even more on the black market -- for less sophisticated exploits?

"Overall, this contest was a learning experience, and we hope to put what we’ve learned to use in Google’s rewards programs and future contests," Natalie Silvanovich, a member of Google's Project Zero team, said in the blog post. To that end, the team is expecting comments and suggestions from security researchers, she said.

It's worth mentioning that, despite this apparent failure, Google is a bug bounty pioneer and has run some of the most successful security reward programs over the years, covering both its software and its online services.

There's little chance that vendors will ever be able to offer the same amount of money for exploits as criminal organizations, intelligence agencies, or exploit brokers. Ultimately, bug bounty programs and hacking contests are aimed at researchers who have an inclination toward responsible disclosure to begin with.
