Six months ago, Google offered to pay US$200,000 to any researcher who could remotely hack into an Android device by knowing only the victim’s phone number and email address. No one stepped up to the challenge.
While that might sound like good news and a testament to the mobile operating system’s strong security, that’s likely not the reason why the company’s Project Zero Prize contest attracted so little interest. From the start, people pointed out that $200,000 was too low a prize for a remote exploit chain that wouldn’t rely on user interaction.
“If one could do this, the exploit could be sold to other companies or entities for a much higher price,” one user responded to the original contest announcement in September.
“Many buyers out there could pay more than this price; 200k not worth for finding needle under haystack,” said another.
Google was forced to acknowledge this, noting in a blog post this week that “the prize amount might have been too low considering the type of bugs required to win this contest.” Other reasons that might have led to the lack of interest, according to the company’s security team, might be the high complexity of such exploits and the existence of competing contests where the rules were less strict.
In order to gain root or kernel privileges on Android and fully compromise a device, an attacker would have to chain multiple vulnerabilities together. At the very least, they would need a flaw that would allow them to remotely execute code on the device, for example within the context of an application, and then a privilege escalation vulnerability to escape the application sandbox.
Judging by Android’s monthly security bulletins, there’s no shortage of privilege escalation vulnerabilities. However, Google wanted for exploits submitted as part of this contest to not rely on any form of user interaction. This means the attacks should have worked without users clicking on malicious links, visiting rogue websites, receiving and opening files, and so on.
This rule significantly restricted the entry points that researchers could use to attack a device. The first vulnerability in the chain would have had to be located in the operating system’s built-in messaging functions like SMS or MMS, or in the baseband firmware — the low-level software that controls the phone’s modem and which can be attacked over the cellular network.
One vulnerability that would have met these criteria was discovered in 2015 in a core Android media processing library called Stagefright, with researchers from mobile security firm Zimperium finding the vulnerability. The flaw, which triggered a large coordinated Android patching effort at the time, could have been exploited by simply placing a specially crafted media file anywhere on the device’s storage.
One way to do that involved sending a multimedia message (MMS) to targeted users and didn’t require any interaction on their part. Merely receiving such a message was enough for successful exploitation.
Many similar vulnerabilities have since been found in Stagefright and in other Android media processing components, but Google changed the default behavior of the built-in messaging apps to no longer retrieve MMS messages automatically, closing that avenue for future exploits.
“Remote, unassisted, bugs are rare and require a lot of creativity and sophistication,” said Zuk Avraham, founder and chairman of Zimperium, via email. They’re worth much more than $200,000, he said.
An exploit acquisition firm called Zerodium is also offering $200,000 for remote Android jailbreaks, but it doesn’t put a restriction on user interaction. Zerodium sells the exploits it acquires to their customers, including to law enforcement and intelligence agencies.
So why go to the trouble of finding rare vulnerabilities to build fully unassisted attack chains when you can get the same amount of money — or even more on the black market — for less sophisticated exploits?
“Overall, this contest was a learning experience, and we hope to put what we’ve learned to use in Google’s rewards programs and future contests,” Natalie Silvanovich, a member of Google’s Project Zero team, said in the blog post. To that end, the team is expecting comments and suggestions from security researchers, she said.
It’s worth mentioning that despite this apparent failure, Google is a bug bounty pioneer and has run some of the most successful security reward programs over the years covering both its software and online services.
There’s little chance that vendors will ever be able to offer the same amount of money for exploits as criminal organizations, intelligence agencies, or exploit brokers. Ultimately, bug bounty programs and hacking contests are aimed at researchers who have an inclination toward responsible disclosure to begin with.