Google Project Zero Prize competition set to tighten Android security

Google Project Zero Prize hacking competition is set to improve Android security by rewarding remote code execution exploits with prizes up to $200,000.

Google this week launched the Project Zero Prize, a hacking competition with a $200,000 first prize to tighten Android security.

The goal for participants is to come up with an exploit that allows remote code execution on multiple Android devices, knowing only the phone number and email address of the device. The motivation for the contest, according to the announcement post by Google Project Zero security researcher Natalie Silvanovich, is to learn more about how attacks against Android devices are discovered and carried out.

"So why are we doing yet another hacking contest? Our main motivation is to gain information about how these bugs and exploits work," wrote Silvanovich on the Project Zero blog. "There are often rumors of remote Android exploits, but it's fairly rare to see one in action. We're hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs."

In the contest announcement, Google Project Zero stated the contest would be different from other hacking contests, where participants would save up bugs and exploits to build an exploit chain, and then submit their finished work. Instead, competitors are expected to submit all their bugs in the Android issue tracker, after which they can be submitted by the participant at any time during the six-month contest.

The catch, Silvanovich wrote, is that "[o]nly the first person to file a bug can use it as a part of their submission, so file early and file often. Of course, any bugs that don't end up being used in a submission will be considered for Android Security Rewards and any other rewards program at Google they might be eligible for after the contest has ended."

In addition, Silvanovich said Project Zero will publicly share all of the vulnerabilities and exploits submitted for the competition. "Participants will submit a full description of how their exploit works with their submission, which will eventually be published on the Project Zero blog," she wrote. "Every vulnerability and exploit technique used in each winning submission will be made public."

In addition to the top prize of $200,000 for the first winning entry, the second winning entry will garner $100,000 and at least $50,000 will be awarded by Android Security Rewards to additional winning entries.

In other news

  • The White House appointed Brigadier General (retired) Gregory Touhill as the first Federal CISO. Touhill is currently deputy assistant secretary of cybersecurity and communications in the Office of Cybersecurity and Communications at the Department of Homeland Security. "In his new role as Federal CISO, Greg will leverage his considerable experience in managing a range of complex and diverse technical solutions at scale with his strong knowledge of both civilian and military best practices, capabilities, and human capital training, development and retention strategies." The appointment was made as part of the Cybersecurity National Action Plan, introduced in February by President Obama, a plan "that takes a series of short-term and long-term actions to improve our cybersecurity posture within the federal government and across the country." The announcement of the appointment was posted by Tony Scott, the federal chief technology officer, and J. Michael Daniel, special assistant to the president and White House cybersecurity coordinator. Touhill's appointment comes on the heels of several high-profile government hacks, such as the OPM breach, and unflattering oversight reports on inadequate cybersecurity practices in agencies such as the FDIC.
  • Two Israeli citizens, Itay Huri and Yarden Bidani, have been arrested by Israeli police and charged with running a massive DDoS operation, investigative reporter Brian Krebs reported. The two young men, both age 18, had been running the vDOS booter service, until this summer when the service was hacked, revealing that it netted at least $600,000 over the past two years -- and possibly much more, as vDOS began operations in September 2012. Krebs broke the story at approximately the same time the two were arrested in Israel in connection with an investigation by the FBI. Krebs reported that the two earned the money for helping their customers execute more than 150,000 DDoS attacks, and Krebs speculated that the vDOS operation may have been responsible for a majority of DDoS attacks over the past few years.
  • As CIA director John Brennan warned that the U.S. should be wary of Russia's hacking capabilities and activities on CBS's Face the Nation Sunday. Politico reported Democratic Party state officials and parties were warned hackers were targeting them. The website obtained a copy of the email, titled "Security Alert: Please Do Not Search Wikileaks!" sent by the Association of State Democratic Chairs to its members. Recipients were warned against visiting the Wikileaks site because of concerns over the potential for being infected by malware transmitted through content on the website. Meanwhile, Brennan warned that "Russia has exceptionally capable and sophisticated cyber capabilities in terms of collection, as well as whatever else it might want to do in that cybersphere." Brennan continued: "Their intelligence services are quite active around the world, and this is something we have to make sure we're on guard for, not just for our national security purposes but also for making sure that our system of government here is going to be preserved."

Next Steps

Find out four top tips for better security with Android.

Learn more about Android Nougat security features.

Read about why the human element is a key issue for information security.

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments