Samsung has announced a significant bug bounty program that offers up to $1 million for those who can successfully compromise the Knox Vault security system. Knox Vault is a subsystem integrated into Samsung smartphones to securely store information like credentials and perform authentication procedures.
To earn the $1 million reward, individuals must demonstrate the use of a zero-click method, which means no user interaction is needed, to hack into a Galaxy S or Z handset as an unprivileged user and retrieve credentials. This task is particularly challenging due to the isolated nature of Knox Vault, which has its own processor and storage separate from the main handset processor, making it resistant to common attacks that exploit shared resources.
Samsung has set varying reward amounts for different types of security breaches. For example, compromising TEEGRIS, the trusted execution environment found in certain devices equipped with Samsung’s Exynos SoCs, can earn up to $400,000 for a remote hack and $200,000 for a local breach. However, attackers must directly circumvent the operating system rather than subverting Trustlet apps to qualify for the reward.
Attackers who can bypass Samsung’s Rich Execution Environment (REE) operating system stand to earn up to $300,000 for a local attack and double that for a remote breach. The payout amount depends on the level of privilege escalation achieved and the effectiveness of the code executed. Additionally, hackers who can access user data on a Samsung device before it is unlocked could receive up to $400,000, contingent on the amount of data obtained.
Samsung also offers rewards for compromising other aspects of its security infrastructure, such as installing apps from third-party stores or the Galaxy Store. These rewards range from $30,000 to $100,000, depending on the method and location of the hack. Despite the attractive bounties, Samsung has paid out less than $5 million in total over seven years, with the highest individual reward in the previous year amounting to $57,190.
In comparison, Microsoft has been more generous with bug bounty payouts, distributing $16.6 million among 343 researchers from 55 countries over a 12-month period. The largest reward from Microsoft was $200,000, paid to an undisclosed individual. The company initially resisted bug bounty programs but eventually implemented them following a successful campaign led by Katie Moussouris, who is now the CEO of Luta Security.
Moussouris discovered that while money is a motivating factor for some security researchers, others are driven by the publicity and recognition gained from finding vulnerabilities. Microsoft’s bounty program has been instrumental in engaging the external research community to enhance product security and protect customers from emerging threats.
Overall, bug bounty programs serve as valuable tools for tech companies to identify and address security vulnerabilities before they can be exploited maliciously. By incentivizing researchers to uncover weaknesses in their systems, companies like Samsung and Microsoft can improve the overall security of their products and services.