Google will pay $100K to anyone who can hack into a Chromebook remotely. For the hacker to lay his or her hands on the cash reward, he or she will have to ensure the hack is able to stick around and survive a reboot, while the device is in “guest mode.”
Google effectively doubled the bounty it offers to find security vulnerabilities in Chromebook, its sleek laptop that runs on Chrome, a browser-based operating system designed by the search giant itself. Google hopes doubling the bounty will draw more security researchers, who will attempt to compromise the device. Google is always on the lookout for exploits that can compromise or cripple its software, and such bounty programs are pretty common.
Google has been willingly, and even encouragingly, offering money to hackers since 2010. The company handsomely rewards those who have found security vulnerabilities in its hardware or software. After a call last year to crack its Chromebook’s security system went unanswered, Google is now doubling its reward to $100,000, reported Business Insider. The significantly larger reward is intended for someone who can successfully compromise a Chromebook. However, there are three primary conditions that need to be met before Google will pay.
The hacker who seeks to compromise a Chromebook has to do it over the web. In other words, the hacker will have to pull off the hack “remotely.” The hacker won’t be allowed physical access to the machine. Direct access to the machine makes the process somewhat less difficult, if not easy.
The second condition is that the hacker will have to work his magic while the Chromebook is in “guest mode.” Designed with the primary intention of allowing shared access to the device while still protecting each user’s content, the guest mode is a rather severely restrictive mode. The mode inherently protects the owner’s Chrome profile. The primary owner’s profile, which contains browser data, cookies, and other sensitive information, remains completely off-limits to other users.
Needless to say, in guest mode, Chromebook has its highest defenses up; a guest can download files but can’t install apps, even from Google’s store, reported PC World. Designing applications that have hidden exploits is one of the ways hackers can attempt to install security-compromising malware.
Designed specifically to prevent tampering with the primary user’s Chrome profile, the guest mode ensures browser data and cookies vanish at the end of a session, reported ZDNet. This makes the third condition even more challenging than it normally would have been. Google insists that the hack orchestrated remotely, over the web, while the Chromebook is in guest mode, has to be persistent. In other words, the hack must survive a reboot, noted Google’s rewards page.
“We have a standing $100,000 reward for participants who can compromise a Chromebook or Chromebox with device persistence in guest mode, i.e., guest-to-guest persistence with interim reboot, delivered via a web page.”
Google agreed to pay $100K to hack a Chromebook, an amount that’s double what was offered last year, because no one stepped forward to claim the prize money. Through its security blog, Google noted that in the year since it dangled the $50,000 Chromebook reward under its Chrome Reward Program, it hasn’t received a single successful submission.
“Since we introduced the $50,000 reward, we haven’t had a successful submission. That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.”
Google’s Chromebook has been made highly secure with several features. Automatic updates get installed without user assistance. Web pages and applications are run in “sandboxes,” limiting the hardware exposure. To top it all, the device does a “verified boot” on startup, which will roll back the OS if it has been tampered with by malware.
While the $100K reward is the highest, payouts start at $500. Moreover, if you provide a fix with your bug submission you’re entitled to $1,337. Here too, Google has managed to add some fun. The digits appear similar to the word “leet,” which is hacker slang for “elite hacker.”