Samsung is now offering a $1 million bounty to anyone who can successfully hack into its Knox Vault—a secure hardware component of Samsung Galaxy S and Z smartphones—without any user interaction. The challenge is part of Samsung’s Mobile Vulnerability Program, and is meant to identify and address critical vulnerabilities by inviting hackers to remotely execute arbitrary code, bypass device protections, or extract sensitive data from the Knox Vault.
Samsung’s Knox platform is integral to the security of its devices’ biometric authentication systems. It provides a secure environment for storing and processing biometric data, such as fingerprints, facial recognition, and iris scans.
Knox Vault, an advanced component of the Knox platform on newer devices, further isolates biometric credentials from the rest of the system, adding an extra layer of protection. Knox also includes tamper detection mechanisms that can disable biometric authentication or wipe the device if a security breach is detected.
To qualify for the $1 million bounty, hackers must submit a detailed report that meets several stringent criteria, including demonstrating a successful remote, zero-click exploit on a fully updated device. The exploit must target high-value scenarios, such as unlocking devices or accessing credential-related data within the Knox Vault.
Submissions must be made through Samsung’s official report ticketing system, and those who succeed will work closely with a dedicated security analyst to validate their findings.
Samsung has had these kinds of bug bounty programs in place for about six years, and has so far paid out approximately $5 million in bounties. In its 2023 “Pwn2Own” competition, for example, hackers managed to exploit the Galaxy S23, earning $125,000.
The new $1 million offer considerably ups the ante. It may also help to inspire a positive trend in digital security, as very few companies in this space currently offer hefty bug bounty programs. In the domain of biometrics, for example, FaceTec is the only firm currently running a Spoof Bounty Program, which offers up to $600,000 in payouts for successful attacks on the company’s sophisticated 3D facial liveness technology.
Source: Forbes
August 12, 2024 – by Cass Kennedy and Alex Perala