When Google launched the Pixel 6 and 6 Pro in October 2021, key features included its custom Tensor system-on-a-chip processor and the security benefits of its onboard Titan M2 security chip. But with so much new hardware launching at once, the company needed to be extra careful that nothing was overlooked or went wrong. At the Black Hat security conference in Las Vegas today, members of the Android red team are recounting their mission to hack and break as much as they could in the Pixel 6 firmware before launch, a task they accomplished.
The Android red team, which primarily vets Pixel products, caught a number of important flaws while attempting to attack the Pixel 6. One was a vulnerability in the boot loader, the first piece of code that runs when a device boots up. Attackers could have exploited the flaw to gain deep system control. It was particularly significant because the exploit could persist even after the device was rebooted, a coveted attack capability. Separately, the red teamers also developed an exploit chain using a group of four vulnerabilities to defeat the Titan M2, a crucial finding, given that the security chip needs to be trustworthy to act as a sort of sentry and validator within the phone.
“This is the first proof of concept ever to be publicly discussed getting end-to-end code execution on the M2 Titan chip,” Farzan Karimi, one of the red team leads, told WIRED ahead of the talk. “Four vulnerabilities were chained to create this, and not all of them were critical on their own. It was a mix of high and moderate severity that when you chain them together creates this impact. The Pixel developers wanted a red team to focus these kinds of efforts on them, and they were able to patch the exploits in this chain prior to launch.”
The researchers say that the Android red team prioritizes not just finding vulnerabilities but spending time developing real exploits for the bugs. This creates a better understanding of how exploitable, and therefore how critical, different flaws really are, and sheds light on the range of possible attack paths so the Pixel team can develop comprehensive and resilient fixes.
Like other top red teams, the Android group uses an array of approaches to hunt for bugs. Tactics include manual code review and static analysis, automated methods for mapping how a codebase functions, and looking for potential problems in how the system is set up and how different components interact. The group also invests significantly in developing tailored “fuzzers” that it can then hand off to teams across Android to catch more bugs while development is first taking place.
“A fuzzer is basically a tool that throws malformed data and junk at a service to get it to crash or reveal some security vulnerability,” Karimi says. “So we build these fuzzers and hand them off so other teams can continuously run them throughout the year. It’s a really nice thing that our red team has done outside of finding bugs. We’re really institutionalizing fuzzing.”