• World CyberCon India
Firewall Daily Vulnerabilties

Researchers Find Vulnerability in Google Pixel’s Titan M Chip, Earn $75,000

Quarkslab found vulnerabilities in Google Pixel’s Titan M Chip by reverse engineering on the chip's firmware. The company reported research to Google and received a bounty prize of USD 75,000.

Researchers Find Vulnerability in Google Pixel’s Titan M Chip, Earn $75,000
  • PublishedAugust 19, 2022

Introduced in 2018 with Pixel smartphones, Google’s Titan M Chip vulnerability-led security researchers at Quarkslab to earn $75,000. The team of researchers published the vulnerability report earlier in Black Hat EU 2021 with a follow-up post on August 11, 2022. In the research, Quarkslab’s members found that a security flaw in Titan M Chip can be exploited to access code execution — enabling hackers to read arbitrary memory on the chip and even access boot ROM.

The researchers reported the Titan M Chip vulnerability to Google in March. Upon confirming the reports, the tech giant released a new security patch for Pixel devices and awarded the researchers an initial reward of $10,000. However, Quarkslab’s demonstration of code execution and data exfiltration fetched them an increased payout bounty of $75,000.

Titan M Chip vulnerability test

Google introduced the Titan M in 2018, starting from the Pixel 3. The chip was the major USP of Pixel devices and was made to reduce the attack surfaces, including hardware tampering and side-channel attacks. It used a separate system-on-a-chip (SoC) and was running its own firmware to communicate with the Application Processor (AP) via the SPI bus. Using different APIs, Titan M guaranteed a higher level of protection against cyber attacks and provided under-the-hood protection up to the secure boot level.

However, by using reverse engineering on the chip’s firmware, Quarkslab researchers reached the open source OS for micro-controllers. They found out that some temporal security bugs can be eliminated — thus creating an opening for hackers to access the hard-coded stack canary. This small vulnerability was enough for the researchers to find a memory corruption opening on the chip that does not require user interaction.

Fuzzing Titan M Chip

Fuzzing is a technique used by hackers to exploit software vulnerabilities. Cybersecurity specialists widely use it to check unknown bugs in applications, websites, and electronic devices. While fuzzing Titan M, Quarkslab observed that a crash occurred when the “firmware was trying to write 1 byte in an unmapped memory area.” Additionally, researchers denoted that the bug could be triggered multiple times to achieve out-of-bounds writes.

The researchers then shared how it allowed them to retrieve any StrongBox protected key, thus bypassing the protection levels of the Android Keystore. Quarkslab reported the vulnerabilities in Titan M Chip, and the Silicon Valley giant gave a bounty amount of $10,000, which was increased to $75,000, upon successfully demonstrating the exploitation by the security firm.

Written By

The Cyber Express is a publication that aims to provide the latest news and analysis about the information security industry. The news comes from a variety of sources and is updated regularly so that readers can stay up to date with the latest happenings in this rapidly growing field.

1 Comment

Comments are closed.