Introduced in 2018 with Pixel smartphones, Google’s Titan M Chip vulnerability-led security researchers at Quarkslab to earn $75,000. The team of researchers published the vulnerability report earlier in Black Hat EU 2021 with a follow-up post on August 11, 2022. In the research, Quarkslab’s members found that a security flaw in Titan M Chip can be exploited to access code execution — enabling hackers to read arbitrary memory on the chip and even access boot ROM.
The researchers reported the Titan M Chip vulnerability to Google in March. Upon confirming the reports, the tech giant released a new security patch for Pixel devices and awarded the researchers an initial reward of $10,000. However, Quarkslab’s demonstration of code execution and data exfiltration fetched them an increased payout bounty of $75,000.
Titan M Chip vulnerability test
Attacking Titan M with Only One Byte
Code execution and exfiltration of encryption keys from Google Pixel phone's Secure Element now being presented by @DamianoMelotti and @max_r_b at @BlackHatEvents #BHUSA
Full details are now public in their blog post:https://t.co/KwRFhXeHMr
— quarkslab (@quarkslab) August 11, 2022
Google introduced the Titan M in 2018, starting from the Pixel 3. The chip was the major USP of Pixel devices and was made to reduce the attack surfaces, including hardware tampering and side-channel attacks. It used a separate system-on-a-chip (SoC) and was running its own firmware to communicate with the Application Processor (AP) via the SPI bus. Using different APIs, Titan M guaranteed a higher level of protection against cyber attacks and provided under-the-hood protection up to the secure boot level.
However, by using reverse engineering on the chip’s firmware, Quarkslab researchers reached the open source OS for micro-controllers. They found out that some temporal security bugs can be eliminated — thus creating an opening for hackers to access the hard-coded stack canary. This small vulnerability was enough for the researchers to find a memory corruption opening on the chip that does not require user interaction.
Fuzzing Titan M Chip
Fuzzing is a technique used by hackers to exploit software vulnerabilities. Cybersecurity specialists widely use it to check unknown bugs in applications, websites, and electronic devices. While fuzzing Titan M, Quarkslab observed that a crash occurred when the “firmware was trying to write 1 byte in an unmapped memory area.” Additionally, researchers denoted that the bug could be triggered multiple times to achieve out-of-bounds writes.
The researchers then shared how it allowed them to retrieve any StrongBox protected key, thus bypassing the protection levels of the Android Keystore. Quarkslab reported the vulnerabilities in Titan M Chip, and the Silicon Valley giant gave a bounty amount of $10,000, which was increased to $75,000, upon successfully demonstrating the exploitation by the security firm.