Google’s Android Red Team Had a Full Pixel 6 Pwn Before Launch

When Google (*6*)launched the Pixel 6 and 6 Professional in October 2021, key options included its customized Tensor system-on-a-chip processor and the safety advantages of its onboard Titan M2 safety chip. However with a lot new gear launching directly, the corporate wanted to be additional cautious that nothing was ignored or went unsuitable. On the Black Hat safety convention in Las Vegas at the moment, members of the Android crimson crew are recounting their mission to hack and break as a lot as they may within the Pixel 6 firmware earlier than launch—a activity they completed. 

The Android crimson crew, which primarily vets Pixel merchandise, caught a variety of vital flaws whereas making an attempt to assault the Pixel 6. One was a vulnerability within the boot loader, the primary piece of code that runs when a gadget boots up. Attackers might have exploited the flaw to realize deep gadget management. It was notably important as a result of the exploit might persist even after the gadget was rebooted, a coveted assault functionality. Individually, the crimson teamers additionally developed an exploit chain utilizing a group of 4 vulnerabilities to defeat the Titan M2, a essential discovering, provided that the safety chip must be reliable to behave as a kind of sentry and validator throughout the telephone.

“That is the primary proof of idea ever to be publicly talked about getting end-to-end code execution on the M2 Titan chip,” Farzan Karimi, one of many crimson crew leads, instructed WIRED forward of the speak. “4 vulnerabilities have been chained to create this, and never all of them have been vital on their very own. It was a combination of highs and average severity that while you chain them collectively creates this influence. The Pixel builders needed a crimson crew to focus all these efforts on them, they usually have been capable of patch the exploits on this chain previous to launch.”

The researchers say that the Android crimson crew prioritizes not simply discovering vulnerabilities however spending time growing actual exploits for the bugs. This creates a higher understanding of how exploitable, and due to this fact vital, completely different flaws actually are and sheds mild on the vary of doable assault paths so the Pixel crew can develop complete and resilient fixes.

Like different prime crimson groups, the Android group makes use of an array of approaches to hunt for bugs. Ways embody guide code evaluate and static evaluation, automated strategies for mapping how a codebase capabilities, and searching for potential issues in how the system is ready up and the way completely different elements work together. The crew additionally invests considerably in growing tailor-made “fuzzers” that it could then hand off to groups throughout Android to catch extra bugs whereas improvement is first happening.

“A fuzzer is principally a device that throws malformed knowledge and junk at a service to get it to crash or reveal some safety vulnerability,” Karimi says. “So we construct these fuzzers and hand them off so different groups can repeatedly run them all year long. It’s a very nice factor that our crimson crew has completed exterior of discovering bugs. We’re actually institutionalizing fuzzing.”