When Google launched Pixel 6 and 6 Pro October 2021, key features include Custom Tensor system-on-chip processors and the security benefits of integrated processors Security Chip Titan M2. But with so many new devices launching at once, the company needs to be extra careful that nothing is left out or goes wrong. At Black Hat’s security conference in Las Vegas today, members of the red Android team are recounting their mission to hack and break as much as possible in pre-launch Pixel 6 firmware — a mission which they have completed.
Android’s red team, which mainly tests Pixel products, discovered several critical bugs when trying to attack the Pixel 6. One was a vulnerability in the bootloader, the first piece of code that runs when the device is launched. start up. Attackers may have exploited the vulnerability to gain control of the worm device. It is especially important because the exploit can persist even after the device is rebooted, a coveted attack possibility. In addition, the red teams also developed an exploit chain using a group of four vulnerabilities to defeat Titan M2, an important finding, given that the security chip needs to be trusted to function as a type of security chip. monitor and confirm in phone.
“This is the first proof of concept ever publicly talked about end-to-end code execution on the M2 Titan chip,” Farzan Karimi, one of the red team leaders, told WIRED ahead of the talk. story. “Four vulnerabilities were chained to create this, and not all of them are critical. It’s a mix of high and moderate severity that when you string them together creates this impact. The Pixel developers want a red team to focus these efforts on them, and they can patch the exploit in this thread before release. “
The researchers say that the red Android team not only prioritizes finding vulnerabilities, but also spends time developing real exploit methods for these bugs. This helps to better understand the true extent of various exploitable and thus important bugs, and sheds light on the range of possible attack paths so that the Pixel team can develop new exploits. Comprehensive and flexible fixes.
Like the other top red teams, the Android team uses a variety of approaches to bug hunting. Tactics include manual code review and static analysis, automated methods for mapping how the codebase works, and looking for potential problems with how the system is set up and how components are different interactions. The team also invests significantly in developing the right “furs” that can then be handed off to the Android teams to catch more bugs while development is in progress for the first time.
“A blur machine is basically a tool that throws malformed data and garbage at a service to cause it to crash or expose some security hole,” Karimi said. “So we build these fluffs and deliver them so other teams can consistently run them throughout the year. That’s a really cool thing our red team has accomplished besides finding bugs. We are actually institutionalizing mining. “
