Google’s Android Red Team had a full Pixel 6 before launch
When Google launched the Pixel 6 and 6 Pro in October 2021, key features included its custom Tensor system-on-chip processor and the security benefits of its Titan M2 embedded security chip. But with so much new equipment launching at the same time, the company had to be very careful that nothing was overlooked or went wrong. At the Black Hat Security Conference in Las Vegas today, members of Android’s Red Team recount their mission to hack and crack as much of the Pixel 6 firmware as they can before launch, a task which they have accomplished.
The Android Red Team, which primarily checks Pixel products, found a number of significant flaws while attempting to attack the Pixel 6. One was a vulnerability in the bootloader, the first piece of code that got executes when a device starts. Attackers could have exploited the flaw to gain deep control of the device. This was particularly important because the exploit could persist even after rebooting the device, a coveted attack capability. Separately, Red Teams also developed an exploit chain using a cluster of four vulnerabilities to defeat the Titan M2, a crucial discovery, given that the security chip must be trusted to act as a kind of sentinel and validator in the phone.
“This is the first proof of concept to have been publicly discussed to achieve end-to-end code execution on the M2 Titan chip,” said Farzan Karimi, one of the Red Team leaders, to WIRED before the conference. “Four vulnerabilities were chained together to create this, and not all of them were critical on their own. It was a mix of high and moderate severity which when you chain them together creates this impact. Pixel developers wanted a red team is focusing those types of efforts on them, and they were able to fix exploits on that channel before release.
Researchers say Android’s red team prioritizes not only finding vulnerabilities, but also developing real exploits for bugs. This provides a better understanding of how exploitable, and therefore critical, the various flaws are, and sheds light on the range of possible attack paths so that the Pixel team can develop comprehensive and resilient fixes.
Like other top red teams, the Android Group uses an array of approaches to bug hunting. Tactics include manual code review and static analysis, automated methods for mapping the operation of a codebase, and finding potential problems in system configuration and the interaction of various components. The team is also investing heavily in the development of bespoke “fuzzers” which they can then hand off to Android teams to catch more bugs during development.
“A fuzzer is basically a tool that throws malformed data and junk files at a service to crash it or reveal a security vulnerability,” Karimi explains. “So we’re building these fuzzers and passing them around so other teams can use them continuously throughout the year. It’s a really nice thing that our red team has done outside of finding bugs. We let’s really institutionalize fuzzing.