Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Vulnerability in Google’s Titan M Chip Earns Researchers $75,000

Security researchers at Quarkslab have published detailed information on a critical vulnerability they discovered in Google’s Titan M chip earlier this year.

Introduced in 2018, Titan M is a system-on-a-chip (SoC) designed to deliver increased security protections to Pixel devices, including guaranteeing secure boot.

Security researchers at Quarkslab have published detailed information on a critical vulnerability they discovered in Google’s Titan M chip earlier this year.

Introduced in 2018, Titan M is a system-on-a-chip (SoC) designed to deliver increased security protections to Pixel devices, including guaranteeing secure boot.

Tracked as CVE-2022-20233, the newly detailed vulnerability was addressed as part of Android’s June 2022 security patches, when Google described it as a critical escalation of privilege bug.

According to Quarkslab’s researchers – who discovered the issue and reported it to Google – the security flaw can be exploited to achieve code execution on the Titan M chip.

The vulnerability is an out-of-bounds write issue that exists because of an incorrect bounds check. Exploiting the bug to achieve local escalation of privilege does not require user interaction.

Quarkslab says that, while fuzzing Titan M, they observed a crash that was occurring when “the firmware was trying to write 1 byte in an unmapped memory area,” and discovered that the bug could be triggered multiple times to achieve out-of-bounds writes.

The security researchers note that the Titan M memory is completely static, but that they had to directly connect to the UART console exposed by Titan M to access debugging logs and move on with building an exploit.

Quarkslab’s researchers then created an exploit that allowed them to read arbitrary memory on the chip, which allowed them to “dump the secrets stored in the chip (such as the Root of Trust sent by the Pixel bootloader when the Titan M is updated)” and even access the boot ROM.

Advertisement. Scroll to continue reading.

“One of the most interesting consequences of this attack is the ability to retrieve any StrongBox protected key, defeating the highest level of protection of the Android Keystore. Similarly to what happens in TrustZone, these keys can only be used inside Titan M, while they are stored in an encrypted key blob on the device,” Quarkslab explains.

The researchers reported the vulnerability to Google in March. Google released a patch in June and initially awarded a $10,000 bounty reward for the bug. However, after being provided with an exploit demonstrating code execution and the exfiltration of secrets, the company increased the payout to $75,000.

Quarkslab’s researchers presented their findings both at the TROOPERS conference in June and at Black Hat USA last week.

Related: Google Patches Critical Android Vulnerabilities With June 2022 Updates

Related: Google Offering Up to $1.5 Million for Android 13 Beta Exploits

Related: Google Paid Out $8.7 Million in Bug Bounty Rewards in 2021

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.