Security researchers at Quarkslab have published detailed information on a critical vulnerability they discovered in Google’s Titan M chip earlier this year.
Introduced in 2018, Titan M is a system-on-a-chip (SoC) designed to deliver increased security protections to Pixel devices, including guaranteeing secure boot.
Tracked as CVE-2022-20233, the newly detailed vulnerability was addressed as part of Android’s June 2022 security patches, when Google described it as a critical escalation of privilege bug.
According to Quarkslab’s researchers – who discovered the issue and reported it to Google – the security flaw can be exploited to achieve code execution on the Titan M chip.
The vulnerability is an out-of-bounds write issue that exists because of an incorrect bounds check. Exploiting the bug to achieve local escalation of privilege does not require user interaction.
Quarkslab says that, while fuzzing Titan M, they observed a crash that was occurring when “the firmware was trying to write 1 byte in an unmapped memory area,” and discovered that the bug could be triggered multiple times to achieve out-of-bounds writes.
The security researchers note that the Titan M memory is completely static, but that they had to directly connect to the UART console exposed by Titan M to access debugging logs and move on with building an exploit.
Quarkslab’s researchers then created an exploit that allowed them to read arbitrary memory on the chip, which allowed them to “dump the secrets stored in the chip (such as the Root of Trust sent by the Pixel bootloader when the Titan M is updated)” and even access the boot ROM.
“One of the most interesting consequences of this attack is the ability to retrieve any StrongBox protected key, defeating the highest level of protection of the Android Keystore. Similarly to what happens in TrustZone, these keys can only be used inside Titan M, while they are stored in an encrypted key blob on the device,” Quarkslab explains.
The researchers reported the vulnerability to Google in March. Google released a patch in June and initially awarded a $10,000 bounty reward for the bug. However, after being provided with an exploit demonstrating code execution and the exfiltration of secrets, the company increased the payout to $75,000.
Quarkslab’s researchers presented their findings both at the TROOPERS conference in June and at Black Hat USA last week.
Related: Google Patches Critical Android Vulnerabilities With June 2022 Updates
Related: Google Offering Up to $1.5 Million for Android 13 Beta Exploits
Related: Google Paid Out $8.7 Million in Bug Bounty Rewards in 2021