Google has made the firmware of Pixel 2 devices resistant to unauthorized attempts to upgrade it by password protecting it.
Specifically, anyone interested in upgrading the firmware of a Pixel 2 device needs to supply the user password to successfully complete the process and still have access to user data.
Google has been demanding full-disk encryption for new Android devices since 2015, and the newly implemented protection is meant to complement that security feature. Google Pixel devices also encrypt all user data, and keep the encryption key protected in secure hardware.
“The secure hardware runs highly secure firmware that is responsible for checking the user’s password. If the password is entered incorrectly, the firmware refuses to decrypt the device. This firmware also limits the rate at which passwords can be checked, making it harder for attackers to use a brute force attack,” Google explains in a blog post.
Google is also applying digital signatures in their attempt to prevent attackers from replacing a device’s firmware with a malicious iteration. To replace the firmware, an attacker would have to find and exploit a vulnerability in the signature-checking process, or to gain access to the signing key, then sign their firmware version to trick the device into accepting it.
While the signature-checking software is small, isolated, and vetted, which makes exploitation difficult, the signing keys are accessible because they are stored in secure locations, although only a limited number of people have access to them.
“That’s good, but it leaves those people open to attack by coercion or social engineering. That’s risky for the employees personally, and we believe it creates too much risk for user data,” Google notes.
Google Pixel 2 devices, the Internet giant says, have insider attack resistance in the tamper-resistant hardware security module to protect the encryption keys. Thus, if an attacker does come up with a properly signed malicious firmware, they cannot install it on the security module without the user’s cooperation.
Specifically, the correct password is required to upgrade the firmware. While upgrades can be forced, the company says, the process would wipe the secrets used to decrypt the user’s data, effectively destroying it.
“The Android security team believes that insider attack resistance is an important element of a complete strategy for protecting user data. The Google Pixel 2 demonstrated that it’s possible to protect users even against the most highly-privileged insiders. We recommend that all mobile device makers do the same,” Google notes.