
Google Password Protects Pixel 2 Firmware

Google has made the firmware of Pixel 2 devices resistant to unauthorized attempts to upgrade it by password protecting it.


Specifically, anyone interested in upgrading the firmware of a Pixel 2 device needs to supply the user password to successfully complete the process and still have access to user data.

Google has been demanding full-disk encryption for new Android devices since 2015, and the newly implemented protection is meant to complement that security feature. Google Pixel devices also encrypt all user data, and keep the encryption key protected in secure hardware.

“The secure hardware runs highly secure firmware that is responsible for checking the user’s password. If the password is entered incorrectly, the firmware refuses to decrypt the device. This firmware also limits the rate at which passwords can be checked, making it harder for attackers to use a brute force attack,” Google explains in a blog post.

Google is also applying digital signatures in an attempt to prevent attackers from replacing a device’s firmware with a malicious version. To replace the firmware, an attacker would have to find and exploit a vulnerability in the signature-checking process, or gain access to the signing key and sign their own firmware version to trick the device into accepting it.

While the signature-checking software is small, isolated, and vetted, which makes exploitation difficult, the signing keys remain a target: they are stored in secure locations, but a limited number of people still have access to them.

“That’s good, but it leaves those people open to attack by coercion or social engineering. That’s risky for the employees personally, and we believe it creates too much risk for user data,” Google notes.

Google Pixel 2 devices, the Internet giant says, have insider attack resistance in the tamper-resistant hardware security module to protect the encryption keys. Thus, if an attacker does come up with a properly signed malicious firmware, they cannot install it on the security module without the user’s cooperation.

Specifically, the correct password is required to upgrade the firmware. While upgrades can be forced, the company says, the process would wipe the secrets used to decrypt the user’s data, effectively destroying it.
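The policy described above, modelled as an added example (not Google's code, and not a description of the real Pixel 2 implementation): a simulated secure element that checks the user password with throttling, keeps the data key wrapped under a password-derived key, and only applies a correctly signed firmware image while preserving that key when the user password is supplied; a forced upgrade installs the image but destroys the wrapped key. The vendor signing key, salt and HMAC-based "signature" are constructed stand-ins.

```python
from __future__ import annotations
import hashlib
import hmac
import time
from dataclasses import dataclass
# Constructed stand-ins; a real device uses an asymmetric vendor key and hardware-bound secrets.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"
FREE_ATTEMPTS = 5  # failed password checks tolerated before throttling starts

def sign_firmware(image: bytes) -> bytes:
    # Vendor-side signing; HMAC stands in for the real signature scheme.
    return hmac.new(VENDOR_SIGNING_KEY, image, hashlib.sha256).digest()

@dataclass
class SecureElement:
    firmware: bytes
    salt: bytes = b"constructed-per-device-salt"
    wrapped_key: bytes | None = None  # data key XOR-wrapped under the password-derived key
    verifier: bytes | None = None     # lets the SE tell a right password from a wrong one
    failed_attempts: int = 0
    locked_until: float = 0.0

    def provision(self, password: str, data_key: bytes) -> None:
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.wrapped_key = bytes(a ^ b for a, b in zip(data_key, kek))
        self.verifier = hmac.new(kek, b"verifier", hashlib.sha256).digest()

    def unlock(self, password: str) -> bytes | None:
        # Returns the data key, or None when wiped, throttled, or the password is wrong.
        if self.wrapped_key is None or time.monotonic() < self.locked_until:
            return None
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        if not hmac.compare_digest(self.verifier, hmac.new(kek, b"verifier", hashlib.sha256).digest()):
            self.failed_attempts += 1  # exponential backoff once FREE_ATTEMPTS is exceeded
            self.locked_until = time.monotonic() + 2.0 ** max(0, self.failed_attempts - FREE_ATTEMPTS) - 1
            return None
        self.failed_attempts = 0
        return bytes(a ^ b for a, b in zip(self.wrapped_key, kek))

    def update_firmware(self, image: bytes, sig: bytes, password: str | None = None, force: bool = False) -> str:
        # A valid vendor signature is necessary but not sufficient to keep user data.
        if not hmac.compare_digest(sign_firmware(image), sig):
            return "rejected: bad signature"
        if password is not None and self.unlock(password) is not None:
            self.firmware = image
            return "installed: user data preserved"
        if force:  # forced upgrade: install, but destroy the secrets protecting user data
            self.firmware, self.wrapped_key, self.verifier = image, None, None
            return "installed: user data wiped"
        return "rejected: user password required"
```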

“The Android security team believes that insider attack resistance is an important element of a complete strategy for protecting user data. The Google Pixel 2 demonstrated that it’s possible to protect users even against the most highly-privileged insiders. We recommend that all mobile device makers do the same,” Google notes.

Related: Google Turns TLS on By Default on Android P

Related: Google Pushes Mandatory Full-Disk Encryption in Android 6.0

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
