"Critical Vulnerability in Google's Titan M Chip Earns Researchers $75,000"

Security researchers at Quarkslab discovered a critical vulnerability in Google's Titan M chip earlier this year.  Introduced in 2018, Titan M is a system-on-a-chip (SoC) designed to deliver increased security protections to Pixel devices, including guaranteeing secure boot.  The vulnerability is tracked as CVE-2022-20233.  According to the researchers, the security flaw can be exploited to achieve code execution on the Titan M chip.  The researchers noted that the vulnerability is an out-of-bounds write issue that exists because of an incorrect bounds check.  The researchers stated that exploiting the bug to achieve local escalation of privilege does not require user interaction.  The researchers said that while fuzzing Titan M, they observed a crash that was occurring when "the firmware was trying to write 1 byte in an unmapped memory area" and discovered that the bug could be triggered multiple times to achieve out-of-bounds writes.  The researchers noted that the Titan M memory is completely static but that they had to directly connect to the UART console exposed by Titan M to access debugging logs and move on with building an exploit.  The researchers then created an exploit that allowed them to read arbitrary memory on the chip, which allowed them to "dump the secrets stored in the chip (such as the Root of Trust sent by the Pixel bootloader when the Titan M is updated)" and even access the boot ROM.  The researchers stated that one of the most interesting consequences of this attack is the ability to retrieve any StrongBox protected key, defeating the highest level of protection of the Android Keystore.  The researchers reported the vulnerability to Google in March.  Google released a patch in June and initially awarded a $10,000 bounty reward for the bug.  However, after being provided with an exploit demonstrating code execution and the exfiltration of secrets, the company increased the payout to $75,000.

 

SecurityWeek reports: "Critical Vulnerability in Google's Titan M Chip Earns Researchers $75,000"

Submitted by Anonymous on