Critical Bug in Google Titan M Chip Netted Researchers $75,000

bug in Google Titan M

Quarkslab researchers published details of a critical bug they found in the Google Titan M chip earlier this year.

Let me remind you that the Titan M, released in 2018, is a SoC (system-on-a-chip) designed exclusively for processing sensitive data and processes, such as Verified Boot, disk encryption, lock screen protection, secure transactions and much more. In particular, Titan M is designed to improve the security of Pixel devices, including Secure Boot.

Let me remind you that we also wrote that Google Is Trying to Get Rid of the Engineer Who Suggested that AI Gained Consciousness and that Google Offers up to $91,000 for Linux Kernel Vulnerabilities.

Experts from Quarkslab say that the vulnerability they discovered received the identifier CVE-2022-20233 and was fixed with the release of the June patches for Android. Back then, Google described this bug as a critical privilege escalation issue.

According to the researchers, the vulnerability is not only related to privilege escalation, but can also be used to execute code on the Titan M chip. From a technical point of view, the bug is an out-of-bounds write problem, which is associated with incorrect boundary verification. That being said, the report highlights that exploiting this issue for local privilege escalation does not require user interaction.

Quarkslab reports that the bug was discovered while fuzzing the Titan M when it was noticed that “the firmware is trying to write 1 byte to an unallocated memory area.” It turned out that repeating this action provokes an out-of-bounds entry and eventually leads to the occurrence of CVE-2022-20233.

The researchers note that the memory of the Titan M is completely static. Therefore, they had to directly connect to the UART console in order to access the debug logs, and only after that an exploit was created that allowed them to read arbitrary memory from the chip, steal the secrets stored there, and also gain access to the boot ROM.

One of the most interesting consequences of this attack is the ability to get any StrongBox-protected key by breaking the Android Keystore’s highest level of protection. Just like in TrustZone, these keys can only be used inside the Titan M when they are stored in an encrypted blob on the device.Quarkslab says.

The researchers notified Google of the vulnerability back in March 2022. The company released the patch in June and initially paid out only $10,000 in bug bounty rewards to experts. However, after providing an exploit demonstrating code execution and stealing secrets, the company increased the bounty to $75,000.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published.