You still ideally have a high entropy passphrase on a Pixel, but 6 digit random PIN does hold up to even sophisticated attackers unless they find a secure element exploit, which is increasingly hard, especially with Pixel 6 Titan M2 where ARM Cortex secure element was replaced.
Conversation
Replying to
They don't even mention it as a recommendation:
source.android.com/compatibility/
The only thing they require is some kind of TEE integration which makes it so that brute force attacks can't be offloaded to a cluster but rather you need to do it on the device, unless you bypass this.
1
2
TEE hardware-bound key derivation integration helps to make a decent passphrase much more secure. It can't really increase the value of a random 6 digit PIN because it doesn't take long to iterate through all the possible values on the device despite key derivation work factor.
1
For Pixels, due to Weaver, the 2 most sensible choices are either a random 6 digit PIN (most people) or 7 random diceware words as a passphrase. Either you rely on the hardware security features or you don't.
1
1
If you use a typical weak/mediocre passphrase, the TEE hardware bound key derivation helps if they can exploit secure element but cannot extract the hardware bound key. It depends on how well that's implemented, the delay per attempt (perhaps ~50ms) and your passphrase quality.
1
Also worth noting: TEE hardware bound key derivation has often been incorrectly implemented where the TEE firmware has a key available that is leaked if you compromise the TEE. It's *supposed* to be burned in hw and not accessible to the firmware, just usable for AES or HMAC.
1
The concept is that the TEE is supposed to run thousands of iterations using a hardware provided crypto primitive like AES / HMAC where the key is burned into hardware. Qualcomm Crypto Engine has this feature but their TEE didn't used to actually use it for this key derivation.
1
1
CDD has absolutely no requirements for the implementation beyond the hardware keystore / TEE being integrated somehow. They could require that there is actual hardware bound key derivation and they could require secure element with Weaver, but there's no quality requirements.
1
Replying to
So what I'm getting is it's not worth getting an Android phone that isn't from Samsung as a flagship or some Pixel device
1
Replying to
It really isn't worth it if you care about security.
Samsung does a lot of good security work but the downside of their devices is they add a massive amount of attack surface with all their fancy features. Samsung is closest to being caught up on security features though.
At least on Samsung's flagship phones... I have no idea what they have on the low end ones, and the super low end MediaTek ones have awful security compared to the Snapdragon/Exynos ones. No clue how broadly they've deployed stuff like secure elements and Weaver on low end.
1
2
Thank you so much for this deep dive. This was a really fascinating read. I really enjoyed reading the whole thread and I have learned way more than I could ever think of from a twitter thread
1
1
Show replies