
It likely only impacts older generation Pixels. Their research was done against a Pixel 3 which has been end-of-life since after October 2021. It almost certainly also impacted the Pixel 3a which has been end-of-life since after May 2022. Unclear which other Pixels it impacts.
Titan M2 in 6th generation Pixels is close to a clean break from the previous generations. It's likely not impacted. May impact 4th and 5th generation Pixels but they did make incremental changes to the Titan M on those. They see an issue only impacting older devices differently.
In the timeline, you can see they seemed unable to replicate it on a Pixel 5. Pixel 3 was already end-of-life at that point. Pixel 3a was still supported but only had a few months left before end-of-life. If it only impacted 3rd gen, there's the reason for the bounty amount.
If it was reported a few months later, they wouldn't have considered it a valid issue unless it impacted 4th or 5th generation Pixels too. It's just how it works: the bounties are for their supported products, and 6th gen Pixels are the first ones with 5 years instead of 3 years.
This issue actually impacts all the Pixels, from Pixel 3 up to Pixel 5. We only exploited Pixel 3 and 3a (which was not end of life at the time) because these were the devices we had in our hands. But it is true that we did not try to reproduce this issue on any Titan M2.
Titan M2 is a totally different thing where they did away with the Cortex secure element. They were probably working on that for at least 2-3 years before Pixel 6 launch and had Pixel 7 in development already, etc. so they see it as older than the public sees it based on launch.
Particularly for issues that are caused by vulnerabilities in Qualcomm or ARM code. They said at one point they would open source the original Titan M but they never did and I think that's because engineers weren't on the same page about very invasive ARM secure element NDAs.
Hard for them to release code if they agreed not to disclose anything about a lot of what's used by that code, etc. There should be no reason they can't release Titan M2 code though and they should be pressured to release the forks of Trusty, OpenTitan or whatever else it uses.
It has a lot of impact but whether it will be relevant going forward definitely sways the bounties. If you report a mem corruption bug in a C++ component that they've internally rewritten in Rust, they are probably going to see it as something they already addressed internally.