When Google introduced Pixel 3 on October 9, one of the innovations they briefly mentioned was the Titan M security chip. While they have talked about how to improve overall security, they have changed the number of changes that it brings with it for the security of Pixel 3, not extended. Well, they've finally shared more, and it's a pretty big deal.
The Titan M is an enhanced version of the hardware security module from last year's Pixel 2 lineup. They borrowed the titanium chip used in their data centers and measured it for mobile users (hence the M). And thanks to Android 9.0 Pie's security enhancements, Google has been able to better integrate the security chip so that even apps can benefit from its performance.
With the new improvements, both the operating system and apps benefit from secure hardware. Titan M makes sure your phone boots with verified software every time and checks every boot level. Apps can be sure that passwords and payments are authorized and incorrect when they leave your phone. The result is a potential end of exploits being applied to locked phones, stronger encryption, and a rewrite of Google's previous bugs to protect its users.
Protecting Verified Boot
Expanding on Androids checked boot system, Google takes a page from BlackBerry and integrating the security chip into the secure boot process. The Pixel 3 checks the version number of the Android operating system to make sure you are using the correct version. In particular, it provides rollback protection to prevent anyone from downgrading your phone to an older Android version.
In this way, an attacker can not downgrade the operating system to bypass new security tools introduced in the latest release. This is very important for Pixel 3, as Android 9.0 Pie has introduced a host of new security features. By downgrading to Oreo, an attacker could bypass these upgrades. Since the Android version is now verified on the Titan M chip, you are protected against external attacks during the verification process because the Titan M is separate from the SoC.
In addition, Titan M protects your device from running a corrupted version of Android. At each boot, the verified boot process (executed in Titan M) ensures that all code is from a trusted source, with each partition being checked before proceeding to the next
Titan M-Chip, prevents exploits to unlock the bootloader in Android. The boot loader will fail the verification process and it would not move to the next level. You can not unlock the bootloader on Pixel 3 ̵
Android 9.0 Pie
Android 9.0 Pie also introduced Protected Confirmation, a function that prompts a user to confirm a brief statement. By accepting the statement, the app can confirm that the user has read the message and is ready to complete the sensitive transaction such as payments or votes. Titan M generates a key to sign the message. Since Titan M is separate from the operating system, the signature is unique and gives the app with great confidence the security that the user has read and agreed to the message.
For years, phones have been using secure environments to protect encryption keys. These environments run highly secure firmware that verifies the user's password for the key to decrypt the storage partition.
However, malicious users could attack this system by replacing the secure firmware with a usable one. It's easier for them to access it. To prevent this, OEMs, including Google, use a digital signature that confirms that the software used is from Google. However, attackers can prevent this process in one of two ways: finding a vulnerability in the signature confirmation process, or gaining access to a signed key and signing their malicious software.
The former is quite difficult, but with the second option, keys can be captured with coercion or social engineering. Therefore, Google has the need to improve this protection to prevent these keys from being accessible to the wrong person.
What Google has done with Titan M is improved protection by building insider attack resistors. With this protection, Titan M is protected against the use of malicious software by preventing updates to the firmware without requiring the user to enter an access code first. This means that without your code unlocking the lock screen, it is not possible for a malicious actor to alter the Titan M's firmware, resulting in the keys. This will make the encryption of your Pixel 3 or 3 XL a lot more powerful and tamper-proof.
With the changes Google makes, it looks like BlackBerry is tearing down on them. Google gives priority to security and is committed to making sure that your Pixel 3 and 3 XL are protected against accidental changes by using the security of the Titan M-Chip. What do you think about these changes? Are you enthusiastic about this level of protection? Let us know in the comments below.