Google Reimagined a Phone. It was Our Job to Red Team and Secure it.

Conference: Black Hat USA 2022

2022-08-10

Summary

Fuzzing was the central methodology for identifying and mitigating issues in Titan M2 firmware before the Pixel 6 release:
  • Developed three fuzzers: two host-based and one emulator-based
  • Identified vulnerabilities in the identity task and other components through fuzzing and variant analysis
  • Exploited vulnerabilities to compromise high-value secrets protected by Titan M2
  • Implemented defense-in-depth mitigations such as physical memory protection registers, file system isolation, and ACL policy
  • Used AI, cybersecurity, and DevOps expertise to proactively identify and mitigate issues in Titan M2 firmware
Through fuzzing, the team identified a vulnerability in the identity task that provided an out-of-bounds write primitive. By exploiting this vulnerability and applying variant analysis, they were able to compromise high-value secrets protected by Titan M2. The team also implemented defense-in-depth mitigations, such as physical memory protection registers, file system isolation, and ACL policy, to prevent similar attacks in the future.

Abstract

Despite the large number of phone vendors, most Android devices are based on a relatively small subset of system on a chip (SoC) vendors. Google decided to break this pattern with the Pixel 6. From a security perspective, this meant that rather than using code that had been tested and used for years, there was a new stack of high-value device firmware we needed to get right the first time. This talk will go over how Android secured the reimagined Pixel 6 before its launch, focusing on the perspective of the Android Red Team. The team will demonstrate how fuzz testing, black box emulators, static analysis, and manual code reviews were used to identify opportunities for privileged code execution in critical components, including the first end-to-end proof of concept on the Titan M2 chip, as well as ABL with full persistence resulting in a bypass of hardware key attestation. Finally, the Android Red Team will demonstrate multiple security-critical demos. This work showcased the value of red teaming, ensuring a more secure and safe Pixel 6 before its release.
