logo

2021: A Titan M Odyssey

Conference:  BlackHat USA 2021

2021-11-10

Summary

The presentation discusses the vulnerabilities found in the firmware of the Titan M chip and the potential for improvement in fuzzing techniques.
  • The Titan M chip is based on ARM Cortex M3 and has been hardened against physical attacks.
  • The firmware of the chip is not encrypted or obfuscated, making it easy for researchers to reverse engineer it.
  • The chip communicates with the rest of the world via UART and SPI buses.
  • The firmware has two sections, A and B, that have to do with the A/B update mechanism.
  • The Titan M chip has an operating system based on EC, which is fully open source and written in C.
  • The presentation discusses the vulnerabilities found in the firmware and the potential for improvement in fuzzing techniques.
  • The presentation suggests building a picture of what happens after a command by parsing the UART log or response to the command.
  • The presentation also suggests adopting an emulation-based solution to improve coverage.
  • The presentation concludes by stating that the fuzzing approach is giving new and interesting results, but there is room for improvement.
The presentation discusses how the read primitive was used to inspect the memory around the code that was crashing and how this helped identify two bugs that were still present in the latest version of the femur. By using the read primitive, the researchers were able to see that the structure was not initialized when the code was reaching it, which allowed them to report the bugs. However, Google considered the bugs not severe enough to end up in the bulletin.

Abstract

In the past years, most of the Android devices were relying on ARM Trustzone for critical security features.In 2018, with the release of the Pixel 3, Google introduced the Titan M chip, a hardware security module used to enhance the device security by reducing its attack surface, mitigating classes of hardware-level exploits such as Rowhammer or Spectre, and providing several security sensitive functions, such as a Keystore backend called StrongBox, Android Verified Boot (or AVB) and others. It has been now almost three years since this announcement and yet very little information about it is available online.In this presentation, we will deep dive into the Titan M's internals and usages. Our goal is to give an understanding of its attack surface as well as its role in some critical security features such as the StrongBox/Keymaster. We will provide some details on how we performed our research from the reverse engineering of the firmware to the physical sniffing of the communication and fuzz testing. We discovered some known and previously unknown vulnerabilities which, among others, allowed us to execute code on the chip and helped us to solve some of the remaining mysteries behind this chip.

Materials:

Tags: