Google’s Android Red Team Had a Full Pixel 6 Pwn Before Launch

When Google launched the Pixel 6 and 6 Pro in October 2021, key features included its custom Tensor system-on-a-chip processor and the security benefits of its onboard Titan M2 security chip. But with so much new equipment launching at once, the company needed to be extra careful that nothing was overlooked or went wrong. At the Black Hat security conference in Las Vegas on Wednesday, members of the Android red team are recounting their mission to hack and break as much as they could in the Pixel 6 firmware before launch—a task they accomplished. 

The Android red team, which primarily vets Pixel products, caught a number of important flaws while attempting to attack the Pixel 6. One was a vulnerability in the boot loader, the first piece of code that runs when a device boots up. Attackers could have exploited the flaw to gain deep device control. It was particularly significant because the exploit could persist even after the device was rebooted, a coveted attack capability. Separately, the red teamers also developed an exploit chain using a group of four vulnerabilities to defeat the Titan M2, a crucial finding given that the security chip needs to be trustworthy to act as a sort of sentry and validator within the phone.

“This is the first proof of concept ever to be publicly talked about getting end-to-end code execution on the M2 Titan chip,” Farzan Karimi, one of the red team leads, told WIRED ahead of the talk. “Four vulnerabilities were chained to create this, and not all of them were critical on their own. It was a mixture of highs and moderate severity that when you chain them together creates this impact. The Pixel developers wanted a red team to focus these types of efforts on them, and they were able to patch the exploits in this chain prior to release.”

The researchers say that the Android red team prioritizes not just finding vulnerabilities but spending time developing real exploits for the bugs. This creates a better understanding of how exploitable, and therefore critical, different flaws really are and sheds light on the range of possible attack paths so the Pixel team can develop comprehensive and resilient fixes.

Like other top red teams, the Android group uses an array of approaches to hunt for bugs. Tactics include manual code review and static analysis, automated methods for mapping how a codebase functions, and looking for potential problems in how the system is set up and how different components interact. The team also invests significantly in developing tailored “fuzzers” that it can then hand off to teams across Android to catch more bugs while development is first going on.

“A fuzzer is basically a tool that throws malformed data and junk at a service to get it to crash or reveal some security vulnerability,” Karimi says. “So we build these fuzzers and hand them off so other teams can continuously run them throughout the year. It’s a really nice thing that our red team has accomplished outside of finding bugs. We’re really institutionalizing fuzzing.”