Google Pixel 3’s Titan M Chip Security Features Detailed

Google Pixel 3's Titan M Chip Security Features Detailed

Google earlier this month unveiled the Pixel 3₹ 71,000 and Pixel 3 XL as its new flagships. Among other great features, the latest Pixel family comes with a dedicated Titan M chipthat is designed to deliver enhanced security. The search giant claims that the new chip offers the best of the Titan chip featured on Google Cloud data centres. It also comes as an upgrade of the tamper-resistant hardware security module available on the Pixel 2₹ 36,099 series that protected its lock screen and strengthened disk encryption. The newest chip secures boot loading by getting integrated into the Verified Boot process. It is also touted to secure transactions in third-party apps.

In a blog post, Google has detailed the key features of the Titan M chip featured on the Pixel 3 and Pixel 3 XL. The company claims that with the new silicon, the Pixel 3 models have an “enterprise-grade security” that secures “most sensitive on-device data and operating system”. The chip enables the bootloader to validate the Android version of your smartphone. The company says that the chip stores the last known safe Android version and prevents “bad actors” from moving back your handset back to run on an older, potentially vulnerable, Android version. Further, it prevents attempts to unlock the bootloader.

The Titan M chip also powers the lock screen passcode on your Pixel 3. Google says that it “makes the process of guessing multiple password combinations harder” by restricting the number of login attempts. This helps to reduce the amount of unauthorised unlocks. The chip also allows for decryption only upon successfully verifying your actual passcode. Similarly, it makes it harder for attackers to tamper security and gain backdoor access to decrypt your data by securing flash and enable a fully independent computation.

As mobile payments are rising in adoption, Google has also deployed the Titan M chip to secure sensitive transactions. App developers can use StrongBox KeyStore APIs to enable the dedicated chip to generate and store private keys for their apps. Google says that the Google Pay team is already testing out the new APIs that are a part of Android 9. Moreover, the Titan M chip also enables the Protected Confirmation API that exists within Android Pie to protect mobile transactions. “As more processes come online and go mobile — like e-voting, and P2P money transfers — these APIs can help to ensure that the user (not malware) has confirmed the transaction,” Google’s Xiaowen Xin of Android Security team writes in the blog post.

The Titan M chip is also touted to offer insider attack resistance. This means attackers won’t be able to alter the scope of the new chip by tweaking its default firmware. Google says that the Titan M firmware “will never be updated unless you have entered your passcode.”

A separate blog post on Android Developers portal highlights that since Titan M comes as a separate chip, it mitigates against the “entire classes of hardware-level exploits such as Rowhammer, Spectre, and Meltdown”. The chip also resists access to its processor, caches, memory, and persistent storage from being used through the phone’s native system. The chip includes an ARM Cortex-M3 microprocessor that is affirmed to resist side-channel attacks and augmented with defensive features “to detect and respond to abnormal conditions”. Once powered on, the chip verifies the signature of its flash-based firmware using a built-in public key and then it begins its operations after validating the signature. There is also 64KB of RAM that can also preserve its contents in low-power mode.

Additionally, Google reveals that there are a number of hardware accelerators, including AES, SHA, and a “programmable big number coprocessor” to enable public key algorithms. “These accelerators are flexible and can either be initialised with keys provided by firmware or with chip-specific and hardware-bound keys generated by the Key Manager module. Chip-specific keys are generated internally based on entropy derived from the True Random Number Generator (TRNG), and thus such keys are never externally available outside the chip over its entire lifetime,” the company explains in its developer-focused blog post.

Google says that the security will be able to audio the Titan M through its open-source firmware in the coming months. The chip will be exclusive to the new Pixel models, though some Android OEMs are likely to deploy similar technologies on their future phones.