Google’s Android Red Team Had a Full Pixel 6 Pwn Before Launch

Before the flagship phone ever landed in users’ hands, the security team thoroughly hacked it by finding bugs and developing exploits.
[Image: Google Pixel 6. Photograph: Google]

When Google launched the Pixel 6 and 6 Pro in October 2021, key features included its custom Tensor system-on-a-chip processor and the security benefits of its onboard Titan M2 security chip. But with so much new equipment launching at once, the company needed to be extra careful that nothing was overlooked or went wrong. At the Black Hat security conference in Las Vegas today, members of the Android red team are recounting their mission to hack and break as much as they could in the Pixel 6 firmware before launch—a task they accomplished. 

The Android red team, which primarily vets Pixel products, caught a number of important flaws while attempting to attack the Pixel 6. One was a vulnerability in the boot loader, the first piece of code that runs when a device boots up. Attackers could have exploited the flaw to gain deep device control. It was particularly significant because the exploit could persist even after the device was rebooted, a coveted attack capability. Separately, the red teamers also developed an exploit chain using a group of four vulnerabilities to defeat the Titan M2, a crucial finding, given that the security chip needs to be trustworthy to act as a sort of sentry and validator within the phone.

“This is the first proof of concept ever to be publicly talked about getting end-to-end code execution on the M2 Titan chip,” Farzan Karimi, one of the red team leads, told WIRED ahead of the talk. “Four vulnerabilities were chained to create this, and not all of them were critical on their own. It was a mixture of highs and moderate severity that when you chain them together creates this impact. The Pixel developers wanted a red team to focus these types of efforts on them, and they were able to patch the exploits in this chain prior to release.”

The researchers say that the Android red team prioritizes not just finding vulnerabilities but spending time developing real exploits for the bugs. This creates a better understanding of how exploitable, and therefore critical, different flaws really are and sheds light on the range of possible attack paths so the Pixel team can develop comprehensive and resilient fixes.

Like other top red teams, the Android group uses an array of approaches to hunt for bugs. Tactics include manual code review and static analysis, automated methods for mapping how a codebase functions, and looking for potential problems in how the system is set up and how different components interact. The team also invests significantly in developing tailored “fuzzers” that it can then hand off to teams across Android to catch more bugs while development is first going on.

“A fuzzer is basically a tool that throws malformed data and junk at a service to get it to crash or reveal some security vulnerability,” Karimi says. “So we build these fuzzers and hand them off so other teams can continuously run them throughout the year. It’s a really nice thing that our red team has accomplished outside of finding bugs. We’re really institutionalizing fuzzing.”
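As an added illustration of the fuzzer-and-hand-off workflow Karimi describes (example code written for this page, not Google's or the Android red team's tooling): a minimal mutational fuzzer run against a constructed toy boot-image header parser, once with a length-trusting bug and once with the length checked, so the same harness reports crashes for the first and none for the second. The image format, both parsers and the mutation strategies are all assumptions made for the example.

```python
import random
import struct
# Constructed toy image format, not Pixel code: b"IMG1", u32 LE payload length, payload.
MAGIC = b"IMG1"
SEED = MAGIC + struct.pack("<I", 8) + b"A" * 8   # one valid image, used as the fuzz seed

def checksum(payload: bytes, n: int) -> int:
    acc = 0
    for i in range(n):          # reads exactly n bytes, trusting the caller's n
        acc ^= payload[i]
    return acc

def parse_naive(blob: bytes) -> int:
    """Trusts the length field: a short blob makes checksum() index past the payload."""
    if len(blob) < 8 or blob[:4] != MAGIC:
        raise ValueError("bad magic")
    (n,) = struct.unpack("<I", blob[4:8])
    return checksum(blob[8:8 + n], n)

def parse_hardened(blob: bytes) -> int:
    """Same parser, but the length field is checked against the bytes present."""
    if len(blob) < 8 or blob[:4] != MAGIC:
        raise ValueError("bad magic")
    (n,) = struct.unpack("<I", blob[4:8])
    if n > len(blob) - 8:
        raise ValueError("length field exceeds data")
    return checksum(blob[8:8 + n], n)

def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte overwrite, or tail truncation."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    else:
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> list:
    """Feed mutated seeds to target; ValueError is a clean rejection, anything else is a crash."""
    rng, crashes = random.Random(rng_seed), []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:         # IndexError etc.: record the input and the reason
            crashes.append((case, repr(exc)))
    return crashes
```

Each recorded crash is a reproducer the fuzzer's owner can hand to the component team along with the harness, which is the hand-off the article describes.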

The idea across Android, in general, is to bake security assessments and improvements into the development process as early as possible to avoid costly mistakes later. In the Black Hat talk, the researchers will also be highlighting some of the types of bugs they are most focused on looking for to try to stay ahead of trends in attacker exploitation.

For example, the researchers have been hunting for vulnerabilities in the cellular communication tech that’s baked into Pixels and every smartphone. “We’re actively invested in that area, and what I can say is that it’s 100 percent worth the effort,” Karimi says. And he adds that the biggest type of vulnerability the group has its eye on right now is “race condition” bugs, in which attackers take advantage of the sequence or timing of an uncontrollable event and inject themselves into a software interaction at the opportune time to gain unintended system access.

“Imagine you’re setting up a profile on a … smartwatch,” Karimi says. “Maybe the system tries to run commands and the attacker injects their own commands during that process to submit or execute malicious code that they control. We’re thinking about unique ways to tackle this.”

In part, the red team’s job is to set priorities and bet on the right security horses to protect Pixel users around the world.

“Pixel 6 was a complete transformation of prior generation phones, and it was our job to red team it and secure it,” Karimi says. “We were looking at all this attack surface and testing what we felt is at most risk within about a year and half of time. There are 100 things you have to look at, and they’re all high priority. So you have to be selective about what’s the lowest level of effort for an attacker to abuse and start with that.”