Google Pixel 2’s HSM Protects Users Against Malicious Firmware Updates

Google confirmed that its Pixel 2 uses a Secure Enclave on steroids called a hardware security module (HSM). The company revealed how the module helps protect users against malicious actors stealing the firmware signing key in order to replace the original device firmware and unlock the user's phone without their cooperation.

The iPhone has long been considered the most secure mobile device available. One of its main security features is the Secure Enclave, a portion of the chip that is strictly separated from the main operating system and stores encryption keys as well as other sensitive data you wouldn’t want attackers to easily obtain.

Google said that it too has been deploying features to make its Pixel smartphones more secure, such as encrypting all user data on the smartphones by default and storing the encryption keys in secure hardware. This hardware runs secure firmware that is responsible for checking the user’s password when decrypting the device.

To prevent attackers from replacing the firmware with malicious firmware (something the FBI wanted Apple to do in order to unlock users’ iPhones), Google applies digital signatures. However, an attacker could still bypass this mechanism by finding and exploiting vulnerabilities in the signing process or by gaining access to the signing key through other means. Once the attacker has the signing key, they can replace the firmware, and users would see it as a legitimate update to their device.

Google said that although its firmware is tiny, isolated, and thoroughly vetted, the signing keys must be kept somewhere and at least several people must have access to them. This opens the possibility for an inside attacker. The people holding the keys could also become targets of intelligence agencies or other sophisticated hacking groups and fall prey to social engineering or coercion.

Enter Pixel 2 Insider Attack Resistance

In Android P, Google announced support for HSMs, which are sort of a Secure Enclave on steroids. The HSM comes with a CPU, secure storage, a true random-number generator, and other mechanisms to resist tampering and unauthorized side-loading of apps. The HSM can be used in conjunction with a new implementation of the Keymaster hardware abstraction layer (HAL) called the “StrongBox Keymaster.”

Google now confirmed that the Pixel 2 already uses a tamper-resistant HSM, which enables the insider attack resistance. The module prevents attackers from replacing the original firmware with properly signed yet malicious firmware without the user’s cooperation: the user would need to input their device’s passphrase, too, before the firmware can be replaced. Firmware upgrades without the original user’s cooperation are still possible, but all the user’s encryption keys would be wiped, so the data would become inaccessible.
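The two checks described above, a signature on the firmware image and, for an update that keeps the user's data, the user's passphrase, can be modelled as a small gate. The following is an added example written for this article; it is not Google's or the Pixel 2's code. It uses an HMAC as a stand-in for the vendor's asymmetric firmware signature and PBKDF2 for the passphrase check, and every name in it (`ToyHsm`, `sign_firmware`, `VENDOR_SIGNING_KEY`) is an assumption made for the illustration. The point it shows is the one the article makes: a correctly signed image from an insider who holds the signing key is still not enough to read the user's data, because the update either waits for the passphrase or wipes the keys.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed value: a real vendor signing key would be asymmetric and the
# HSM would only ever hold the public half.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"


def sign_firmware(image: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """Stand-in for the vendor's firmware signature (HMAC-SHA256 here)."""
    return hmac.new(key, image, hashlib.sha256).digest()


class ToyHsm:
    """Model of the firmware-update gate: signature first, then passphrase.

    Constructed example; it is not the Pixel 2's HSM firmware.
    """

    def __init__(self, firmware: bytes, user_passphrase: str) -> None:
        self.firmware = firmware
        self.salt = secrets.token_bytes(16)
        self.passphrase_hash = self._derive(user_passphrase)
        # Stand-in for the user's data-encryption keys kept inside the HSM.
        self.user_keys: Optional[bytes] = secrets.token_bytes(32)
        self.audit: List[str] = []

    def _derive(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def _passphrase_ok(self, passphrase: Optional[str]) -> bool:
        if passphrase is None:
            return False
        return hmac.compare_digest(self._derive(passphrase), self.passphrase_hash)

    def update_firmware(self, image: bytes, signature: bytes,
                        user_passphrase: Optional[str] = None) -> str:
        """Returns 'rejected', 'updated' or 'updated-keys-wiped'."""
        # 1. Signature check: an unsigned or tampered image is never installed.
        if not hmac.compare_digest(signature, sign_firmware(image)):
            self.audit.append("rejected: bad signature")
            return "rejected"
        # 2. Insider attack resistance: a correctly signed image still needs
        #    the user's passphrase. Without it the update goes ahead only
        #    after the user's keys are wiped, so the data stays inaccessible.
        if self._passphrase_ok(user_passphrase):
            self.firmware = image
            self.audit.append("updated: signature and passphrase verified")
            return "updated"
        self.user_keys = None
        self.firmware = image
        self.audit.append("updated without passphrase: user keys wiped")
        return "updated-keys-wiped"

    def data_accessible(self) -> bool:
        return self.user_keys is not None


def demo() -> Dict[str, object]:
    """Walk through the three cases on a constructed device."""
    hsm = ToyHsm(firmware=b"firmware v1", user_passphrase="correct horse")
    results: Dict[str, object] = {}

    # A tampered image carrying a signature for a different image.
    results["tampered"] = hsm.update_firmware(
        b"firmware v2", sign_firmware(b"some other image"), "correct horse")

    # A genuine update applied with the user's cooperation: keys survive.
    results["with_passphrase"] = hsm.update_firmware(
        b"firmware v2", sign_firmware(b"firmware v2"), "correct horse")
    results["data_accessible_mid"] = hsm.data_accessible()

    # An image signed with the real key but pushed without the passphrase:
    # installed, but the user's keys are gone.
    results["without_passphrase"] = hsm.update_firmware(
        b"firmware v3", sign_firmware(b"firmware v3"))
    results["data_accessible_after"] = hsm.data_accessible()
    results["audit"] = list(hsm.audit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ordering of the two checks matters: the signature is verified before the passphrase is even looked at, so a bad image is never installed regardless of what the user types, and the key wipe is the only path by which a properly signed image gets installed without the user's passphrase.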

Google recommended that all device makers implement insider attack resistance (and therefore use an HSM and the StrongBox Keymaster implementation available in Android P) in order to better protect their users against malicious parties. Google also said any interested device maker can reach out to the Android security team for help with implementing this solution.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • canadianvice
    Neat. Just remember though that your phone is only secure within certain parameters - in Canada, for instance, one can be compelled to give a fingerprint scan. I think this is permissible in the US as well.

    So.... if you're running, make sure you take a moment to turn your phone off!
  • Christopher1
    That needs to change, Canadianvice. We need to change the laws so that a fingerprint is equivalent to a number or letter password and you cannot be compelled to give it without a warrant.
  • canadianvice
    The trouble is what they are. While I won't say I fundamentally disagree, a fingerprint is ultimately available for public consumption, so to speak.

    Passwords and such are hidden in the last refuge, but anyone can see an fp. It may also be awk on account of police being allowed an fp database.

    I imagine someone would try making an argument against that if fp were defined to be afforded 5th protection.