{"id":13636,"date":"2018-10-21T10:45:06","date_gmt":"2018-10-21T18:45:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/10\/21\/news-7403\/"},"modified":"2018-10-21T10:45:06","modified_gmt":"2018-10-21T18:45:06","slug":"news-7403","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/10\/21\/news-7403\/","title":{"rendered":"The Titan M Chip Powers Up Pixel 3 Security"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5bca5d4f9a40cd185593f594\/master\/pass\/Google-chip.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Sun, 21 Oct 2018 11:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">The Google Pixel <\/span>3 <a href=\"https:\/\/www.wired.com\/review\/pixel-3-and-pixel-3-xl\/\">has all the betterments<\/a> you would expect from a flashy flagship smartphone: great camera, zippy processor, smarter AI. It also, though, comes with an unexpected bonus, one that works so deeply in the background you\u2019ll likely never even know it\u2019s there. The Titan M chip may be small and discreet, but it helps make the Pixel 3 and its beefier sibling, the Pixel 3 XL, among the most secure smartphones you can buy.<\/p>\n<p>The Titan M draws inspiration from the <a href=\"https:\/\/cloud.google.com\/blog\/products\/gcp\/titan-in-depth-security-in-plaintext\" target=\"_blank\">Titan chip<\/a> that helps safeguard Google servers, and while they differ some in the details\u2014the Titan M draws much less power, for instance, so as not to tax your battery\u2014they both share the task of protecting hardware against the most sophisticated, and devastating, attacks. 
And because it sits entirely apart from the Pixel 3&#x27;s main processor, it helps cordon off the most sensitive data your smartphone holds.<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">&quot;Once the tools are there and the knowledge is there, the attacks will trickle down.&quot;<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">Will Drewry, Google<\/p>\n<p class=\"paywall\">One such attack the Titan M is designed to protect against is the boot-time attack. \u201cIf you put yourself in the shoes of an attacker, the earlier you can interfere in the process, the more power you have, generally. If you can interfere when the chip is being manufactured, that\u2019s phenomenal,\u201d says Simha Sethumadhavan, a computer scientist at Columbia University. \u201cIf you cannot do that, the other place to do it is when the system is booting. When the system is booting, it\u2019s initializing and needs to run at the highest privilege. It\u2019s a super convenient place for the attacker to interfere. They can get access to all the happenings in the system.\u201d<\/p>\n<p class=\"paywall\">Titan M heads off these boot-time attacks by tying into Verified Boot, a feature introduced in 2017 with Android Oreo. 
Verified Boot confirms that you\u2019re running the correct version of Android as soon as you turn it on; by leveraging Titan M, the Pixel 3 ensures the integrity of that check before an attacker has a chance to downgrade you to something more vulnerable, or meddle with your bootloader.<\/p>\n<p class=\"paywall\">The chip also helps prevent fake log-ins, both by limiting the number of passcode attempts and by having a direct electrical connection to the Pixel\u2019s side buttons so that an attacker can\u2019t create fake button presses to make it seem like a user is present when none is.<\/p>\n<p class=\"paywall\">Having a secure, mobile hardware element isn\u2019t especially novel; the ARM chips that power most higher-end Android smartphones have something called TrustZone, a secure enclave within the main processor that sits apart from the operating system. And Apple\u2019s Secure Enclave, a cordoned off part of its A series of processors, has for years provided safe storage for your private keys and biometric information.<\/p>\n<p class=\"paywall\">But because it\u2019s a separate chip altogether, Titan M takes that isolation to the extreme.<\/p>\n<p class=\"paywall\">\u201cEverything that\u2019s living in the main processor is sharing cache and RAM, for the most part. In order to use it to protect keys, that\u2019s a reasonable thing to do, but you know there\u2019s still going to be the risk of attacks like Spectre, Meltdown, and <a href=\"https:\/\/www.wired.com\/2015\/03\/google-hack-dram-memory-electric-leaks\/\">Rowhammer<\/a>,\u201d says Will Drewry, principal software engineer at Google, referring to prominent examples of pernicious hardware-based attacks. 
\u201cFor us, we moved the key matter to tamper-resistant hardware that has its own private storage, its own private RAM, its own private processing.\u201d<\/p>\n<p class=\"paywall\">By opting for a distinct, hardened chip, Google can better inoculate the Pixel 3 from the so-called side channel attacks that leverage hiccups in interactions between components. In fairness, the risk of that kind of advanced technique to the average user is relatively low, given the relative ease of software-based attacks. They still happen, though, which makes them worth defending against\u2014especially if, as Drewry suspects, they become increasingly common over time.<\/p>\n<p class=\"paywall\">\u201cIt\u2019s only a matter of time that these shared resource attacks become cheap enough that they become opportunistic,\u201d he says. \u201cOnce the tools are there and the knowledge is there, the attacks will trickle down. For us it\u2019s about being proactive.\u201d<\/p>\n<p>&quot;This raises the bar significantly.&quot;<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">Simha Sethumadhavan, Columbia University<\/p>\n<p class=\"paywall\">And while Google began work on Titan chips long before Bloomberg\u2019s recent blockbuster\u2014and <a href=\"https:\/\/www.buzzfeednews.com\/article\/johnpaczkowski\/apple-tim-cook-bloomberg-retraction\" target=\"_blank\">hotly contested<\/a>\u2014<a href=\"https:\/\/www.bloomberg.com\/news\/features\/2018-10-04\/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies\" target=\"_blank\">report about<\/a> attacks on the supply chain, that class of vulnerability was on the company\u2019s mind from the beginning of their development.<\/p>\n<p class=\"paywall\">\u201cAs technology shrinks, the opportunities change, and where you can place parts and how big they are changes, but practically supply chain attacks have always been there,\u201d says Drewry. 
To minimize the chances of any unwanted elements sneaking into the Titan M along the way, Google created a custom provisioning process. By building the chipset itself, it has insight into its manufacturing from start to finish. And Google will also make it easier for security researchers to make sure it\u2019s living up to its promises of protection.<\/p>\n<p class=\"paywall\">\u201cThe firmware for this will be fully open source in the coming months, which I think is very unique in the industry,\u201d says Google security project manager Xiaowen Xin.<\/p>\n<p class=\"paywall\">None of which is to say that the Titan M is invincible. But it is a significant step forward for security-minded Android users, and no small advance for a platform that has <a href=\"https:\/\/www.wired.com\/2017\/03\/good-news-androids-huge-security-problem-getting-less-huge\/\">historically been more vulnerable<\/a> than iOS. \u201cIt is, I think, terrific that Google is doing these kinds of hardware enhancements. It\u2019s much harder to break than software defenses,\u201d says Columbia\u2019s Sethumadhavan. 
\u201cThis raises the bar significantly.\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/google-titan-m-security-chip-pixel-3\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5bca5d4f9a40cd185593f594\/master\/pass\/Google-chip.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Sun, 21 Oct 2018 11:00:00 +0000<\/strong><\/p>\n<p>Google&#8217;s latest flagship smartphone includes the Titan M, a security-focused chip that keeps users safe against sophisticated attacks.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-13636","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13636"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13636\/revisions"}],"wp:attachment":[{"href":"
http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13636"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}