Quarkslab Discusses New Vulnerability Research on a Modern Security Chip Used in Google Pixel 3 Devices

In a recent announcement, Quarkslab, a French deep tech cybersecurity company specializing in software protection technologies, revealed that security researchers Damiano Melotti and Maxime Rossi Bellom would lead a briefing on vulnerability research at BlackHat 2022 in Las Vegas. 

Quarkslab urges those interested in modern security chips to attend the Thursday, August 11 session at Islander FG Level. The session, “Attack on Titan M Reloaded,” will discuss the duo’s findings on Google’s Titan M chipset introduced in Pixel 3 through Pixel 5 devices. Quarkslab’s research will provide valuable insights into the Titan M chipset and its potential vulnerabilities. Their research is essential in keeping the public informed and safe against potential security risks. Attendees of Quarkslab’s session will better understand how to protect themselves against possible threats.

Damiano Melotti, Maxime Rossi Bellom, and the Quarkslab team have worked tirelessly to ensure their research is thorough and informative. Quarkslab’s efforts will benefit the industry greatly by providing the knowledge and tools necessary to protect against potential threats associated with this chipset. 

The Titan M Chip is a crucial component for Google Pixel devices, and Quarkslab has analyzed the chip. In their BackHat briefing, Melotti and Bellom will focus on measures they took to research software vulnerabilities they were able to find even with limited public information available about the chip.

According to Melotti, “We will dive into how Quarkslab’s black-box fuzzer works and its associated limitations, and then we’ll show how emulation-based solutions can outperform hardware-bound approaches.” He continued, “By combining a coverage-guided fuzzer (AFL++), an emulator (Unicorn), and some optimizations specifically for this target, we found a vulnerability that allowed setting a single byte to 1 with several constraints on the offset. We will present how we managed to obtain code execution from this chip and leaked the secrets contained in the secure module.”

Bellom added, “This is the tale of how we mixed together various known techniques and open-source tools against this chip with almost no debugging support and often relying in return codes to develop our tools and exploits. We hope to offer insights into our work to benefit other security researchers probing similar targets.”

Melotti is a cybersecurity researcher based in Paris who explores solving complex problems in all security aspects. His passion is dynamic vulnerability research, systems and mobile security, and security engineering. Bellom is a security research engineer working in the embedded and cryptography team at Quarkslab.

Founded ten years ago, Quarkslab has a dedicated team of cyber-security engineers and developers. The team aims at forcing the attackers, not the defender, to adapt constantly.Through QLab’s consulting expertise and R&D, and their software QFlow and QShield, these experts share and scale their knowledge by making it accessible to everyone. Quarkslab’s team believes that security is everyone’s concern since there is no freedom if there is no security. Their expertise combines offensive and defensive security in application protection to help organizations adopt a new security posture.

Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Instagram, and LinkedIn.