How the Titan M chip will improve Android security

3 min read

Aside from the big ugly notch on the Pixel XL 3, both the XL 3 and the Pixel 3 will sport a new security chip called the Titan M. This dedicated chip raises the security game in these new Pixel devices.

The M is… well a good guess—mobile. The Titan chip was previously used internally at Google. This is another move towards making better security available at the hands of everyday consumers after Google made the Titan security key for available for purchase.

What does the Titan M do?

The Titan M is an individual low-power security chip designed and manufactured by Google. This is not a part of Snapdragon 845 powering the new Pixel devices. It performs a couple of security functions at the hardware level.

Store and enforce the locks and rollback counters used by Android Verified Boot to prevent attackers from unlocking the bootloader.
Securely locks and encrypts your phone and further limits invalid attempts of unlocking the device.
Apps can use the Android Strongbox Keymaster module to generate and store keys on the Titan M. The Titan M chip has direct electrical connections to the Pixel’s side buttons that prevent an attacker from faking button presses.
Factory-reset policies that enforce rules with which lost or stolen devices can be restored only by the owner.
Ensures that even Google themselves can’t unlock a phone or install firmware updates without the passcode set by the owner with Insider Attack Resistance.

An overview of the Titan M chip

Since the Titan M is a separate chip, it protects against hardware-level attacks such as Rowhammer, Spectre, and Meltdown. Google has complete control and supervision over building this chip, right from the silicon stages. They have taken care to incorporate features like low power usage, low-latency, hardware cryptographic acceleration, tamper detection, and secure, timely firmware updates to the chip.

On the left is the first generation Titan chip and on the right is the new Titan M chip.

Source: Google Blog

Titan M CPU

The CPU used is an ARM Cortex-M3 microprocessor which is specially hardened against side-channel attacks. It has been augmented with defensive features to detect and act upon abnormal conditions. The CPU core also exposes several control registers to join access with chip configuration settings and peripherals.

The Titan M verifies the signature of its firmware using a public key built into the chip. On signature verification, the flash is locked to prevent any modification. It also has a large programmable coprocessor for public key algorithms.

Encryption in the chip

This new chip also features hardware accelerators like AES and SHA. The accelerators are flexible meaning they can either be initialized with firmware provided keys or via chip-specific and hardware-bound keys generated by the Key Manager module. The chip-specific keys are generated internally with the True Random Number Generator (TRNG). Hence such keys are limited entirely to the chip internally and are not available outside the chip.

Google tried to pack maximum security features into Titan M’s 64 KB RAM. The RAM contents of the chip can be preserved even during battery saving mode when most hardware modules are turned off. Here’s a diagram showing the chip components.

Source: Google Blog

Google is aware of what goes into each chip from logic gates to the boot code. The chip allows higher security in areas like two-factor authentication, medical device control, and P2P payments among other potential future uses.

The Titan M firmware source code will be publicly available soon. For more details, visit the Google Blog.