Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Mobile

    Google Says Pixel 2 Encryption Thwarts Even Privileged Insider Attacks

    By
    JAIKUMAR VIJAYAN
    -
    June 1, 2018
    Share
    Facebook
    Twitter
    Linkedin
      1088_Pixel2Rollout

      The encryption capability available with Google’s Pixel 2 smartphones is highly resistant to attacks on the hardware, software, operating system and firmware, the company said this week. 

      Central to that security is “insider attack resistance” that ensures even highly-privileged users with administrative access to a Pixel 2 device cannot overcome the encryption on it without the owner’s cooperation and without destroying all data on the device first. 

      “The Android security team believes that insider attack resistance is an important element of a complete strategy for protecting user data,” Google software engineer Shawn Willden said in an update on Google’s Android Developer blog May 31.  

      With the Pixel 2 Google has been able to demonstrate how user data can be protected against even the most highly privileged insiders, he said. “We recommend that all mobile device makers do the same.” 

      The insider attack resistance capability is designed to thwart an attacker from using rogue firmware to access the keys needed to decrypt data on a device. Google by default encrypts all user data on the Pixel 2. The keys that are used to encrypt the data are stored in a separate tamper-resistant hardware module on the device. 

      The module contains firmware for checking the validity of a user’s password. The firmware ensures the device stays encrypted until the correct password in entered. It also limits the rate at which someone can retry the password in case an incorrect password is entered. The rate-limiting feature is designed to make it harder for an attacker to use brute force methods to try and guess a password, Willden said. 

      The firmware itself is digitally signed to prevent attackers from using spoofed or rogue firmware to try getting at the decryption keys in the hardware module. The only way attackers can overcome the protection is to attack and break the digital signature verification process or gain access to the digital signing keys so they can sign their rogue firmware. 

      Because the signature checking software is really small and isolated, it can be very hard to defeat, Willden said. 

      The keys that are used for signing however need to be stored somewhere and at least a few people need to have access to them in order to sign legitimate firmware. 

      Organizations have typically tended to store the keys in highly secure locations and minimize the number of people who have access to them in order to reduce risk. The approach does not guarantee security, however, because people with access to the signing keys can be coerced or tricked into giving them up, Willden said. 

      Google’s strategy with Pixel 2 therefore has been to include the protection inside the hardware security module that contains the encrypted keys. The goal is to ensure that even if an attacker somehow managed to gain access to firmware signing keys they would not be able to install rogue firmware on a Pixel 2 without the user’s active cooperation, Specifically, unless the user enters the correct password, an attacker would not be able to update the firmware on a Pixel 2 even if the firmware is legitimately signed. 

      An attacker can force a firmware upgrade—as might be necessary when a device is being refurbished—but that ensures any encrypted data on the device is cleared as well, Willden said. 

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×