On Thursday, Google revealed that Pixel 2 devices will now better fend off insider attacks through an improved hardware security module that guards user data encryption keys, according to an Android Developers Blog post. This will help prevent inside attackers from installing properly signed malicious firmware on the security module of a lost or stolen device, the post said.
With the new security measures, hackers will not be able to upgrade the firmware that checks the user’s password without the correct password, the post noted. While a malicious party can still force an upgrade, such as by refurbishing the device for resale, doing so will wipe the secrets used to decrypt the users data, which destroys it.
The added security measures could increase the enterprise appeal of the Pixel 2 and Pixel 2XL phones, which already include the AI-powered Google Assistant, all-day battery life, a high-quality camera, and other impressive features.
SEE: Encryption policy (Tech Pro Research)
Google had already rolled out encryption for all user data on Pixel devices. Secure hardware protects the encryption keys, and runs secure firmware, that checks the user’s password to grant access to the user data, according to the post. Users cannot decrypt the device if they do not have the right password, and can only check a certain number of passwords before the device is locked.
The Android devices also use digital signatures to prevent attackers from replacing the phone’s firmware with a malicious version. But hackers could still get around the signature checks to install malicious firmware by gaining access to the signing key and getting their version signed, so the device will accept it as a real update. Device makers have previously tried to protect these keys by storing them in secure locations, and restricting the number of people with access, the post said. However, that still leaves those people vulnerable to coercion or social engineering attacks, creating risk for users and their data—hence, the need for the new security updates.
“The Android security team believes that insider attack resistance is an important element of a complete strategy for protecting user data,” the post said. “The Google Pixel 2 demonstrated that it’s possible to protect users even against the most highly-privileged insiders. We recommend that all mobile device makers do the same.”
Device makers who want to implement insider attack resistance can reach out to the Android security team through their Google contact, the post noted.
The big takeaways for tech leaders:
- Google announced that its Pixel 2 devices will better fend off insider attacks through an improved hardware security module that guards user data encryption keys.
- The new Android security features on the Pixel 2 phones could increase the enterprise appeal of those devices.