How the Pixel 2's security module delivers enterprise-grade security

Security is often top of mind for enterprise customers when it comes to choosing a device for work. Company data should be protected against all manner of threats to avoid a costly and distressing security breach.

The new Google Pixel 2 was built with a tamper-resistant hardware security module that reinforces the lock screen against malware and hardware attacks to better safeguard the data stored on your device, like emails, contacts and photos. This is the first of what we hope are many Android devices that feature dedicated security modules.

Benefits of tamper-resistant hardware

The lock screen is the first line of defense in protecting your data from attacks. Devices that ship with Android 7.0 and above verify your lock screen passcode in a secure environment, such as the Trusted Execution Environment or TEE, that limits how often someone can repeatedly brute-force guess it. When the secure environment has successfully verified your passcode does it reveal a device and user-specific secret used to derive the disk encryption key. Without that key, your data can’t be decrypted.

The goal of these protections is to prevent attackers from decrypting your data without knowing your passcode. However, the protections are only as strong as the secure environment that verifies the passcode. Performing these types of security-critical operations in tamper-resistant hardware significantly increases the difficulty of attacking it.

Tamper-resistant hardware comes in the form of a discrete chip, separate from the System on a Chip (SoC). It includes its own flash, RAM, processing unit, and other resources inside a single package, so it can fully control its own execution and ward off external attempts to tamper with it. The package is resistant to physical penetration and designed to resist many side channel attacks, including power analysis, timing analysis, and electromagnetic sniffing. The hardware is also resilient against many physical fault injection techniques including attempts to run outside normal operating conditions, such as wrong voltage, wrong clock speed, or wrong temperature.

Security module in Pixel 2

In addition to being tamper-resistant, the security module in Pixel 2 also helps protect against software-only attacks. Because it performs very few functions, it has a super small attack surface. And with passcode verification happening in the security module, even in the event of a full compromise elsewhere, the attacker cannot derive your disk encryption key without compromising the security module first. 

The security module is designed so that nobody, including Google, can update the passcode verification to a weakened version without knowing your passcode first.

Security at the core

Businesses that choose the new Google Pixel 2, or a future Android device with tamper- resistant hardware, will have more peace of mind that critical company data is safer against an entire class of sophisticated hardware attacks. These security upgrades, along with the comprehensive and innovative management features that Android brings to work, give your business a powerful set of tools for a mobile workforce.