304 North Cardinal St.
Dorchester Center, MA 02124
With the Pixel 6 series, Google began developing its in-house Tensor SoC. But that wasn’t the first time the search giant used a piece of custom silicon in its smartphones – the Pixel 2’s Pixel Visual Core was technically the first. One generation later, the company announced that Pixel 3 devices would include a hardware security module dubbed Titan M. Then, in 2021, Google followed it up with the Titan M2. The security chip has since become a selling point for Google phones like the Pixel 7 series and Pixel 6a.
So in this article, let’s take a closer look at the role of the Titan M2 in Pixel devices, how it works, and why it’s even necessary in the first place.
Google’s Titan server chip (left) and first-generation Titan M security chip (right)
The Titan M2 is a dedicated security chip included in Pixel 6 and Pixel 7 series smartphones. Google designed the Titan M2 in-house so that it could exercise complete control over its feature set. The chip is based on the RISC-V CPU architecture and contains its own memory, RAM, and cryptographic accelerator.
The Titan M2 is one of the many measures Google has employed to improve smartphone security over the years. The company uses the chip in its Pixel phones to provide an additional layer of protection on top of Android’s default security measures.
Google designed the Titan M2 chip to augment Android’s default security measures.
Take Android’s mandatory full-disk encryption. On most devices, it relies on a security feature known as a Trusted Execution Environment (TEE), which is essentially the secure area of a processor. Android devices store their encryption keys within this secure area, which is in turn guarded with your pattern, PIN, or passcode. In other words, the TEE isolates cryptographic keys and never reveals them to the user or even the operating system.
Virtually all smartphone SoCs in this day and age have a TEE or similar secure environment. On Snapdragon chips, it’s commonly referred to as the Qualcomm Secure Execution Environment (QSEE). Apple’s Arm-based chips like the M1 have the Secure Enclave. With these secure environments in place, malicious apps cannot access decryption keys, biometrics, and other sensitive data.
With the Pixel 3, Google decoupled the TEE from the chipset and used a separate security module instead. The Titan M, which has now been replaced by the Titan M2, can almost be considered a standalone processor by itself. The chip has its own flash memory for storing sensitive data and runs its own minimal operating system (sometimes called a microkernel).
The Titan M2 is a separate chip that doesn’t share resources like memory or cache with the main processor.
It’s worth noting that dedicated security chips aren’t a new concept. Many computer motherboards have a Trusted Platform Module (TPM) chip that serves the same purpose, albeit with less flexibility.
Gary Sims / Android Authority
Unlike the main SoC that performs general-purpose tasks, a dedicated security chip like the Titan M2 executes very few functions. This vastly reduces the number of potential attack vectors since most software cannot directly interact with the security chip.
As for what the security chip actually does, let’s start with booting the Android operating system. When you turn on a Pixel device, the Titan M2 communicates with the bootloader to validate that you’re running the latest known version of Android. This check ensures an attacker hasn’t rolled back your device’s operating system to an older, potentially unsafe version. Google also states that the chip safeguards against malicious attempts to unlock the bootloader.
The Titan M2 comes into play as soon as you press the power button, quite literally.
Once booted, the phone’s storage remains encrypted and inaccessible until you clear the lock screen prompt. The Titan M2 plays a key role here as it stores the decryption keys. Even if an attacker tampers the operating system to try and brute-force their way through the lock screen, the chip will limit the number of attempts at the hardware level. Titan M2 will only reveal the decryption keys if you enter the correct pattern or PIN.
But what if an attacker tries to tamper with the Titan M2 directly? Google thought of that too. You can’t change or update the chip’s firmware without the device’s pattern or PIN. The company also says it hardened the chip against side-channel attacks like power analysis and voltage fluctuations.
The Titan M2 also supports Android StrongBox, which is a safe storage space for cryptographic keys used by third-party apps. A payment app, for example, could request the chip to generate and store a private key for your saved cards. And with Android’s Protected Confirmation, the chip also supports the universal FIDO authentication standard. This means you can use Pixel phones as a physical two-factor authentication key for your online accounts. In terms of security, Google treats it as on par with the $30 Titan Security Key.
The Titan M2 hasn’t revolutionized smartphone security by any means, but it does eliminate some key potential attack vectors. Google is currently the only smartphone maker to use a dedicated security module. However, that doesn’t mean other Android devices aren’t secure enough. The Arm chips used in modern smartphones also have isolated and secure environments, just not to the same degree as the Titan M2.
Read next: The best Pixel-only features explained