Check Point Research (CPR), the research arm of Check Point Software, has identified security vulnerabilities in a processor chip found in 37% of smartphones worldwide. If left unpatched, an attacker could exploit these vulnerabilities to eavesdrop on Android users and/or plant malicious code on their devices.
- The vulnerabilities were found in a chip from MediaTek, the world's largest chipset supplier and a partner of Xiaomi, Oppo, Realme, Vivo and other manufacturers
- By reverse engineering MediaTek's audio processor for the first time, CPR uncovered the security flaws
- CPR officially disclosed its findings to MediaTek
Check Point Research (CPR) has identified security flaws in chips produced by the Taiwanese smartphone chip maker MediaTek. MediaTek chips are found in 37% of smartphones worldwide and serve as the main processor in almost every notable Android device, including those from Xiaomi, Oppo, Realme, Vivo and others. The flaws were found inside the chip's audio processor; if left unpatched, they could allow an attacker to eavesdrop on an Android user and/or hide malicious code on the device.
Background
MediaTek chips include a dedicated AI processing unit (APU) and a digital audio signal processor (DSP) to improve multimedia performance and reduce CPU usage. Both the APU and the audio DSP have custom microprocessor architectures, which makes MediaTek's DSP a unique and challenging target for security research.
CPR set out to determine the extent to which the MediaTek DSP could be used as an attack vector by threat actors. For the first time, CPR reverse engineered MediaTek's audio processor, revealing several security flaws.
Attack methodology
To exploit the vulnerabilities, a threat actor would, in theory, follow this sequence of actions:
1) A user installs a malicious application from the Play Store and launches it
2) The application uses the MediaTek API to attack a library that has permissions to communicate with the audio driver
3) Using those privileges, the application sends crafted messages to the audio driver to execute code in the audio processor's firmware
4) The application steals the audio stream
Responsible Disclosure
CPR officially disclosed its findings to MediaTek, resulting in the following CVEs: CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663. These three vulnerabilities were subsequently fixed and published in the MediaTek Security Bulletin of October 2021.
The security issue in MediaTek's audio HAL (CVE-2021-0673) was fixed in October and will be published in the MediaTek Security Bulletin of December 2021.
CPR also informed Xiaomi of its findings.