After our post yesterday, "Attention: vulnerabilities in Xiaomi phones", Check Point Research sent us a press release describing the attack:

Check Point Research (CPR) has identified vulnerabilities in the Xiaomi mobile payment engine. If not fixed, an attacker could steal the private keys used to sign Wechat Pay's control and payment packets. In the worst case, an unauthorized Android app could create and sign a fake payment package.
In particular, vulnerabilities were found in Xiaomi's trusted environment, which is responsible for storing and managing sensitive information such as passwords. The devices studied by CPR were powered by MediaTek chips.
Two types of attack
CPR discovered two ways to attack trusted code:
- From an unauthorized Android app: the user installs a malicious app and launches it. The app extracts the keys and sends a fake payment packet to steal the money.
- If the attacker has the target device in his hands: the attacker roots the device, then downgrades the trusted environment, and then executes the code to create a fake payment package without any application.
CPR responsibly disclosed its findings to Xiaomi. Xiaomi has acknowledged and issued fixes.
Slava Makkaveev, Security Researcher, Check Point commented:
“We discovered a set of vulnerabilities that could allow payment packets to be falsified or the payment system to be disabled directly from an Android app. We were able to hack WeChat Pay and implement a fully-fledged demo of the hack.”
“Our study marks the first time Xiaomi's trusted apps have been examined for security issues. We immediately shared our findings with Xiaomi, who quickly worked to issue a fix. Our message to the public is to always make sure your phones are updated to the latest version provided by the manufacturer. If even mobile payments are not secure, then what is?”
