Check Point Research has identified security flaws in the smartphone chip found in 37% of the world’s smartphones, made by Taiwanese manufacturer MediaTek.
MediaTek’s chips serve as the main processor in many Android devices, including models from Xiaomi, Oppo, Realme, Vivo and others. The security holes were found inside the chip’s audio processor. Without a patch, the vulnerabilities could have allowed an attacker to eavesdrop on an Android user and/or hide malicious code on the device.
According to CPR, MediaTek chips contain a dedicated AI processing unit (APU) and a digital audio signal processor (DSP) to improve media performance and reduce CPU usage. Both the APU and the audio DSP use custom microprocessor architectures, which makes the MediaTek DSP an unusual and attractive target for security research.
CPR set out to determine to what extent the MediaTek DSP could be used as an attack vector by threat actors. For the first time, CPR reverse engineered the MediaTek audio processor, revealing several security holes.
To exploit the vulnerabilities, the order of operations for a threat actor would, in theory, be:
1) A user installs a malicious app from the Play Store and launches it
2) The app uses the MediaTek audio API to attack a library that is authorized to talk to the audio driver, gaining that library’s system privileges
3) Now running with system privileges, the app sends crafted messages to the audio driver in order to execute code inside the audio-processor (DSP) firmware
4) The app steals the audio stream
CPR disclosed its findings to MediaTek, which assigned the following identifiers: CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663. These three vulnerabilities were subsequently fixed and published in the MediaTek security bulletin of October 2021. The security issue in the MediaTek audio HAL (CVE-2021-0673) was fixed in October and will be published in the MediaTek security bulletin of December 2021.
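Because the only defence offered to end users is "install the patch", the practical check is whether a given MediaTek device actually carries a security patch level from or after the months in which the fixes were published. The script below is an added example, not code from the article, from Check Point or from MediaTek. It assumes that the fixes ship under the Android security patch level of the same month as the MediaTek bulletin (2021-10-05 for the three DSP CVEs, 2021-12-05 for the audio HAL CVE-2021-0673), that MediaTek platforms report a `ro.board.platform` value beginning with `mt` (for example `mt6853`), and that `adb` is available for the live check; the function and property names are the author’s choice.

```shell
#!/bin/sh
# Added example (not from the article, Check Point or MediaTek): triage a
# MediaTek-based Android device by its security patch level.
# Assumptions: fixes ship under the Android security patch level of the same
# month as the MediaTek bulletin (2021-10-05 for CVE-2021-0661/0662/0663,
# 2021-12-05 for CVE-2021-0673); MediaTek platforms report "mt..." in
# ro.board.platform. Live check needs adb.

# Convert a patch level (YYYY-MM-DD) to an integer like 20211005 so it can be
# compared with -ge. Prints nothing and returns 1 for malformed input, so an
# unknown patch level is treated as "not patched" rather than silently passing.
spl_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | tr -d - ;;
        *) return 1 ;;
    esac
}

# Return 0 when the device patch level is at or after the required one.
spl_is_at_least() {
    d=$(spl_to_int "$1") || return 1
    r=$(spl_to_int "$2") || return 1
    [ "$d" -ge "$r" ]
}

# Classify a device by SoC platform string and patch level. Prints one of
# not-mediatek | patched | dsp-fixed-hal-pending | vulnerable and returns 0
# only when no known issue remains open on the device.
classify_device() {
    platform="$1"; device_spl="$2"
    case "$platform" in
        mt*) ;;                                   # MediaTek SoC, e.g. mt6853
        *) echo "not-mediatek"; return 0 ;;
    esac
    if spl_is_at_least "$device_spl" "2021-12-05"; then
        echo "patched"; return 0                  # DSP CVEs and HAL CVE fixed
    elif spl_is_at_least "$device_spl" "2021-10-05"; then
        echo "dsp-fixed-hal-pending"; return 1    # CVE-2021-0673 still open
    else
        echo "vulnerable"; return 1               # none of the fixes present
    fi
}

# Live check against a connected device (skipped when adb is not installed).
check_connected_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found"; return 2; }
    platform=$(adb shell getprop ro.board.platform | tr -d '\r')
    spl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    classify_device "$platform" "$spl"
}
```

Run `check_connected_device` with a device attached, or call `classify_device <platform> <patch-level>` directly on values collected by an MDM inventory. The verdict `dsp-fixed-hal-pending` is deliberately a failure: a device on the October 2021 level has the DSP firmware fixes but still lacks the audio HAL fix that completes the chain from an unprivileged app.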
CPR also informed Xiaomi of its findings.
“MediaTek is known to be the most popular chip for mobile devices,” says Slava Makkaveev, security researcher at Check Point Software.
“Given its ubiquity in the world, we began to suspect that it could be used as an attack vector by potential hackers. We started researching the technology, which led to the discovery of a chain of vulnerabilities that could potentially be used to reach and attack the chip’s audio processor from an Android application,” says Makkaveev.
“Without a patch, a hacker could potentially have exploited the vulnerabilities to eavesdrop on Android users’ conversations.”
Furthermore, Makkaveev says the security holes could also have been misused by the device makers themselves to create a massive listening campaign.
“While we see no specific evidence of such misuse, we moved quickly to disclose our findings to MediaTek and Xiaomi.
“In summary, we have proven a whole new attack vector that could have abused the Android API. Our message to the Android community is to update their devices with the latest security patch in order to be protected. MediaTek has worked diligently with us to ensure these security issues were resolved in a timely manner, and we are grateful for their cooperation and spirit for a more secure world.”
Tiger Hsu, Head of Product Security at MediaTek, says device security is a critical component and priority of all MediaTek platforms.
“With respect to the Audio DSP vulnerability disclosed by Check Point, we have worked diligently to validate the issue and make the appropriate mitigation measures available to all OEMs,” Hsu said.
“We have no evidence that it is currently in use. We encourage end users to update their devices as soon as patches become available and to only install apps from trusted locations such as the Google Play Store.
“We value the collaboration with the research team at Check Point to make the MediaTek product ecosystem more secure.”