To stay ahead of the game, one has to think differently and use unconventional methods to get ahead of the competition. For a cop, thinking like a criminal can help solve a crime faster. Similarly, in this modern age, thinking like a hacker can help you stay a few steps ahead, or help you discover and fix a flaw in a system.
The key takeaway is to constantly be on one's toes and keep a lookout for vulnerabilities. Check Point Research (CPR) has identified security flaws in the processor chip found in 37% of the world's smartphones. Left unpatched, a hacker could have exploited the vulnerabilities to eavesdrop on Android users and/or hide malicious code.
A Flaw In the Chip Could Affect Billions Of Devices Globally
MediaTek, which proudly claims on its website that it is the world's 4th largest global fabless semiconductor company and powers more than 2 billion devices a year, was found to have security flaws in its chips. Supplying some of the biggest brands out there, such as Xiaomi, Oppo, Realme, and Vivo amongst others, MediaTek systems on a chip (SoCs) are embedded in approximately 37% of all smartphones and IoT devices in the world.
MediaTek chips contain a special AI processing unit (APU) and an audio digital signal processor (DSP) to improve media performance and reduce CPU usage. Both the APU and the audio DSP have custom microprocessor architectures, making the MediaTek DSP a unique and challenging target for security research.
CPR grew curious about the extent to which the MediaTek DSP could be used as an attack vector by threat actors. For the first time, in a study, CPR reverse-engineered the MediaTek audio DSP firmware and discovered several vulnerabilities that are accessible from the Android user space. The goal of the research was to find a way to attack the audio DSP from an Android phone. And it could be done.
To exploit the security vulnerabilities, a threat actor's attack methodology would, in theory, follow this particular sequence. First, a user installs a malicious app from the Play Store and launches it; then the app uses the MediaTek API to attack a library that has permissions to talk with the audio driver. The app, now with system privilege, sends crafted messages to the audio driver to execute code in the firmware of the audio processor.
The icing on the cake: the app steals the audio flow.
Slava Makkaveev, Security Researcher at Check Point Software, said: "MediaTek is known to be the most popular chip for mobile devices. Given its ubiquity in the world, we began to suspect that it could be used as an attack vector by potential hackers. We embarked on research into the technology, which led to the discovery of a chain of vulnerabilities that potentially could be used to reach and attack the audio processor of the chip from an Android application."
He further added that if left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users. Furthermore, the security flaws could have been misused by the device manufacturers themselves to create a massive eavesdrop campaign.
“Although we do not see any specific evidence of such misuse, we moved quickly to disclose our findings to MediaTek and Xiaomi. Our message to the Android community is to update their devices to the latest security patch in order to be protected,” he enthused.
To date, the discovered vulnerabilities in the DSP firmware (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) have already been fixed and published in the October 2021 MediaTek Security Bulletin. The security issue in the MediaTek audio HAL (CVE-2021-0673) was fixed in October and will be published in the December 2021 MediaTek Security Bulletin.
"Device security is a critical component and priority of all MediaTek platforms. Regarding the Audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs," explained Tiger Hsu, MediaTek Product Security Officer.
“We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store. We appreciate the collaboration with the Check Point research team to make the MediaTek product ecosystem more secure,” he concluded.