Xiaomi MediaTek Security Flaw Allows Vulnerability Exploits in Pay Systems
CheckPoint’s analysis reveals critical security vulnerabilities in Xiaomi devices using MediaTek processors. These flaws allow attackers to bypass protections, potentially falsifying or disabling the pay system, even from unprivileged Android apps.
2024-01-18
CheckPoint Finds Security Flaws in Xiaomi Devices’ Pay System on MediaTek Processors
In a recent analysis, CheckPoint Research uncovered serious security vulnerabilities in Xiaomi smartphones that run on MediaTek processors. The vulnerabilities are specifically associated with the pay system integrated into these devices, allowing attackers to bypass security protocols, potentially altering pay packets or even disabling the system without privileged access. These findings raise critical security concerns for Xiaomi users who rely on mobile payments, as attackers could exploit the Trusted Execution Environment (TEE) to bypass core protections.
What is TEE, and Why is It Critical?
The Trusted Execution Environment (TEE) is a secure, isolated section of a device designed to process and protect sensitive data such as cryptographic keys and biometric data (e.g., fingerprints). TEE’s security is based on hardware extensions, such as ARM TrustZone, that separate it from the regular operating system to ensure that the data within it remains safe even if the device is compromised. Common TEE implementations include Qualcomm Secure Execution Environment (QSEE) and Trustonic Kinibi.
For Xiaomi devices:
- Those using Qualcomm processors are equipped with QSEE for TEE.
- Devices using MediaTek processors rely on Trustonic Kinibi.
In this case, CheckPoint’s findings apply to Xiaomi devices with MediaTek processors, highlighting risks in the TEE’s isolation and functionality.
CheckPoint’s Key Findings: Security Flaws in Xiaomi’s Pay System
The researchers’ analysis focused on Xiaomi’s pay system as implemented on the Xiaomi Redmi Note 9T 5G running MIUI Global 12.5.6.0. The main issues they identified are as follows:
- Vulnerabilities in Trusted Applications: Trusted applications within the TEE are meant to have high security standards, but researchers discovered that Xiaomi’s TEE application allowed for multiple application signatures that could be easily modified due to overlapping “magic fields.” This overlap also impacts other Xiaomi models, including Xiaomi T11 and Xiaomi Note 8 Pro.
- Exploitable Update Mechanism: One critical flaw is that attackers can bypass security fixes released by Xiaomi or MediaTek. By exploiting version control vulnerabilities, an attacker could potentially install older, unpatched versions of trusted applications, thus undoing security updates and exposing the pay system to attacks.
- Remote Exploitation Potential: The flaw allows attackers to remotely alter or disable the pay system even through non-privileged Android applications. Essentially, this means that regular applications without elevated permissions could gain access to sensitive processes typically secured within the TEE.
Why Are TEE Vulnerabilities Especially Dangerous?
Given its responsibility for secure processing and storage of sensitive information, any breach of the TEE is concerning. In Xiaomi’s case, the vulnerabilities discovered in the TEE could allow attackers to:
- Falsify Pay Packets: Attackers could manipulate pay packets, allowing for fraudulent transactions.
- Disable the Pay System: By compromising the TEE, attackers could render Xiaomi’s pay system inoperative, affecting users’ ability to make secure payments.
- Access Cryptographic Keys: If exploited, this flaw could expose cryptographic keys stored within the TEE, leading to broader security risks.
This matters even on rooted or malware-infected devices: hardware-level protections such as ARM TrustZone are designed to keep the TEE isolated in exactly those compromised environments, yet the ability to downgrade trusted applications introduces an attack vector that hardware isolation alone cannot prevent.
How Attackers Bypass Security Fixes in Trusted Applications
One of the more alarming aspects of CheckPoint’s discovery is the potential for security patch circumvention in Xiaomi’s TEE. When Xiaomi or MediaTek releases a security update, it typically patches vulnerabilities in the trusted application. However, by downloading and installing an older, unpatched version of the app, attackers can bypass these updates and exploit known vulnerabilities that were previously resolved.
This vulnerability lets attackers reuse old exploits even after Xiaomi has shipped patches, undermining user confidence and leaving devices exposed despite the vendor’s efforts to secure them.
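The downgrade problem described above comes down to a loader that checks only that a trusted application is vendor-signed, not that it is at least as new as the last version it ran. The following added example (not code from Check Point, Xiaomi, or Trustonic; the image header, key, and loader are a hypothetical model) contrasts a signature-only loader with one that keeps a persisted anti-rollback floor per application:

```python
import hashlib
import hmac
import struct

# Constructed vendor key for this model; a real TEE verifies an OEM signature
# against a public key anchored in the device, not a shared secret.
VENDOR_KEY = b"constructed-vendor-signing-key"
HEADER = struct.Struct(">16sI")  # hypothetical image header: TA name, version
TAG_LEN = hashlib.sha256().digest_size

def sign_ta(name: str, version: int, body: bytes) -> bytes:
    """Build a hypothetical trusted-application image: header || body || vendor tag."""
    header = HEADER.pack(name.encode(), version)
    tag = hmac.new(VENDOR_KEY, header + body, hashlib.sha256).digest()
    return header + body + tag

def verify_ta(image: bytes):
    """Return (name, version, body) if the vendor tag is valid, else None."""
    header, body, tag = image[:HEADER.size], image[HEADER.size:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(VENDOR_KEY, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    name, version = HEADER.unpack(header)
    return name.rstrip(b"\0").decode(), version, body

class TaLoader:
    """Loader model. anti_rollback=False mirrors the weakness the article
    describes: any vendor-signed version, including an old one, is loaded."""
    def __init__(self, anti_rollback: bool = True):
        self.anti_rollback = anti_rollback
        self.floor = {}  # name -> highest version loaded; persisted storage in a real TEE

    def load(self, image: bytes) -> str:
        parsed = verify_ta(image)
        if parsed is None:
            return "rejected: bad signature"
        name, version, _ = parsed
        if self.anti_rollback and version < self.floor.get(name, 0):
            return f"rejected: rollback to v{version} below v{self.floor[name]}"
        self.floor[name] = max(version, self.floor.get(name, 0))
        return f"loaded {name} v{version}"
```

The old image still carries a valid vendor signature, so only the version floor, not the signature check, stops it from loading.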
What Does This Mean for Xiaomi Users?
For users of Xiaomi devices running MediaTek processors, this discovery underscores a significant security risk in their smartphone’s payment capabilities. Xiaomi and MediaTek are likely already aware of these issues, but full mitigation may require comprehensive updates that address the root causes of application signature and version control vulnerabilities. For users, it’s essential to stay aware of updates from Xiaomi and MediaTek and to install security patches as soon as they’re available.
In addition to Xiaomi, other device manufacturers may need to examine similar issues, as the flaws in TEE implementation could reflect a broader trend in mobile security.
Recommendations for Enhanced Security
While waiting for Xiaomi to address these vulnerabilities, here are a few actions that IT and security teams can consider to safeguard devices and users in their organizations:
- Regular Security Patch Updates: Ensure that all device updates are applied as soon as they’re released, especially those related to TEE or payment security.
- Educate Users: Security awareness training helps users recognize potential threats, spot unusual device behavior, and follow best practices.
- Restrict Sensitive Apps to Secure Devices: Encourage users to avoid installing sensitive applications, like payment apps, on rooted or unverified devices to reduce potential attack vectors.
- Implement Phishing and Quishing Simulators: To protect employees against phishing or QR-based attacks that could lead to TEE exploitation, consider using phishing simulators and quishing simulators to enhance security awareness.
As mobile security threats continue to evolve, TEE vulnerabilities remind us of the complexity of safeguarding sensitive information. With stronger protection protocols and regular security patches, users can better protect themselves against vulnerabilities. For organizations, proactive defense measures like human risk management are invaluable.
Editor’s note: This blog was updated November 12, 2024