Check Point Research discover vulnerabilities in smartphones chips embedded in 37% of smartphones around the world

 Highlights

 

·       Check Point Research discovered vulnerabilities in MediaTek’s chips, embedded in 37% of all smartphones globally

·       CPR discovered several vulnerabilities in the audio processor that are accessible from the Android user space

·       If exploited, attacker can potentially eavesdrop on the user from an unprivileged Android app



Introduction

Taiwan’s MediaTek has been the global smartphone chip leader since Q3 2020. MediaTek Systems on a chip (SoCs) are embedded in approximately 37% of all smartphones and IoT devices in the world, including high-end phones from Xiaomi, Oppo, Realme, Vivo and more.

 

Modern MediaTek SoCs, including the latest Dimensity series, contain a special AI processing unit (APU) and audio Digital signal processor (DSP) to improve media performance and reduce CPU usage. Both the APU and the audio DSP have custom Tensilica Xtensa microprocessor architecture. The Tensilica processor platform allows chip manufacturers to extend the base Xtensa instruction set with custom instructions to optimize particular algorithms and prevent them from being copied. This fact makes MediaTek DSP a unique and challenging target for security research.

 

In this study, we reverse-engineered the MediaTek audio DSP firmware and discovered several vulnerabilities that are accessible from the Android user space. The goal of our research was to find a way to attack the audio DSP from an Android phone.

 

A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user. By chaining with vulnerabilities in Original equipment manufacturer (OEM) partner’s libraries, the MediaTek security issues we found could lead to local privilege escalation from an Android application.

 

The discovered vulnerabilities in the DSP firmware (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) have already been fixed and published in the October 2021 MediaTek Security Bulletin. The security issue in the MediaTek audio HAL (CVE-2021-0673) was fixed in October and will be published in the December 2021 MediaTek Security Bulletin.

Comments

Popular posts from this blog

Empowering Business Connectivity and Innovation: Insights from HPE and Tarsus Leadership

Vodacom Group enhances employee offerings to endorse inclusivity and promote well-being.

How can we grow young female entrepreneurship in South Africa?