There are security flaws in the smartphone chip made by Taiwanese semiconductor manufacturer MediaTek, Check Point Research (CPR) said.
Check Point Research (CPR) found the security flaws inside the chip’s audio processer. The vulnerabilities could have enabled a hacker to eavesdrop on an Android user and/or hide malicious code. Check Point is one of the leaders in cyber security business assisting leading brands and corporates.
MediaTek chips contain a special AI processing unit (APU) and audio Digital signal processor (DSP) to improve media performance and reduce CPU usage. Both the APU and the audio DSP have custom microprocessor architectures, making MediaTek DSP a unique and challenging target for security research.
Check Point grew curious around the degree to which MediaTek DSP could be used as an attack vector for threat actors. For the first time, CPR was able to reverse engineer the MediaTek audio processor, revealing several security flaws.
Attack Methodology
To exploit the security vulnerabilities, a threat actor’s order of operations, in theory, would be:
# A user installs a malicious app from the Play Store and launches it
# The app uses the MediaTek API to attack a library that has permissions to talk with the audio driver
# The app with system privilege sends crafted messages to the audio driver to execute code in the firmware of the audio processor
# The app steals the audio flow
Check Point disclosed its findings to MediaTek, creating the following: CVE-2021-0661, CVE-2021-0662, CVE-2021-0663. These three vulnerabilities were subsequently fixed and published in the October 2021 MediaTek Security Bulletin. The security issue in the MediaTek audio HAL (CVE-2021-0673) was fixed in October and will be published in the December 2021 MediaTek Security Bulletin.
Check Point also informed Xiaomi of its findings.
“A hacker could have exploited the vulnerabilities to listen in on conversations of Android users. The security flaws could have been misused by the device manufacturers themselves to create a massive eavesdrop campaign,” Slava Makkaveev, Security Researcher at Check Point Software, said in a media statement.
“Device security is a critical component and priority of all MediaTek platforms. Regarding the Audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs,” Tiger Hsu, Product Security Officer at MediaTek, said.