Check Point Research discover vulnerabilities in smartphones chips embedded in 37% of smartphones around the world

Highlights

  • Check Point Research discovered vulnerabilities in MediaTek’s chips, embedded in 37% of all smartphones globally
  • CPR discovered several vulnerabilities in the audio processor that are accessible from the Android user space
  • If exploited, attacker can potentially eavesdrop on the user from an unprivileged Android app

Introduction

Taiwan’s MediaTek has been the global smartphone chip leader since Q3 2020. MediaTek Systems on a chip (SoCs) are embedded in approximately 37% of all smartphones and IoT devices in the world, including high-end phones from Xiaomi, Oppo, Realme, Vivo and more.

Modern MediaTek SoCs, including the latest Dimensity series, contain a special AI processing unit (APU) and audio Digital signal processor (DSP) to improve media performance and reduce CPU usage. Both the APU and the audio DSP have custom Tensilica Xtensa microprocessor architecture. The Tensilica processor platform allows chip manufacturers to extend the base Xtensa instruction set with custom instructions to optimize particular algorithms and prevent them from being copied. This fact makes MediaTek DSP a unique and challenging target for security research.

In this study, we reverse-engineered the MediaTek audio DSP firmware and discovered several vulnerabilities that are accessible from the Android user space. The goal of our research was to find a way to attack the audio DSP from an Android phone.

A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user.

By chaining with vulnerabilities in Original equipment manufacturer (OEM) partner’s libraries, the MediaTek security issues we found could lead to local privilege escalation from an Android application.

The discovered vulnerabilities in the DSP firmware (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) have already been fixed and published in the October 2021 MediaTek Security Bulletin. The security issue in the MediaTek audio HAL (CVE-2021-0673) was fixed in October and will be published in the December 2021 MediaTek Security Bulletin.

 

Check Point’s customer remain fully protected against such threats with Harmony Mobile Security that Prevents malware from infiltrating  devices by detecting and blocking the download of malicious apps in real-time.
By extending Check Point’s industry-leading network security technologies to mobile devices, Harmony Mobile offers a broad range of network security capabilities, ensuring devices are not exposed to compromise with real-time risk assessments

Protection name: VULN__CVE20210673

 

Read the full technical details