Check Point Research has identified several security holes in the audio processor of MediaTek’s SoCs that could allow a so-called “privilege escalation attack”: by obtaining the highest levels of authorization, an attacker could both spy on users and hide malicious code inside Android smartphones.
The MediaTek chips, which have been the most popular in the mobile field for months now, integrate a special accelerated processing unit (APU) and a digital signal processor (DSP) to improve multimedia performance and reduce CPU usage. Both the APU and the DSP have custom microprocessor architectures, which makes security research on them difficult.
Trying to understand to what extent the DSP could be used as a vector for a possible attack, Check Point Research nevertheless managed to reverse engineer the audio processor, discovering several security holes.
This is the comment of Slava Makkaveev, Security Researcher at Check Point Software:
MediaTek is undoubtedly one of the most famous chips among mobile devices. Given its huge global reach, we suspected it could be used as an attack vector by hackers. We started researching this technology and discovered a chain of vulnerabilities that could potentially be used to reach and attack the chip’s audio processor from an Android app. Without a patch, a hacker could have exploited the vulnerabilities to listen to user conversations.
Makkaveev also pointed out that the security holes could have been misused by the device manufacturers themselves to “create a massive wiretapping campaign”:
While there is no evidence of such misuse, we quickly shared our findings with MediaTek and Xiaomi (a major user of MediaTek processors, ed.). In short, we demonstrated the existence of a totally new attack vector that could have harmed the Android APIs. Our message to the Android community is to update devices to the latest security patch in order to stay safe. MediaTek worked diligently with us to ensure that security issues were resolved quickly and we are grateful to them for their cooperation and focus on a safer world.
However, MediaTek already corrected these vulnerabilities with patches last October. The security issue in MediaTek’s audio HAL, also corrected in October, will be published in the December 2021 MediaTek Security Bulletin. As of today, states Tiger Hsu, Product Security Officer of MediaTek, there is no information regarding their possible exploitation:
The security of a device is an essential component and a priority of all MediaTek platforms. Regarding the Audio DSP vulnerability discovered by Check Point, we have worked carefully to validate the criticality and have taken the mitigation actions available on all OEMs. We have no evidence that this vulnerability has been exploited.
Neither the Check Point researchers nor MediaTek have disclosed which SoCs are affected; according to the research whitepaper, they would be those based on the so-called Tensilica APU platform, the same one on which some Huawei HiSilicon Kirin chips are also based.