Xiaomi Phones Vulnerable to Forged Payments

Xiaomi Phones Vulnerable to Forged Payments – Are MediaTech Chips To Blame

Major security flaws were discovered in two Xiaomi phones, including the Xiaomi Redmi Note 9T and the Redmi Note 11 models. According to Check Point, flaws were found in the devices that were powered by MediaTek chipsets when they were conducting a security analysis of a Chinese handset maker’s Kinibi Trusted Execution Environment or TEE.

TEE is secure enclaves inside the main processor used to process and store sensitive information, including cryptographic keys. They help main confidentiality and integrity. 

The Israeli cyber security firm discovered that a trusted app could be downgraded on a Xiaomi device if there was a lack of control. Therefore, it enabled the attacker to replace the newer and more secure app with one that was old and vulnerable. 

Due to this, Researcher Slava Makkaveev from Check Point believes that the attacker can bypass security fixes Xiaomi or MediaTek make in trusted apps and downgrade them to their older unpatched versions.

Furthermore, the researchers have also found a vulnerability in thhadmin, a trusted app responsible for security management. Attackers could abuse and leak stored keys or execute arbitrary code and pin it on the app. 

The weakness aims at trusted apps developed by Xiaomi and implement cryptographic operations related to service, Tencent Soter, which is a biometric standard. It functions as an embedded mobile payment framework and authorizes transactions made on third-party apps that use WeChat and AliPay.

However, a heap overflow vulnerability on the soter trusted app could be exploited to induce a denial of service by an Android app that may not have permission to communicate with TEE directly. 

Furthermore, chaining the previously mentioned downgrade attack in an attempt to replace the soter trusted app with an old and vulnerable version could make extracting private keys used to sign payment packages possible, according to Check Point

Read Also

Abdul Wahab is a Software Engineer by profession and a Tech geek by nature. Having been associated with the tech industry for the last five years, he has covered a wide range of Tech topics and produced well-researched and engaging content. You will mostly find him reviewing tech products and writing blog posts. Binge-watching tech reviews and endlessly reading tech blogs are his favorite hobbies.