Widely Used MediaTek SoCs Contain Eavesdropping Bugs
Widely used Taiwanese MediaTek system-on-chips (SoCs) contain multiple vulnerabilities, according to Check Point researchers. The chips are deployed in approximately 37% of all smartphones and IoT devices worldwide, including models by Xiaomi, Oppo, Realme, and Vivo.
The weaknesses could have allowed cybercriminals to perform elevation-of-privilege attacks and subsequently execute arbitrary code in the audio processor's firmware. In other words, threat actors could carry out large-scale eavesdropping campaigns without the users' awareness.
The vulnerabilities stem from a specific AI processing unit (APU) and digital signal processor (DSP), which are used to improve media performance and reduce CPU usage. Both components are based on the custom Tensilica Xtensa microprocessor architecture, which allows chip manufacturers to extend the base Xtensa instruction set with custom instructions. This is done to optimize some algorithms and prevent them from being copied.
Check Point researchers succeeded in reverse-engineering the MediaTek audio DSP firmware "despite the unique opcodes and processor registers," and uncovered a number of security flaws accessible from the Android user space.
The researchers chained the weaknesses with vulnerabilities in original equipment manufacturer (OEM) partners' libraries, and found that a local privilege escalation attack is possible from an Android app. "A successful exploitation of the DSP vulnerabilities could potentially allow an attacker to listen to user conversations and/or hide malicious code," the researchers said.
A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user, the report added.
CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663
The vulnerabilities are tracked under the CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663 advisories. In short, the issues stem from a heap-based buffer overflow in the audio DSP component that could be leveraged to reach elevated privileges.
The following chipsets are affected by the vulnerabilities: MT6779, MT6781, MT6785, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, and MT8797, on Android versions 9.0, 10.0, and 11.0.
You can learn more technical details about the vulnerabilities from the original report.
In 2019, security researchers discovered several issues in Broadcom WiFi chipset drivers. The flaws (CVE-2019-9503, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502) affected multiple operating systems and could allow remote attackers to execute arbitrary code, resulting in a denial-of-service condition.