Check Point Research (CPR), a cybersecurity company, Check Point Software Technologies, discovered a security vulnerability that exists in the chip installed in 37% of smartphones. The vulnerability is that a malicious hacker could eavesdrop on the user.
It is the SoC manufactured by MediaTek, a Taiwanese semiconductor manufacturer, that CPR found the vulnerability. MediaTek has a market share high enough to call itself the world’s largest SoC manufacturer, and 37% of smartphones and IoT devices including Xiaomi, Oppo, Redmi, and Vivo are equipped with MediaTek chips.
Recent MediaTek SoCs have built-in special AI processing units and DSP for audio to improve media performance and reduce CPU usage. The CPR research team reverse-engineered the DSP firmware for MediaTek audio, finding a vulnerability that could be accessed from the Android smartphone user space.
As a result of the analysis, the research team found three vulnerabilities in DSP firmware (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) and one vulnerability in the audio hardware abstraction layer (CVE- 2021-0673). reported to have found
For the vulnerabilities discovered this time, the research team said that malicious interprocessor messages could be exploited by an attacker and malicious code could be executed or hidden within the DSP firmware. Because DSP firmware has access to the audio data flow, attacks on DSPs can be used to eavesdrop on users, it says.
They point out that this vulnerability could work in conjunction with a vulnerability in the OEM library that could allow an Android app to gain improper access privileges. If the hacker succeeds in elevating privileges, the app can send messages to the audio DSP firmware, he said.
The research team also wrote a proof-of-concept exploit for this vulnerability using a Xiaomi smartphone (Redmi Note 9 5G) equipped with a MediaTek chip MT6853, but they refrained from proof-of-concept for ethical reasons.
MediaTek released a patch for this vulnerability in October 2021. In addition, it reports on a DSP firmware vulnerability in October, and plans to publish details about the hardware abstraction layer vulnerability in December. Related information can be found here.