Security researchers from Check Point have discovered vulnerabilities in the audio processor of MediaTek chips, which sits alongside the chips' AI Processing Unit (APU). The researchers warn that users could be eavesdropped on through the audio processor. MediaTek chips are installed in 37% of all Android devices. The case is reminiscent of the earlier vulnerability in Qualcomm chips.
Vulnerability in the audio processor
The security firm's research division, Check Point Research (CPR), examined the smartphone chips of the Taiwanese manufacturer MediaTek for security vulnerabilities. In the process, they discovered a vulnerability in the chips' audio processor. It would have allowed attackers to eavesdrop on smartphones and listen in on conversations.
MediaTek chips are installed in around 37 percent of all Android smartphones in the world, including devices from Xiaomi, Oppo, Realme and Vivo.
MediaTek chips include a dedicated AI processing unit (APU) and digital audio signal processor (DSP) to improve playback and reduce CPU utilization. Both the APU and audio DSP have specialized microprocessor architectures, making the MediaTek DSP a unique and challenging target for security research. CPR was therefore curious about how the audio DSP could be used as an entry point for hackers. Now, for the first time, CPR says it was able to reverse engineer the MediaTek audio processor, uncovering multiple security vulnerabilities.
The attack methodology
Check Point Research (CPR) describes in its announcement the chain an attacker would, in theory, have to follow to exploit the vulnerabilities:
1) A user installs a malicious app from the Play Store and launches it.
2) The app uses the MediaTek API to attack a library that has permission to communicate with the audio driver.
3) Running with that library's system privileges, the app sends manipulated messages to the audio driver, which cause malicious code to execute in the audio processor's firmware.
4) The app then taps the stream of audio data and thus listens in on conversations.
Slava Makkaveev, security researcher at Check Point, explains: "MediaTek is known to be the most popular chip for portable devices, such as smartphones. Given its prevalence, we suspected that it could be used as an attack path by hackers. We began investigating, which led to the discovery of a number of vulnerabilities through which the chip's audio processor could be accessed and attacked from an Android application. If the vulnerabilities were not fixed, a hacker could have exploited them to listen in on Android users' conversations. In addition, the vulnerabilities could have been abused by the device manufacturers themselves for a massive eavesdropping campaign. Although we do not see any concrete evidence of abuse of any kind, we quickly informed MediaTek and Xiaomi, the largest vendor of smartphones with the MediaTek chip, about our findings. In summary, we have proven a completely new attack path via the Android API. So our message to Android users is that they should update their devices with the new security updates to be protected. MediaTek has worked diligently with us to ensure these issues are fixed quickly, and we are grateful for their cooperation and commitment to a safer world."
Disclosure in coordination with manufacturer
CPR reported its findings to MediaTek, which assigned them the identifiers CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663. These three vulnerabilities were fixed and disclosed in the October 2021 MediaTek Security Bulletin. The MediaTek audio HAL vulnerability (CVE-2021-0673) was also fixed in October and will be published in the December 2021 MediaTek Security Bulletin. CPR additionally informed the Chinese manufacturer Xiaomi of its findings. With that, MediaTek has closed all four vulnerabilities; devices receive the fixes through their manufacturers' updates.
Smartphones often download such updates automatically. Otherwise they prompt the user, who should install them promptly, because the vulnerabilities remain exploitable until the update is applied. More about the vulnerabilities in MediaTek's Android chips, including technical details, can be found in Check Point Research's write-up.
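As a practical check to go with the update advice, here is an added example script (not from the article or from Check Point Research) that reads two standard Android build properties, ro.board.platform and ro.build.version.security_patch, and maps them onto the bulletin months given above: 2021-10 for the three DSP firmware CVEs and 2021-12 for the audio HAL CVE. The MediaTek platform heuristic (a platform string beginning with "mt"), the status labels and the --device switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article or of Check Point's research.
# Classifies a device by SoC family and Android security patch level against the
# MediaTek bulletin months named in the article. Property names are standard
# Android build properties; the "mt" prefix heuristic is an assumption.

# is_mediatek PLATFORM -> success if the platform string looks like a MediaTek SoC
# (ro.board.platform is commonly e.g. mt6768 or mt6853 on MediaTek devices).
is_mediatek() {
    case "$1" in
        mt*|MT*) return 0 ;;
        *)       return 1 ;;
    esac
}

# patch_at_least PATCH_LEVEL YYYY-MM -> success if PATCH_LEVEL (YYYY-MM-DD) is
# in or after month YYYY-MM. Both are reduced to YYYYMM and compared numerically,
# and anything that is not a well-formed date is treated as NOT patched.
patch_at_least() {
    level=$(printf '%s' "$1" | cut -c1-7 | tr -d -)   # 2021-12-05 -> 202112
    min=$(printf '%s' "$2" | tr -d -)                  # 2021-12    -> 202112
    case "$level" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$level" -ge "$min" ]
}

# assess PLATFORM PATCH_LEVEL -> prints one of:
#   not-mediatek  platform string does not look like a MediaTek SoC
#   unpatched     patch level predates the October 2021 bulletin (DSP CVEs)
#   partial       October 2021 reached, but not the December 2021 bulletin
#                 in which the audio HAL CVE-2021-0673 is published
#   patched       December 2021 or later
assess() {
    if ! is_mediatek "$1"; then echo not-mediatek; return; fi
    if ! patch_at_least "$2" 2021-10; then echo unpatched; return; fi
    if ! patch_at_least "$2" 2021-12; then echo partial; return; fi
    echo patched
}

# With --device, query a connected phone through adb (assumed to be installed).
if [ "${1:-}" = "--device" ]; then
    plat=$(adb shell getprop ro.board.platform 2>/dev/null | tr -d '\r')
    spl=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
    echo "platform=$plat security_patch=$spl status=$(assess "$plat" "$spl")"
fi
```

Run it with --device on a workstation that has adb and a connected phone. The security patch level is only a coarse proxy: it states which monthly bulletin the manufacturer's build declares, not whether the MediaTek-specific patches for the audio DSP firmware and HAL were actually merged into that build, so "patched" means the fix is no longer obviously missing, not that the four CVEs were verified individually. The manufacturer's own firmware notes remain the authoritative source.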