Xiaomi Smartphones with MediaTek Chips Are Vulnerable to Counterfeit Payments

Analysts have identified problems in the payment system that are present on Xiaomi smartphones with MediaTek chips, and which provide a Trusted Execution Environment (TEE) responsible for signing transactions.

These bugs can be used to sign fake payment packages using a non-privileged third party application. Among the consequences of such an attack can be both disabling the mobile payment mechanism and forgery of transactions (signing transactions from the user’s mobile wallet to the attacker’s wallet).

Let me remind you that we also wrote that Information security experts suspect Chinese company Xiaomi of spying on users, and also that Lithuanian authorities discovered censorship in Xiaomi smartphones.

Check Point experts explain that Xiaomi smartphones with MediaTek chips use the Kinibi TEE architecture, which has a separate virtual enclave to store the keys needed to sign transactions. This space is designed to run trusted applications such as thhadmin, which is responsible for managing security, including the built-in Tencent Soter mobile payment platform and providing an API for integrating payment capabilities.

That is, applications such as WeChat Pay and Alipay, which together have over a billion users, rely on the Tencent Soter API to verify payment packages and complete transactions.

Xiaomi with MediaTek chips

As the researchers found out, in the trusted application format that Xiaomi uses, a bug was found related to the lack of version control. This problem opens the door to a downgrade attack, meaning a hacker can replace a newer and more secure application with an older and more vulnerable version. As a result, the researchers bypassed the Xiaomi and MediaTek patches by overwriting the thhadmin application in MIUI with the application from MIUI, which opened up many opportunities for subsequent abuse.

Experts were also able to exploit another vulnerability (CVE-2020-14125) in the trusted Tencent Soter application, which allows an attacker to extract private keys and sign fake payment packages in the context of an unprivileged user.

For users of vulnerable Xiaomi smartphones, a patch is already available – the June security updates for Android, which fix the CVE-2020-14125 vulnerability.

However, the downgrade vulnerability is a third-party issue, and so far, Xiaomi representatives have only confirmed that a fix is being worked on and should be released in the near future.

For this reason, the researchers recommend that anyone who cannot fully give up mobile payments, should try to minimize the number of applications installed on the device, regularly update the OS and use security solutions that can stop suspicious activities.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button