Researchers have shared details of recently patched vulnerabilities affecting MediaTek chips. Exploiting these bugs in MediaTek systems on a chip (SoCs) could allow eavesdropping on Android smartphone users. The chipsets in question power most of today's Android phones.
MediaTek Smartphone Chip Bugs
According to a recent report from Check Point Research, numerous security bugs affecting the latest MediaTek Systems on a Chip (SoCs) risked smartphone security. Specifically, these bugs affected the chip’s audio Digital signal processor (DSP) firmware.
The researchers explained that most recent MediaTek SoCs include a dedicated AI processing unit (APU) and an audio digital signal processor (DSP). These components offload work from the main CPU and improve media performance. Describing these components, the report reads,
Both the APU and the audio DSP have custom Tensilica Xtensa microprocessor architecture. The Tensilica processor platform allows chip manufacturers to extend the base Xtensa instruction set with custom instructions to optimize particular algorithms and prevent them from being copied.
Given its significance, the Check Point Research team reverse-engineered the audio DSP firmware, which led them to several vulnerabilities.
Briefly, they observed three heap-based buffer overflow vulnerabilities: CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663. Despite their similar nature, these bugs affected different functions: the AUDIO_DSP_TASK_MSGA2DSHAREMEM message handler, the init_share_mem_core function, and the
Exploiting the bugs could allow eavesdropping on the Android phone’s user.
Since the DSP firmware has access to the audio data flow, a malformed IPI message could potentially be used by a local attacker to do privilege escalation, and theoretically eavesdrop on the mobile phone’s user.
Patches Rolled Out
After discovering the bugs, the researchers contacted MediaTek to report the matter. Consequently, MediaTek addressed the flaws.
As its October security bulletin shows, MediaTek patched numerous other vulnerabilities along with these three. The bulletin gives the same description for all three bugs,
In audio DSP, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
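The bulletin describes the bug class as an out-of-bounds write caused by an incorrect bounds check in a handler that writes into shared memory. The following C program is an added illustration of that class and its fix; it is not MediaTek's or Check Point's code and does not reproduce the real firmware. All names (the message layout, `SHARE_MEM_SIZE`, the handler functions) are hypothetical. The vulnerable handler validates only where a write starts, the hardened one validates where it ends as well, and a guard area after the buffer shows which of the two lets an untrusted length run past it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of "out of bounds write due to an incorrect
 * bounds check" in a shared-memory message handler. Every name is
 * hypothetical; this is not MediaTek's or Check Point's code.
 */

#define SHARE_MEM_SIZE 64u   /* hypothetical size of the DSP shared buffer */
#define GUARD_SIZE     32u   /* filler after the buffer used to detect overruns */
#define GUARD_BYTE     0xCC

/* A hypothetical IPI-style message: where to write in shared memory, how
 * much, and the bytes to write. The sender is less privileged than the
 * DSP, so none of these fields can be trusted. */
typedef struct {
    uint32_t offset;
    uint32_t len;
    const uint8_t *payload;
} ipi_msg_t;

/* Vulnerable handler: checks only where the write starts, never where it
 * ends, so offset + len may run past the buffer. Returns 0 on success,
 * -1 if the message is rejected. */
int handle_share_mem_vulnerable(uint8_t *share_mem, const ipi_msg_t *msg)
{
    if (msg->offset >= SHARE_MEM_SIZE)
        return -1;
    memcpy(share_mem + msg->offset, msg->payload, msg->len);
    return 0;
}

/* Hardened handler: both the start and the end of the write must lie inside
 * the buffer. The end check is a subtraction rather than offset + len so a
 * huge value cannot wrap around to something small. */
int handle_share_mem_fixed(uint8_t *share_mem, const ipi_msg_t *msg)
{
    if (msg->len > SHARE_MEM_SIZE || msg->offset > SHARE_MEM_SIZE - msg->len)
        return -1;
    memcpy(share_mem + msg->offset, msg->payload, msg->len);
    return 0;
}

/* Outcome of one handler call against a fresh buffer. */
enum { OUTCOME_ACCEPTED = 0, OUTCOME_REJECTED = 1, OUTCOME_OVERFLOW = 2 };

typedef int (*handler_fn)(uint8_t *, const ipi_msg_t *);

/* Runs a handler on a zeroed buffer followed by a guard area. Any change
 * to the guard bytes means the handler wrote out of bounds. */
int run_scenario(handler_fn handler, const ipi_msg_t *msg)
{
    uint8_t region[SHARE_MEM_SIZE + GUARD_SIZE];
    memset(region, 0, SHARE_MEM_SIZE);
    memset(region + SHARE_MEM_SIZE, GUARD_BYTE, GUARD_SIZE);

    int rc = handler(region, msg);

    for (size_t i = SHARE_MEM_SIZE; i < sizeof region; i++)
        if (region[i] != GUARD_BYTE)
            return OUTCOME_OVERFLOW;
    return rc == 0 ? OUTCOME_ACCEPTED : OUTCOME_REJECTED;
}

/* Constructed sample messages (not captured from any device). */
static const uint8_t kPayload[16] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};
/* In bounds: 16 bytes at offset 0. */
static const ipi_msg_t kValidMsg = { 0, 16, kPayload };
/* Starts in bounds (60 < 64) but ends 12 bytes past the buffer. */
static const ipi_msg_t kOversizedMsg = { 60, 16, kPayload };

int main(void)
{
    printf("vulnerable, oversized: %d (2 = overflow)\n",
           run_scenario(handle_share_mem_vulnerable, &kOversizedMsg));
    printf("fixed, oversized:      %d (1 = rejected)\n",
           run_scenario(handle_share_mem_fixed, &kOversizedMsg));
    printf("fixed, valid:          %d (0 = accepted)\n",
           run_scenario(handle_share_mem_fixed, &kValidMsg));
    return 0;
}
```

The guard-byte pattern is the same idea a fuzzing harness or a debug allocator uses to make a silent out-of-bounds write visible; in firmware without such instrumentation the corrupted bytes would belong to whatever the allocator placed after the buffer, which is what makes this class exploitable for privilege escalation.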
These bugs typically affect handsets running Android 9, 10, and 11. The affected chipsets include MT6779, MT6781, MT6785, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, and MT8797.
Alongside these three, Check Point Research (CPR) also found another bug in the MediaTek audio HAL (CVE-2021-0673). MediaTek patched this vulnerability in October as well, but will disclose the fix in December’s security bulletin.