MediaTek Smartphone Chip Vulnerability Could Allow Spying On Android Smartphones

Researchers have shared details of recently patched vulnerabilities affecting MediaTek chips. Exploiting these bugs in MediaTek Systems on a Chip (SoCs) could allow eavesdropping on Android smartphone users. The chipsets in question power most of today’s Android phones.

MediaTek Smartphone Chip Bugs

According to a recent report from Check Point Research, numerous security bugs affecting the latest MediaTek Systems on a Chip (SoCs) put smartphone security at risk. Specifically, these bugs affected the chip’s audio digital signal processor (DSP) firmware.

Describing the audio DSP, the researchers explained that most recent MediaTek SoCs include a dedicated AI processing unit (APU) and an audio digital signal processor (DSP). These components help reduce CPU usage and improve media performance. The report reads:

“Both the APU and the audio DSP have custom Tensilica Xtensa microprocessor architecture. The Tensilica processor platform allows chip manufacturers to extend the base Xtensa instruction set with custom instructions to optimize particular algorithms and prevent them from being copied.”

Given its significance, the Check Point Research team reverse-engineered the audio DSP firmware, which led them to several vulnerabilities.

Briefly, they observed three heap-based buffer overflow vulnerabilities: CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663. Despite their similar nature, these bugs affected different functions: the AUDIO_DSP_TASK_MSGA2DSHAREMEM message handler, the init_share_mem_core function, and the audio_dsp_hw_open_op function.

Exploiting the bugs could allow eavesdropping on the Android phone’s user.

“Since the DSP firmware has access to the audio data flow, a malformed IPI message could potentially be used by a local attacker to do privilege escalation, and theoretically eavesdrop on the mobile phone’s user.”

Patches Rolled Out

After discovering the bugs, the researchers contacted MediaTek to report the matter. Consequently, MediaTek addressed the flaws.

As evident from its October security bulletin, MediaTek has patched numerous other vulnerabilities along with these three. The bulletin gives the same vulnerability description for all three bugs:

“In audio DSP, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.”

These bugs typically affect handsets running Android 9, 10, and 11. The affected chipsets include MT6779, MT6781, MT6785, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, and MT8797.

Alongside these three, CPR also found another bug in the MediaTek audio HAL (CVE-2021-0673). While MediaTek also patched this vulnerability in October, it will disclose the bug fix in December’s security bulletin.

1 comment

Oliver55h November 28, 2021 - 9:36 pm
Actually I have gone through bad cybercrime a lot. I always need to secure my devices from exposure to threats, but someone is behind my use of work sending targeted bugs, trying to make my device always have errors so that he can report them. By all means he records my analytics, getting me across many open source. My device is now like an experimental tool. This is very bad.
