Xiaomi Phones’ TEE Vulnerability May Allow Forge Mobile Payments

Researchers discovered a serious security vulnerability in MediaTek-powered Xiaomi Phones, allowing forged mobile payments due to TEE security issue. Xiaomi patched the vulnerability with June 2022 updates.

Xiaomi TEE Vulnerability Affecting Secure Payments Via Phones

Researchers from Check Point Research (CPR) have shared a detailed report about the security issues in Xiaomi phones. The vulnerability, CVE-2020–14125, allows forging mobile payments, particularly in Xiaomi phones, due to the Trusted Execution Environment (TEE) security issues.

Trusted Execution Environment (TEE) is the secure zone in processors storing sensitive information. TEE allows running trusted apps via a trusted OS, preventing unauthorized access to cryptographic information. Any vulnerability affecting this secure enclave can lead to severe damages, including financial losses and data breaches.

According to CPR, numerous studies have been conducted on the security status of popular TEEs like Qualcomm SEE and Trustonic Kinibi. While Xiaomi phones with Qualcomm chips use QSEE, the ones with MediaTek chips use Kinibi.

As a standard, Xiaomi phones prevent access from unauthorized apps to trusted apps. However, CPR previously discovered that a vulnerability in the ALAC media decoder allowed such communications. This vulnerability may also allow access to Xiaomi’s trusted apps.

About The Newly Discovered Tencent Soter Flaw

In their recent research, CPR researchers evaluated the MediaTek chip-based Xiaomi phones as they remained largely untapped in previous studies. They analyzed the Xiaomi Redmi Note 9T 5G with MIUI Global 12.5.6.0 OS.

This time, the researchers found a vulnerability in the Tencent Soter (CVE-2020-14125). Specifically, Tencent Soter is an embedded mobile payment framework that provides an API for third-party Android apps, like WeChat and AliPay, to integrate payment systems. While this trusted framework ensures verified and secured payments, the vulnerability allows an attacker to extract private keys and forge payments as an underprivileged user.

Describing how it becomes possible, the researchers stated,

The com.tencent.soter.soterserver system app exports (shares for the public access) the SoterService service, which provides the API to manage the soter keys. The service binds the vendor.microtrust.hardware.soter@1.0-service system service to communicate with the soter trusted app.

An unprivileged Android application has no permissions to communicate with the TEE directly, but it can use the SoterService as a proxy. The Java code invokes the initSigh function of the soter app and causes a crash in the trusted app… Therefore, a third-party Android application can easily attack the soter without any user interaction. Xiaomi did not implement an app permission to protect the soter API.

The researchers have elaborated on the technicalities of this vulnerability in their report.

Xiaomi Addressed The Flaw

Following the bug discovery, team CPR contacted Xiaomi officials to report the matter. And now, the researchers have confirmed that Xiaomi released the vulnerability fixes with June 2022 updates. In addition, the relevant third party is also handling the Soter key leak issue, as Xiaomi confirmed.

Hence, all Xiaomi users must ensure that their phones are running on the June 2022 updates or later. However, if immediate updates are not possible, or unless mobile payments are urgent, users can choose to disable mobile payments to prevent any losses.

Let us know your thoughts in the comments.