Vulnerabilities in MediaTek chipset could have led to spying on Android users

25 Nov, 2021

New vulnerabilities found in MediaTek Dimensity chipset could have allowed threat actors to carry out privilege escalation and eavesdrop on Android users, Check Point Software said in its latest report.  

During their research, the cybersecurity firm found three vulnerabilities (CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663) in the chipset's audio DSP (digital signal processor) firmware, and a security issue in the MediaTek audio HAL (CVE-2021-0673).

All vulnerabilities and security issues flagged by the cybersecurity company were patched by MediaTek in October.  

To find the vulnerabilities, researchers at Check Point reverse-engineered the audio manager API and the firmware that runs on the audio DSP. The test was performed on a rooted Xiaomi Redmi Note 9 smartphone running on a MediaTek Dimensity 800U chipset, with MIUI Global on top of Android 11.

They found that an unprivileged Android application could abuse the AudioManager API by crafting a parameter value to attack the Android Aurisys HAL (CVE-2021-0673). When the researchers combined CVE-2021-0673 with other vulnerabilities in original equipment manufacturer (OEM) partners' libraries, they found a security issue that could have triggered local privilege escalation from an Android application.

Since there are few media-related drivers on a smartphone, they easily found the driver that facilitates communication between the AP (application processor) and the DSP.  

Using the local privilege escalation, researchers were able to send messages to the audio DSP firmware, which has access to the audio data flow. 

The researchers concluded that by sending a malformed message, attackers could easily trigger privilege escalation and eavesdrop on the owner of the device running on the MediaTek Dimensity chipset.  

By exploiting these vulnerabilities, attackers could perform other malicious activities too, such as executing and hiding malicious code in the audio DSP chip.  

MediaTek is the leading supplier of mobile SoCs (systems on a chip) and accounts for around 37% of all smartphones and IoT devices in the world. Its Dimensity series chipsets are used in flagship smartphones by all major brands, including Xiaomi, Oppo, OnePlus, Realme and Vivo.

This isn't the first time security researchers have come across vulnerabilities in MediaTek’s chipsets. In March 2020, Google flagged a rootkit in the firmware of MediaTek's 64-bit chipsets, which could have been exploited by attackers to root Android devices using a simple script. The vulnerability, now patched, was believed to have affected millions of Android devices.