Security flaws found in Xiaomi phones’ trusted environment could have affected over 1 billion users

Security researchers have found vulnerabilities in Xiaomi phones’ trusted environment, which could have affected more than a billion users. If left unpatched, they could have allowed attackers to steal private keys used to login into payment apps such as WeChat Pay, the researchers warned. 

The vulnerabilities were flagged by Cybersecurity firm Check Point Research (CPR), which said that Xiaomi acknowledged and fixed the security flaws after they were brought to its attention. 

Though CPR didn't disclose the name of the afflicted Xiaomi devices, it said that they were powered by MediaTek chips.

A trusted environment is an isolated space on a smartphone that is designed to run trusted apps with higher security and privacy demands. Most payment apps such as WeChat and Samsung Pay use this space to store tokenised information such as private keys and passwords. 

“We were able to hack into WeChat Pay and implemented a fully worked proof of concept,” Slava Makkaveev, a security researcher at CPR said in a statement. 

Makkaveev and his team, during their research, found that the vulnerabilities could have been exploited to attack the trusted code in two ways. In the first method, they installed a malicious application and used it to extract the private keys and send a fake payment packet to steal the money.

In the second method, they rooted the device to downgrade the trust environment and then ran a code to create a fake payment package without involving an application. 

“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application,” added Makkaveev. 

Makkaveev urged users to apply the latest updates and security patches released by the company. 

Though Makkaveev said that this is the first time Xiaomi's trusted applications are being reviewed for security issues, CPR has flagged vulnerabilities in Xiaomi devices in the past. For instance, in 2019, CPR found a vulnerability in a pre-installed security app called Guard Provider on Xiaomi smartphones. The network traffic of the app was found to be unsecured and vulnerable to man-in-the-middle attacks (MIMT).