Bugs in MediaTek Chips Impact 37% of All Android Smartphones

A flaw in MediaTek chipsets allowed third-party apps to snoop on users.

 

Check Point researchers have uncovered new flaws in MediaTek system-on-chips (SoCs) that could have enabled threat actors to eavesdrop on the audio of roughly two-fifths (37%) of all smartphones and Internet of Things devices.

Tracked as CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663, the three security flaws were patched by Taiwanese microchip firm MediaTek in its October bulletin after responsible disclosure by Check Point Research. A fourth bug, CVE-2021-0673, was fixed in October and will probably be published in the December bulletin.

The Check Point team said it reverse engineered one of the key components on the chip, the audio digital signal processor (DSP), which is used to reduce CPU usage and improve media output.

The published report also outlined the steps attackers would have to go through to abuse this flaw. The vulnerability can only be exploited if a user installs a malicious app from the Google Play Store, allowing hackers to exploit the flaw in MediaTek SoC-powered smartphones. Once installed, the app leverages the MediaTek API to attack a library that has permission to communicate with the audio driver.

After that, the malicious app, now holding system privilege, sends crafted messages to the driver to execute code in the firmware of the audio processor. This would enable remote attackers to eavesdrop on audio conversations.

MediaTek’s chip is the primary processor for “nearly every notable Android device,” including those from several Chinese manufacturers such as Xiaomi, Oppo, Realme, and Vivo, according to Check Point.

“Left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users. Furthermore, the security flaws could have been misused by the device manufacturers themselves to create a massive eavesdrop campaign,” warned Check Point security researcher Slava Makkaveev. “Although we do not see any specific evidence of such misuse, we moved quickly to disclose our findings to MediaTek and Xiaomi.”

Tiger Hsu, product security officer at MediaTek, urged all customers to replace their handsets when patches become available but was at pains to point out there’s no evidence the vulnerabilities are currently being abused.

“Device security is a critical component and priority of all MediaTek platforms,” Hsu stated. “Regarding the audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs.”