Vulnerabilities have been detected in Xiaomi’s mobile payment mechanism that could allow forged transactions and therefore harm the user. The analysis was carried out by the security agency Check Point, whose investigation detected flaws thanks to certain Android smartphones of the Chinese brand.
More specifically, Check Point Research (CPR) analyzed the payment system integrated in Xiaomi smartphones with MediaTek chips. It was on these devices that the security agency found warning signs, which it nevertheless disclosed and also shared with Lei Jun’s company.
Vulnerabilities detected by the Check Point agency in Xiaomi smartphones
In fact, vulnerabilities were found that could allow payment forgery and direct disabling of the payment system. This from an Android app with no notable privileges or permissions. However, the agency in question collaborated with Xiaomi. The company acknowledged the vulnerabilities and provided patches for the vulnerabilities.
The problem was a vulnerability in the payment systems of Xiaomi mobile phones. These vulnerabilities primarily affect smartphones with MediaTe processorsk However, according to reports made by Check Point Research to payment systems in China, the threat was reduced outside of this country.
With the rise in popularity of mobile payments, a common form of payment around the world, they are increasingly being targeted by criminals. They are systems that most smartphone users already use daily and comfortably, clearing up doubts and uncertainties.
Xiaomi smartphones with MediaTek chips were attacked in China
According to the report by CPR (Mobile) researchers, the threat could affect the payment system embedded in Xiaomi smartphones with MediaTek chips. More affordable models, therefore very popular in China and other global markets.
During these analyses, vulnerabilities were discovered that could allow payment packets to be spoofed. They could also disable the payment system directly from an Android app without privileges.
If TEE is secure, so are your payments.
The Trusted Execution Environment (TEE) has been an integral part of mobile devices for many years. Its main purpose is to process and store sensitive security information. Information such as cryptographic keys and fingerprints.
Since mobile payment subscriptions are made on the TEE, we assume that the TEE is secure. So are your payments.
The Asian market, mainly represented by smartphones based on MediaTek chips, has not been widely explored yet. No one is examining trustworthy apps written by device vendors like Xiaomi. This is despite the fact that security management and the core of mobile payments are implemented there.
According to CPR, “Our study marks the first time that trusted Xiaomi apps have been reviewed for security reasons.”
“In our research, we focused on trusted applications of devices MediaTek. The test device used is Xiaomi Redmi Note 9T 5G with Android operating system and MIUI Global 12.5.6.0 interface.”, says CPR.
conclusion
- Throughout this investigation, they detected ways to attack the platform built into Xiaomi smartphones and used by millions of users in China for mobile payments.
- An unprivileged Android app could exploit the CVE-2020-14125 vulnerability to execute code in the trusted wechat app and spoof payment packets.
- After disclosure and collaboration, Xiaomi fixed this vulnerability in June 2022.
- In addition, they demonstrated how the downgrade vulnerability in Xiaomi’s TEE can allow the older version of the wechat app to steal private keys. This submitted vulnerability was also patched and patched by Xiaomi after disclosure and collaboration.
- The declassification issue, confirmed by Xiaomi as belonging to a third-party provider, will be fixed soon.
