Newly discovered vulnerabilities in MediaTek chips, embedded in 37% of smartphones and Internet of Things (IoT) devices around the world, could have allowed attackers to eavesdrop on Android users from an unprivileged application.
The vulnerabilities are found specifically in a part of the MediaTek system-on-chip that handles audio signals, Check Point Research explained in a blog post. Modern MediaTek chips, built into advanced phones from Xiaomi, Oppo, Realme and Vivo, feature an artificial intelligence (AI) processor unit (APU) and audio digital signal processor (DSP) to increase media performance and reduce CPU usage.
Researchers say the goal of their analysis was to find a way to attack the audio DSP from an Android phone. To that end, the team reverse-engineered the MediaTek audio DSP firmware to find more bugs reachable from Android user space, they report.
They found that an unprivileged Android application could abuse the AudioManager API by setting a crafted parameter value to exploit a vulnerability in the Android Aurisys hardware abstraction layer (HAL) (CVE-2021-0673). By chaining this bug with bugs in the OEM partner’s libraries, Check Point found, the MediaTek security bug could lead to local privilege escalation from an Android app. With this, an Android app may be able to send messages to the audio DSP firmware.
Three other vulnerabilities in the audio DSP itself (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) may allow an attacker to perform additional malicious actions, such as hiding and executing code in the audio DSP.
The detected bugs in the DSP firmware have been fixed and published in the MediaTek Security Bulletin of October 2021, Check Point reports. CVE-2021-0673 was fixed in October and will appear in the December 2021 MediaTek Security Bulletin.
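For defenders who manage a fleet of Android devices, the practical question raised by the two bulletin dates above is which devices are MediaTek-based and still run firmware older than the fixes. The triage helper below is an added example written for this article; it is not code from Check Point Research or MediaTek. It parses the output of `adb shell getprop`, identifies MediaTek SoCs from the platform and SoC properties, and compares the Android security patch level against the October 2021 (DSP bugs) and December 2021 (CVE-2021-0673) fix dates. The assumption that a device's `ro.build.version.security_patch` value of 2021-12-01 or later implies the OEM shipped these MediaTek fixes is mine, not the article's, and should be confirmed against the OEM's own bulletin; the sample getprop dumps are constructed.

```python
"""Triage helper: decide from `adb shell getprop` output whether an Android
device is MediaTek-based and whether its security patch level predates the
MediaTek audio DSP / Aurisys HAL fixes.

ASSUMPTION (not from the article): OEM updates that carry the October and
December 2021 MediaTek bulletin fixes also advance the Android security patch
level, so a level of 2021-12-01 or later is treated as covering all four CVEs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Dates taken from the article: DSP bugs fixed in the October 2021 bulletin,
# CVE-2021-0673 published in the December 2021 bulletin.
DSP_FIX_LEVEL = date(2021, 10, 1)   # CVE-2021-0661, CVE-2021-0662, CVE-2021-0663
HAL_FIX_LEVEL = date(2021, 12, 1)   # CVE-2021-0673

# getprop prints one property per line: [ro.board.platform]: [mt6893]
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> dict[str, str]:
    """Turn raw getprop output into a {name: value} dict; junk lines are skipped."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def is_mediatek(props: dict[str, str]) -> bool:
    """MediaTek SoCs use an 'mt' platform prefix (e.g. mt6893) and report
    'Mediatek' in the SoC manufacturer property on newer Android versions."""
    candidates = (
        props.get("ro.board.platform", ""),
        props.get("ro.hardware", ""),
        props.get("ro.soc.manufacturer", ""),
    )
    return any(c.lower().startswith("mt") or "mediatek" in c.lower() for c in candidates)


def patch_level(props: dict[str, str]) -> date | None:
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if missing/garbled."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        y, m, d = (int(x) for x in raw.split("-"))
        return date(y, m, d)
    except ValueError:
        return None


@dataclass
class Verdict:
    mediatek: bool
    patch_level: date | None
    dsp_bugs_exposed: bool   # CVE-2021-0661/0662/0663
    hal_bug_exposed: bool    # CVE-2021-0673


def triage(getprop_output: str) -> Verdict:
    props = parse_getprop(getprop_output)
    mtk = is_mediatek(props)
    level = patch_level(props)
    # Non-MediaTek devices are out of scope. A MediaTek device with an unknown
    # patch level is flagged as exposed so it gets manual review instead of
    # silently passing.
    dsp = mtk and (level is None or level < DSP_FIX_LEVEL)
    hal = mtk and (level is None or level < HAL_FIX_LEVEL)
    return Verdict(mtk, level, dsp, hal)


# Constructed sample dumps (not captured from real devices).
SAMPLE_PATCHED = "[ro.board.platform]: [mt6893]\n[ro.build.version.security_patch]: [2022-01-01]\n"
SAMPLE_OLD = "[ro.hardware]: [mt6768]\n[ro.build.version.security_patch]: [2021-09-05]\n"
SAMPLE_MID = "[ro.soc.manufacturer]: [Mediatek]\n[ro.build.version.security_patch]: [2021-11-01]\n"
SAMPLE_QCOM = "[ro.board.platform]: [sm8350]\n[ro.build.version.security_patch]: [2021-06-01]\n"
SAMPLE_UNKNOWN = "[ro.board.platform]: [mt6893]\n"

if __name__ == "__main__":
    for name, dump in [("patched", SAMPLE_PATCHED), ("old", SAMPLE_OLD),
                       ("mid", SAMPLE_MID), ("qcom", SAMPLE_QCOM), ("unknown", SAMPLE_UNKNOWN)]:
        print(name, triage(dump))
```

Feed it the saved getprop output of each device (`adb shell getprop > device.txt`) and act on the two exposure flags separately: a device at a November 2021 patch level is past the DSP fixes but still predates the HAL fix.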
Read Check Point Research’s blog post and technical write-up for more information.