Check Point Software finds four vulnerabilities in MediaTek smartphone chips
Check Point Software Technologies Ltd., a publicly traded cybersecurity provider, has discovered four vulnerabilities in smartphone chips from MediaTek Inc. that could enable hackers to install malware on affected devices.
Check Point Software’s cybersecurity research unit detailed the vulnerabilities on Wednesday. MediaTek released patches in October.
Taiwan-based MediaTek supplies chips for Android handsets and “internet of things” products. The company’s silicon powers 37% of all smartphones and IoT devices, according to market research cited by Check Point Software.
The four vulnerabilities discovered by the cybersecurity firm affect some of MediaTek’s systems-on-chip, which combine a central processing unit with additional computing modules. Those additional modules include an artificial intelligence accelerator and a digital signal processor that performs audio processing tasks.
The vulnerabilities detailed by Check Point Software affect the digital signal processor. Three of the vulnerabilities are in the processor’s firmware, the low-level software that controls how a chip operates. The fourth security issue was found in the hardware abstraction layer. The hardware abstraction layer is a technology that is used by a device’s operating system, in this case Android, to control the chip on which it runs.
According to Check Point Software, the vulnerabilities can be used by a malicious Android application to infect a MediaTek system-on-chip’s digital signal processor with malware and eavesdrop on users. Hackers can install the malware by causing the processor to generate a software flaw known as a heap overflow. In a heap overflow, parts of a processor’s memory that contain application data are overwritten with malicious code.
The cause of the issue, Check Point Software detailed, is a set of faulty configuration settings that were originally implemented for debugging purposes but can be abused by malicious apps to launch cyberattacks. By themselves, the settings wouldn’t pose a severe risk because they can’t be accessed by Android apps under normal conditions. But access is made possible by a separate set of issues affecting a piece of software that the digital signal processor uses to coordinate its work with other components of the system-on-chip.
Check Point Software has added the vulnerabilities to the CVE system, a database operated by the nonprofit MITRE Corp. that the cybersecurity community uses to track cybersecurity flaws. The vulnerabilities are tracked as CVE-2021-0661, CVE-2021-0662, CVE-2021-0663 and CVE-2021-0673.
Previously, Check Point Software researchers discovered a vulnerability in a digital signal processor from Qualcomm Inc,. another major supplier of chips for smartphones. The vulnerability made it possible for hackers to install unremovable malware on affected handsets.
Image: Unsplash
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU