Xiaomi Phone Bug Allowed Payment Forgery
Nate Nelson · 2022-08-16 · via Vulnerabilities – Threatpost

Mobile transactions could’ve been disabled, created and signed by attackers.

Smartphone maker Xiaomi, the world’s number three phone maker behind Apple and Samsung, reported it has patched a high-severity flaw in its “trusted environment” used to store payment data that opened some of its handsets to attack.

Researchers at Check Point Research revealed last week in a report released at DEF CON that the Xiaomi smartphone flaw could have allowed hackers to hijack the mobile payment system and disable it or create and sign their own forged transactions.

The potential pool of victims was massive, considering one in seven of the world’s smartphones are manufactured by Xiaomi, according to Q2/22 data from Canalys. The company is the third largest vendor globally, according to Canalys.
“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept,” wrote Slava Makkaveev, security researcher with Check Point.

He said the Check Point study marks the first time Xiaomi’s trusted applications have been reviewed for security issues. WeChat Pay is a mobile payment and digital wallet service developed by Tencent, the Chinese company behind the WeChat messaging app. The service is used by over 300 million customers and allows Android users to make mobile payments and online transactions.

The Flaw

It’s unclear how long the vulnerability existed or if it was exploited by attackers in the wild. The bug, tracked as CVE-2020-14125, was patched by Xiaomi in June and has a CVSS severity rating of high.

“A denial of service vulnerability exists in some Xiaomi models of phones. The vulnerability is caused by out-of-bound read/write and can be exploited by attackers to make denial of service,” reads the CVE description in NIST’s National Vulnerability Database.

While details of the bug’s impact were limited when Xiaomi disclosed the vulnerability in June, Check Point’s postmortem of the patched bug lays out its full potential impact.

The core issue lay in the phones’ mobile payment implementation and the Trusted Execution Environment (TEE) that backs it. The TEE is a hardware-isolated enclave running alongside Android on the same processor, responsible for processing and storing the most sensitive material on the device, such as fingerprints and the cryptographic keys used to sign transactions.

“Left unpatched, an attacker could steal private keys used to sign WeChat Pay control and payment packages. Worst case, an unprivileged Android app could have created and signed a fake payment package,” researchers wrote.

Two types of attacks could have been performed against handsets with the flaw according to Check Point.

  • From an unprivileged Android app: the user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.
  • With physical access to the target device: the attacker roots the device, downgrades the trusted environment, and then runs code to create a fake payment package without needing an application.

Two Ways to Skin a TEE

According to Check Point, the attack required a MediaTek chip, because the TEE in question runs on MediaTek silicon. To be clear, the flaw was not in the MediaTek chip itself; the bug was simply only exploitable on phones built around a MediaTek processor.

“The Asian market,” the researchers noted, is “mainly represented by smartphones based on MediaTek chips.” Xiaomi phones running on MediaTek chips use a TEE operating system called “Kinibi” (developed by Trustonic), within which Xiaomi can embed and sign its own trusted applications.

“Usually, trusted apps of the Kinibi OS have the MCLF format” – Mobicore Loadable Format – “but Xiaomi decided to come up with one of their own.” That custom format carried a flaw: an absence of version control, without which “an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file.” Both the old and the new file carry a valid Xiaomi signature, and the loader checks only the signature, never a version number, so the TEE cannot tell the two apart and loads the old one.

In essence the attacker could’ve turned back time, bypassing any security fixes made by Xiaomi or MediaTek in the most sensitive area of the phone.

As a case in point, the researchers targeted “Tencent soter,” a Tencent framework embedded in Xiaomi phones that provides an API to third-party apps wanting to integrate mobile payments. Soter is responsible for verifying payments between phones and backend servers on hundreds of millions of Android devices worldwide. Using the downgrade, the researchers reinstated an older soter trusted app that still contained an arbitrary read vulnerability, and exploited it to steal the private keys used to sign transactions.

The arbitrary read vulnerability is already patched, while the version control vulnerability is “being fixed.”
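The two steps above, the missing version check in Xiaomi’s custom trusted-app format and the downgrade that brought back an older, vulnerable soter app, are easiest to see in a toy loader. The example below is added here and is not Check Point’s or Xiaomi’s code; it assumes a constructed image layout (4-byte version header, body, signature), uses an HMAC as a stand-in for the vendor’s asymmetric signature, and models the anti-rollback counter as an in-memory integer where a real TEE would keep it in replay-protected storage. The signature-only loader reproduces the flaw described in the article: the old signed file is accepted and loaded. The anti-rollback loader refuses it.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the vendor's signing key. A real TEE verifies an
# asymmetric signature against a public key anchored in the chip; an HMAC keeps
# this example self-contained while leaving the logic of the check the same.
VENDOR_KEY = b"constructed-vendor-signing-key"
SIG_LEN = 32  # HMAC-SHA256 digest length


def build_ta_image(version: int, body: bytes) -> bytes:
    """Assemble a toy trusted-app image: 4-byte little-endian version, body, signature."""
    header = struct.pack("<I", version)
    signature = hmac.new(VENDOR_KEY, header + body, hashlib.sha256).digest()
    return header + body + signature


def parse_ta_image(image: bytes):
    """Split an image into (version, body, signature); reject images too short to hold both."""
    if len(image) < 4 + SIG_LEN:
        raise ValueError("truncated trusted-app image")
    version = struct.unpack_from("<I", image)[0]
    return version, image[4:-SIG_LEN], image[-SIG_LEN:]


def signature_valid(image: bytes) -> bool:
    """Recompute the signature over header+body and compare in constant time."""
    try:
        _, _, signature = parse_ta_image(image)
    except ValueError:
        return False
    expected = hmac.new(VENDOR_KEY, image[:-SIG_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


class SignatureOnlyLoader:
    """Accepts any image with a valid vendor signature, whatever its version.
    This is the behaviour the article attributes to Xiaomi's custom format:
    an old, still-signed file written over the new one is loaded."""

    def load(self, image: bytes):
        if not signature_valid(image):
            return None
        version, _, _ = parse_ta_image(image)
        return version


class AntiRollbackLoader:
    """Adds a monotonic minimum-version counter to the signature check.
    In a real TEE the counter lives in replay-protected storage (an RPMB
    partition or fuses) so an attacker with file-system access cannot reset it."""

    def __init__(self, min_version: int = 0):
        self.min_version = min_version

    def load(self, image: bytes):
        if not signature_valid(image):
            return None
        version, _, _ = parse_ta_image(image)
        if version < self.min_version:
            return None  # correctly signed, but older than what already ran: rollback refused
        self.min_version = version
        return version


def downgrade_attempt(loader) -> list:
    """Install the patched v2 trusted app, then write the old signed v1 file over it,
    as an attacker with file access would. Returns the version each load yields
    (None when the loader refuses the image)."""
    old_vulnerable = build_ta_image(1, b"constructed soter body with arbitrary-read bug")
    patched = build_ta_image(2, b"constructed soter body, bug fixed")
    return [loader.load(patched), loader.load(old_vulnerable)]


if __name__ == "__main__":
    print("signature-only loader:", downgrade_attempt(SignatureOnlyLoader()))  # [2, 1]: rollback succeeds
    print("anti-rollback loader: ", downgrade_attempt(AntiRollbackLoader()))   # [2, None]: rollback refused
```

The point the example makes is that signature verification alone answers “did the vendor sign this?” and not “is this the version the vendor currently wants running?”; only a stored minimum version, which the untrusted side cannot roll back, closes the downgrade path.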

In addition, the researchers came up with one other trick for exploiting soter.

Using a regular, unprivileged Android application, they were able to communicate with the trusted soter app via “SoterService,” an API for managing soter keys. “In practice, our goal is to steal one of the soter private keys,” the authors wrote. But by triggering a classic heap overflow inside the trusted app, they were able to “completely compromise the Tencent soter platform,” which gives far more than key theft: the ability, for example, to sign fake payment packages.

Phones Remain Unscrutinized

Mobile payments are already receiving more scrutiny from security researchers as services like Apple Pay and Google Pay gain popularity in the West. But the issue is even more significant in the Far East, where the mobile payments market is already far ahead. According to data from Statista, that region accounted for a full two-thirds of mobile payments globally in 2021, about four billion dollars in transactions in all.

And yet, the Asian market “has still not yet been widely explored,” the researchers noted. “No one is scrutinizing trusted applications written by device vendors, such as Xiaomi, instead of by chip manufacturers, even though security management and the core of mobile payments are implemented there.”

As previously noted, Check Point asserted this was the first time Xiaomi’s trusted applications have been reviewed for security issues.