Eavesdropping Bugs in MediaTek Chips Affect 37% of All Smartphones and IoT Globally

Cyber Security

Multiple security weaknesses have been disclosed in MediaTek system-on-chips (SoCs) that could have enabled a threat actor to elevate privileges and execute arbitrary code in the firmware of the audio processor, effectively allowing the attackers to carry out a “massive eavesdrop campaign” without the users’ knowledge.

The discovery of the flaws is the result of reverse-engineering the Taiwanese company’s audio digital signal processor (DSP) unit by Israeli cybersecurity firm Check Point Research, ultimately finding that by stringing them together with other flaws present in a smartphone manufacturer’s libraries, the issues uncovered in the chip could lead to local privilege escalation from an Android application.

“A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware,” Check Point security researcher Slava Makkaveev said in a report. “Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user.”

Tracked as CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663, the three security issues concern a heap-based buffer overflow in the audio DSP component that could be exploited to achieve elevated privileges. The flaws impact chipsets MT6779, MT6781, MT6785, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, and MT8797 spanning across versions 9.0, 10.0, and 11.0 of Android.

“In audio DSP, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation,” the chipmaker said in an advisory published last month.

A fourth issue uncovered in the MediaTek audio hardware abstraction layer aka HAL (CVE-2021-0673) has been fixed as of October and is expected to be published in the December 2021 MediaTek Security Bulletin.

In a hypothetical attack scenario, a rogue app installed via social engineering means could leverage its access to Android’s AudioManager API to target a specialized library — named Android Aurisys HAL — that’s provisioned to communicate with the audio drivers on the device and send specially crafted messages, which could result in the execution of attack code and theft of audio-related information.

MediaTek, following disclosure, said it has made appropriate mitigations available to all original equipment manufacturers, adding it found no evidence that the flaws are currently being exploited. Furthermore, the company has recommended users to update their devices as and when patches become available and to only install applications from trusted marketplaces such as the Google Play Store.