Flaws in the Xiaomi Redmi Note 9T and Redmi Note 11 models could be exploited to disable the mobile payment mechanism and even falsify transactions.
Check Point researchers discovered the flaws by analyzing the payment system built into Xiaomi smartphones powered by MediaTek chips.
The Trusted Execution Environment (TEE) is an important component of mobile devices designed to process and store sensitive security information such as cryptographic keys and fingerprints.
TEE protection leverages hardware extensions (such as ARM TrustZone) to secure data in this enclave, even on rooted devices or systems compromised by malware.
The most popular implementations of TEE are Qualcomm’s Trusted Execution Environment (QSEE) and Trustronic’s Kinibi, but most devices in the wider Asian market are powered by MediaTek chips, which are less explored by experts. safe.
Experts explained that on Xiaomi devices, trusted apps are stored in the /vendor/thh/ta directory. Applications are in unencrypted binary file format with specific structure.
Trusted applications of the Kinibi operating system have the MCLF format, while Xiaomi uses its own format.
A trusted app can have multiple signatures following magic fields and the magic fields are the same in all trusted apps on the mobile device.
Researchers noticed that the version control field is omitted in the trusted app file format, this means an attacker can transfer an older version of a trusted app to the device and use it to overwrite the new application file. Using this trick, the TEE will load the application transferred by the attacker.
“Therefore, an attacker can bypass security patches made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions. To prove the problem, we managed to overwrite the trusted thhadmin app on our test device running MIUI Global 22.214.171.124 OS with an older one pulled from another device running MIUI Global 10.4 OS .1.0. reads the analysis published by Check Point researchers “The old thhadmin application was launched successfully, although its code is very different from the original.”
Experts have also found several flaws in the “thhadmin” app, which could be exploited to leak stored keys or execute malicious code in the context of the app.
Check Point researchers analyzed an integrated mobile payment framework, named Tencent Soter, used by Xiaomi devices. This framework provides an API for third-party Android apps to integrate payment capabilities. Tencent soter is used to verify payment packages transferred between a mobile app and a remote backend server, it is supported by hundreds of millions of Android devices.
A heap overflow vulnerability in the soter trusted application could be exploited to trigger a denial of service by an Android application that does not have permission to communicate directly with the TEE.
Researchers have demonstrated that it is possible to extract the private keys used to sign payment packages by replacing the soter trusted application with an older version affected by an arbitrary read vulnerability. Xiaomi has tracked the issue as CVE-2020–14125.
“This vulnerability [CVE-2020–14125] can be exploited to execute custom code. Xiaomi trusted apps do not have ASLR. There are examples on the internet of exploitation of such a classic heap overflow vulnerability in Kinibi applications. In practice, our goal is to steal one of the private keys, not to execute the code. The key leak completely compromises the Tencent soter platform, allowing an unauthorized user to sign fake payment packages. concludes the report.
“To steal a key, we used another arbitrary read vulnerability that exists in the older version of the
soter app (taken from MIUI Global 10.4.1.0). As mentioned, we can downgrade the app on Xiaomi devices.
Xiaomi fixed the CVE-2020-14125 vulnerability on June 6, 2022.
Follow me on Twitter: @securityaffairs and Facebook
(Security cases – hacking, mobile)