CheckPoint researched the payment system built into Xiaomi smartphones powered by MediaTek chips. From the analysis, they identified vulnerabilities that can allow the forging of payment packages or disabling the payment system directly from an unprivileged Android application.
The trusted execution environment (TEE) aims to process and store sensitive security information such as cryptographic keys and fingerprints. TEE protection is based on hardware extensions (such as ARM TrustZone) that keep the TEE world safe even on rooted devices or those compromised by malware.
Generally, popular implementations of the TEE for mobile devices are Qualcomm’s Secure Execution Environment (QSEE) and Trustronic’s Kinibi.TEE creates a secure virtual world managed by a trusted OS that runs trusted apps, also a trusted app implements a specific security feature.
Xiaomi devices on Qualcomm chips use QSEE trusted OS. MediaTek-based devices use Kinibi. Researchers tested Xiaomi Redmi Note 9T 5G with MIUI Global 22.214.171.124 OS.
Trusted App Format
Researchers explain that a trusted app can have multiple signatures following the magic fields. The magic fields are the same across all trusted apps on the device. Also, they are the same as the app fields of all other devices, such as Xiaomi T11 and Xiaomi Note 8 Pro.
“An attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions”, CheckPoint.
In the case of Xiaomi, it follows the GlobalPlatform TEE Internal Core API Specification in implementing trusted apps. Each app exports the “TA Interface” functions, which are the entry points to create the app instance, notify the instance that a new client is connecting, notify the instance when the client invokes a command, and so on.
Xiaomi devices have an embedded mobile payment framework called Tencent Soter that provides an API for third-party Android applications to integrate the payment capabilities.
An unprivileged Android application could exploit the CVE-2020-14125 vulnerability to execute code in the soter trusted app and forge payment packets.
Xiaomi, following responsible disclosure, has rolled out patches to address CVE-2020-14125 on June 6, 2022. “The downgrade issue, which has been confirmed by Xiaomi to belong to a third-party vendor, is being fixed,” Check Point added.
Sponsored: Your SWG Battle Plan: 3 Steps to Achieve Web Security