Security News > 2021 > November > Eavesdropping Bugs in MediaTek Chips Affect 37% of All Smartphones and IoT Globally

Eavesdropping Bugs in MediaTek Chips Affect 37% of All Smartphones and IoT Globally
2021-11-24 20:50

Multiple security weaknesses have been disclosed in MediaTek system-on-chips that could have enabled a threat actor to elevate privileges and execute arbitrary code in the firmware of the audio processor, effectively allowing the attackers to carry out a "Massive eavesdrop campaign" without the users' knowledge.

The discovery of the flaws is the result of reverse-engineering the Taiwanese company's audio digital signal processor unit by Israeli cybersecurity firm Check Point Research, ultimately finding that by stringing them together with other flaws present in a smartphone manufacturer's libraries, the issues uncovered in the chip could lead to local privilege escalation from an Android application.

"Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user."

Tracked as CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663, the three security issues concern a heap-based buffer overflow in the audio DSP component that could be exploited to achieve elevated privileges.

A fourth issue uncovered in the MediaTek audio hardware abstraction layer aka HAL has been fixed as of October and is expected to be published in the December 2021 MediaTek Security Bulletin.

In a hypothetical attack scenario, a rogue app installed via social engineering means could leverage its access to Android's AudioManager API to target a specialized library - named Android Aurisys HAL - that's provisioned to communicate with the audio drivers on the device and send specially crafted messages, which could result in the execution of attack code and theft of audio-related information.


News URL

https://thehackernews.com/2021/11/eavesdropping-bugs-in-mediatek-chips.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-10-25 CVE-2021-0663 Out-of-bounds Write vulnerability in Google Android 10.0/11.0/9.0
In audio DSP, there is a possible out of bounds write due to an incorrect bounds check.
local
low complexity
google CWE-787
6.7
2021-10-25 CVE-2021-0662 Out-of-bounds Write vulnerability in Google Android 10.0/11.0/9.0
In audio DSP, there is a possible out of bounds write due to an incorrect bounds check.
local
low complexity
google CWE-787
6.7
2021-10-25 CVE-2021-0661 Out-of-bounds Write vulnerability in Google Android 10.0/11.0/9.0
In audio DSP, there is a possible out of bounds write due to an incorrect bounds check.
local
low complexity
google CWE-787
6.7

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Mediatek 56 0 39 45 13 97