Xiaomi Phones with MediaTek Chips Found Vulnerable to Forged Payments
Security flaws have been identified in Xiaomi Redmi Note 9T and Redmi Note 11 models, which could be exploited to disable the mobile payment mechanism and even forge transactions via a rogue Android app installed on the devices.
Check Point said it found the flaws in devices powered by MediaTek chipsets during a security analysis of the Chinese handset maker's "Kinibi" Trusted Execution Environment (TEE).
A TEE refers to a secure enclave inside the main processor that's used to process and store sensitive information such as cryptographic keys so as to ensure confidentiality and integrity.
Specifically, the Israeli cybersecurity firm discovered that a trusted app on a Xiaomi device can be downgraded due to a lack of version control, enabling an attacker to replace a newer, secure version of an app with an older, vulnerable variant.
"Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions," Check Point researcher Slava Makkaveev said in a report shared with The Hacker News.
More at https://thehackernews.com/2022/08/xiaomi-phones-with-mediatek-chips-found.html