How a malicious Android app could covertly turn the DSP in your MediaTek-powered phone into an eavesdropping bug

Millions of devices potentially vulnerable, we're told

Check Point Research will today spill the beans on security holes it found within the audio processor firmware in millions of smartphones, which can be potentially exploited by malicious apps to secretly eavesdrop on people.

The infosec outfit believes as many as 37 per cent of smartphones globally are vulnerable. The flaws, patches for which were released last month, lie deep within handsets: in the code that controls an audio-processing unit inside system-on-chips designed by Taiwan's MediaTek.

Though its chips tend to power low-to-mid-end Android handhelds, MediaTek leads the world in terms of smartphone chip shipments; its tech is used nearly everywhere. Its system-on-chips include a digital signal processor (DSP) for handling audio, and this is a customized Tensilica Xtensa processor that has its own special opcodes and registers.

Check Point Research says it was able to obtain and reverse-engineer MediaTek's firmware driving this DSP, and found it was an adapted FreeRTOS environment with code for processing audio and exchanging messages with the Android software stack running on the phone. This real-time OS starts multiple individual tasks for handling phone calls, capturing raw audio from the microphone, and so on.

This firmware was pulled from a Xiaomi Redmi Note 9 5G smartphone running Android 11 on a Dimensity 800U SoC, which was also used for testing that the security holes could be exploited.

Essentially, according to Check Point Research, an unprivileged, malicious Android app can chain together vulnerabilities and oversights in MediaTek's and phone makers' system libraries and driver code to escalate its privileges and send messages directly to the audio DSP firmware. That low-level firmware does little to validate what it receives, so a crafted message can overwrite its memory and hijack execution.

At that point, the malicious app can potentially program the DSP to act as a covert listening bug, tapping the raw microphone audio streams, and run hidden code on the DSP. The technical details for these flaws should appear here by the time you read this.
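As an added illustration, and not MediaTek's firmware, Check Point's code, or any of the CVEs on this page, here is the general shape of the bug class the paragraph above describes, in C: an RTOS-style message handler that copies a payload into a fixed parameter buffer using the sender's own length field, next to a hardened version that bounds the copy by both source and destination and rejects rather than clamps. The message layout, structure names, sizes and function names are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message from the Android side to the DSP (assumed layout). */
struct ap_msg {
    uint16_t id;          /* which audio task / parameter block it targets */
    uint16_t len;         /* bytes of payload[] the sender claims are valid */
    uint8_t  payload[64];
};

/* Hypothetical DSP task state. A parameter buffer followed by a callback is
 * the kind of layout that turns a missing length check into control-flow
 * hijack: bytes written past params[] land on on_complete. */
struct dsp_task {
    uint8_t  params[32];
    void   (*on_complete)(void);
};

static void apply_params(void) { puts("audio task: parameters applied"); }

/* VULNERABLE pattern: the length comes from the attacker-controlled message
 * and is never compared with the size of the destination buffer. */
void copy_params_unchecked(struct dsp_task *t, const struct ap_msg *m)
{
    memcpy(t->params, m->payload, m->len);  /* len > 32 clobbers on_complete */
}

/* HARDENED pattern: bound the claimed length by both the source and the
 * destination buffer, and reject the message rather than clamping it, so a
 * malformed sender cannot leave a partial, inconsistent parameter block. */
bool copy_params_checked(struct dsp_task *t, const struct ap_msg *m)
{
    if (m->len > sizeof m->payload) return false;   /* lies about its own size */
    if (m->len > sizeof t->params)  return false;   /* would overrun params[] */
    memcpy(t->params, m->payload, m->len);
    return true;
}

/* True while the task's callback still points where the firmware expects. */
bool callback_intact(const struct dsp_task *t)
{
    return t->on_complete == apply_params;
}

int main(void)
{
    /* Constructed message: claims 40 bytes, 8 more than params[] can hold.
     * volatile keeps the compiler from folding the overflow at build time. */
    volatile uint16_t claimed = 40;
    struct ap_msg m = { .id = 1, .len = claimed };
    memset(m.payload, 0x41, sizeof m.payload);

    struct dsp_task t = { .on_complete = apply_params };
    copy_params_unchecked(&t, &m);
    printf("unchecked copy: callback intact? %s\n",
           callback_intact(&t) ? "yes" : "no");
    /* Invoking t.on_complete() now would jump to 0x4141414141414141. */

    struct dsp_task u = { .on_complete = apply_params };
    bool accepted = copy_params_checked(&u, &m);
    printf("checked copy: accepted? %s, callback intact? %s\n",
           accepted ? "yes" : "no", callback_intact(&u) ? "yes" : "no");
    return 0;
}
```

The point of the two checks in the hardened version is that a message can lie in two directions: about how much of its own payload is valid, and about how much the receiver has room for. Checking only one of them leaves a copy that still reads or writes out of bounds, and on a DSP running a flat-memory RTOS there is no MMU or stack cookie to catch it.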

"MediaTek is known to be the most popular chip for mobile devices," said Slava Makkaveev, a security researcher at Check Point.

"Given its ubiquity in the world, we began to suspect that it could be used as an attack vector by potential hackers.

"Left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users. Furthermore, the security flaws could have been misused by the device manufacturers themselves to create a massive eavesdropping campaign."

MediaTek's latest Dimensity-series chips are among the components affected, we're told. Check Point Research said it can't right now share full details on how to achieve real-world exploitation "for ethical reasons."

MediaTek doesn't think anyone's abused these bugs in the wild, and has issued some fixes for its code to phone makers to then push to people's devices.

"Regarding the audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs," said Tiger Hsu, product security officer at MediaTek. "We have no evidence it is currently being exploited."

It's at least an interesting piece of research, though one wonders whether it would be easier for an evil app to use a privilege-escalation flaw on the Android side of the device to eavesdrop on the user, without having to delve into the custom DSP at all.

While patches are now out, you may want to check whether your MediaTek-powered phone has actually been offered, and has installed, the updates. The three firmware bugs, CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663, were disclosed in October, and a fourth, CVE-2021-0673 in MediaTek's hardware abstraction library, is due to be released in December. The delay in patching the 0673 bug may be why full exploitation details are being withheld. We've asked Check Point Research for further info. ®


Biting the hand that feeds IT © 1998–2021